Exposing RDStealer Deep Dive into a Targeted Cyber-Attack Against East-Asia Infrastructure

Modern cyber-crime rings are becoming increasingly attracted to the use of legitimate components to achieve their goals. Execution of malicious components via DLL hijacking and persisting on affected systems by abusing legitimate scheduled tasks and services are just a few examples of their agility and focus.

State-affiliated actors such as the notorious APT29 group have successfully used this approach in the past by switching a binary responsible for updating Adobe Reader with a malicious component to abuse the corresponding scheduled task used for running the binary, and ultimately, to achieve persistence. Another strategy that aims to make the attackers keep a low profile is the use of locations that are less likely to be suspected to accommodate malware, and which are more likely to be excepted from security solution scrutiny.

We identified these behaviors in a recent incident investigated by Bitdefender researchers, where a presumably custom malware tracked by Bitdefender as Logutil backdoor was deployed. The operation was active for more than a year with the end goal of compromising credentials and data exfiltration.

Our investigation revealed that the operation started at least since early 2022. During this time, the attackers attempted to load their tools through multiple means, the Logutil being their main tool of choice. AsyncRat was also used at the earlier stages of infection.

Based on used infrastructure, it was established that CobaltStrike is another tool from the attackers’ arsenal. The target of this operation was a company activating in the Technology/IT Services industry in East Asia.

Key findings

• DLL search order Hijacking involving the Microsoft WMI Provider Subsystem DCOM and %SYSTEM32%\wbem\ncobjapi.dll loader
• Use of locations that are less likely to be suspected to contain malware and that are more likely to be excepted from scanning by the security solutions
• Use of tools capable of collecting credential material from various applications such as MobaXterm, mRemoteNG, KeePass, Chrome passwords and history, and many others
• Attempts of exfiltrating mysql data by accessing the server process memory and attempts of dumping LSASS memory
• Capabilities to infect other systems in case a RDP session was established to the already infected system by placing malicious components to the \\tsclient\c\ subfolders if tsclient share was enabled.

Indicators of Compromise

An up-to-date, complete list of indicators of compromise is available to  Bitdefender Advanced Threat Intelligence  users. Currently known indicators of compromise can be found in the whitepaper below.

Download the whitepaper