SECURITY
Researchers at S.C. Bitdefender SRL today warned of new custom malware actively targeting remote desktop protocol clients to steal data.
First noticed in its use as part of a state-sponsored East Asian espionage operation called RedClouds, the server-side implant, dubbed “RDStealer,” monitors RDP connections with client drive mapping enabled, infecting connecting RDP clients with a Logutil backdoor and exfiltrating sensitive data.
The RDStealer malware is notable because it employs an advanced dynamic link library sideloading technique. The stealth method is said to involve chaining together multiple DLLs that seamlessly integrate into the system, initiated via the Windows Management Instrumentation subsystem. The malware and its accomplice, Logutil, are coded in the Go programming language, enabling them to operate across various systems.
The Bitdefender Labs researchers claim that this is the first known instance of such an attack method, demonstrating an escalation in the sophistication of cybercriminal activities. The finding shows how threat actors are using new methods to exploit older, widely used technologies, underscoring the need for robust, multilayered security measures.
Although the report walks through how RDStealer operates step by step, its recommendations for reducing the risk of compromise apply to the broader security landscape, not just this campaign.
The researchers argue that defense-in-depth architecture remains the most effective protection against modern cyberthreats. The defense-in-depth security approach employs multiple overlapping measures designed to guard against various threats.
Key to the strategy is mastering prevention capabilities, which include minimizing exposed attack surfaces, identifying and correcting vulnerabilities, and constantly updating access policies. Automated protection controls should be applied to all potential threat entry points, including next-generation antivirus and integrated reputation checks for IP addresses, URLs and domains.
However, detection capabilities become vital if a threat actor bypasses those controls. The researchers emphasize the need for endpoint detection and response, extended detection and response or managed detection and response services that can minimize the timeframe during which a threat remains undetected.
It’s also noted that maintaining response capabilities across all these layers is crucial for reducing security risks. Maintenance can include applying patches, investigating potential security incidents or controlling damage after a breach. Undertaking such practices increases the odds of preventing cybersecurity incidents from becoming full-blown breaches.
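Because RDStealer watches for RDP connections that have client drive mapping enabled, one concrete way to shrink that attack surface is to disable drive redirection on session hosts that do not need it. The following PowerShell audit is an added example, not code from the article or from Bitdefender; it reads the `fDisableCdm` value that backs the "Do not allow drive redirection" Group Policy and the per-listener RDP-Tcp setting, and reports whether drive mapping is still active on the host.

```powershell
# Added example: audit whether RDP client drive redirection (the client drive mapping
# RDStealer relies on) is disabled on this session host. Run elevated on the server.
function Get-RdpDriveRedirectionStatus {
    [CmdletBinding()]
    param()

    # Machine-wide Group Policy location for "Do not allow drive redirection".
    $policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    # Per-listener setting for the default RDP-Tcp listener.
    $listenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

    $policyValue   = (Get-ItemProperty -Path $policyKey   -Name fDisableCdm -ErrorAction SilentlyContinue).fDisableCdm
    $listenerValue = (Get-ItemProperty -Path $listenerKey -Name fDisableCdm -ErrorAction SilentlyContinue).fDisableCdm

    # Policy wins when set; otherwise the listener value applies; neither set means redirection is allowed (default).
    $effectiveDisabled = if ($null -ne $policyValue)       { $policyValue -eq 1 }
                         elseif ($null -ne $listenerValue) { $listenerValue -eq 1 }
                         else                              { $false }

    [PSCustomObject]@{
        ComputerName           = $env:COMPUTERNAME
        PolicyDisablesCdm      = $policyValue
        ListenerDisablesCdm    = $listenerValue
        DriveRedirectionActive = -not $effectiveDisabled
    }
}

# Optional hardening for hosts that have no business need for drive mapping:
# enforce the policy value. Supports -WhatIf so it can be dry-run during change review.
function Disable-RdpDriveRedirection {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    if ($PSCmdlet.ShouldProcess($policyKey, 'Set fDisableCdm = 1')) {
        New-Item -Path $policyKey -Force | Out-Null
        Set-ItemProperty -Path $policyKey -Name fDisableCdm -Value 1 -Type DWord
    }
}

Get-RdpDriveRedirectionStatus | Format-List
```

Sessions already connected keep their mapped drives until they reconnect, so after changing the policy, check active sessions rather than assuming the setting took effect immediately.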