For HomeFor BusinessFor Partners
Anti-Malware Research Whitepapers
2 min read

Exposing RDStealer Deep Dive into a Targeted Cyber-Attack Against East-Asia Infrastructure

Victor VRABIE

June 20, 2023

Promo Protect all your devices, without slowing them down.
Free 30-day trial
Exposing RDStealer Deep Dive into a Targeted Cyber-Attack Against East-Asia Infrastructure

Modern cyber-crime rings are becoming increasingly attracted to the use of legitimate components to achieve their goals. Execution of malicious components via DLL hijacking and persisting on affected systems by abusing legitimate scheduled tasks and services are just a few examples of their agility and focus.

State-affiliated actors such as the notorious APT29 group have successfully used this approach in the past by switching a binary responsible for updating Adobe Reader with a malicious component to abuse the corresponding scheduled task used for running the binary, and ultimately, to achieve persistence. Another strategy that aims to make the attackers keep a low profile is the use of locations that are less likely to be suspected to accommodate malware, and which are more likely to be excepted from security solution scrutiny.

We identified these behaviors in a recent incident investigated by Bitdefender researchers, where a presumably custom malware tracked by Bitdefender as Logutil backdoor was deployed. The operation was active for more than a year with the end goal of compromising credentials and data exfiltration.

Our investigation revealed that the operation started at least since early 2022. During this time, the attackers attempted to load their tools through multiple means, the Logutil being their main tool of choice. AsyncRat was also used at the earlier stages of infection.

Based on used infrastructure, it was established that CobaltStrike is another tool from the attackers’ arsenal. The target of this operation was a company activating in the Technology/IT Services industry in East Asia.

Key findings

  • DLL search order Hijacking involving the Microsoft WMI Provider Subsystem DCOM and %SYSTEM32%\wbem\ncobjapi.dll loader
  • Use of locations that are less likely to be suspected to contain malware and that are more likely to be excepted from scanning by the security solutions
  • Use of tools capable of collecting credential material from various applications such as MobaXterm, mRemoteNG, KeePass, Chrome passwords and history, and many others
  • Attempts of exfiltrating mysql data by accessing the server process memory and attempts of dumping LSASS memory
  • Capabilities to infect other systems in case a RDP session was established to the already infected system by placing malicious components to the \\tsclient\c\ subfolders if tsclient share was enabled.

Indicators of Compromise

An up-to-date, complete list of indicators of compromise is available to  Bitdefender Advanced Threat Intelligence  users. Currently known indicators of compromise can be found in the whitepaper below.

Download the whitepaper

tags

Anti-Malware Research Whitepapers

Author

Victor VRABIE

Victor VRABIE

Victor VRABIE is a security researcher at Bitdefender Iasi, Romania. Focusing on malware research, advanced persistent threats and cybercrime investigations, he's also a graduate of Computer Sciences.

View all posts

Right now Top posts

Infected Minecraft Mods Lead to Multi-Stage, Multi-Platform Infostealer Malware
Anti-Malware Research

Infected Minecraft Mods Lead to Multi-Stage, Multi-Platform Infostealer Malware

June 08, 2023

5 min read
Vulnerabilities identified in Amazon Fire TV Stick, Insignia FireOS TV Series
IoT Research Whitepapers

Vulnerabilities identified in Amazon Fire TV Stick, Insignia FireOS TV Series

May 02, 2023

2 min read
EyeSpy - Iranian Spyware Delivered in VPN Installers
Anti-Malware Research Whitepapers

EyeSpy - Iranian Spyware Delivered in VPN Installers

January 11, 2023

2 min read
Bitdefender Partnership with Law Enforcement Yields MegaCortex Decryptor
Anti-Malware Research Free Tools

Bitdefender Partnership with Law Enforcement Yields MegaCortex Decryptor

January 05, 2023

1 min read

FOLLOW US ON SOCIAL MEDIA

You might also like

AI meets next-gen info stealers in social media malvertising campaigns
Anti-Malware Research Scam Research

AI meets next-gen info stealers in social media malvertising campaigns
When Stealers Converge: New Variant of Atomic Stealer in the Wild
Anti-Malware Research

When Stealers Converge: New Variant of Atomic Stealer in the Wild
Andrei LAPUSNEANU

February 27, 2024

6 min read
Details on Apple’s Shortcuts Vulnerability: A Deep Dive into CVE-2024-23204
Anti-Malware Research

Details on Apple’s Shortcuts Vulnerability: A Deep Dive into CVE-2024-23204
Jubaer Alnazi JABIN

February 22, 2024

4 min read

Bookmarks

loader