Cybercriminals have been employing a newly discovered custom tool called RDStealer that targets the client drive mapping feature of Remote Desktop Protocol (RDP) in order to deploy data exfiltration malware against the connecting clients.
RDStealer has been used as part of an espionage attack that has impacted an unnamed victim in East Asia. While the threat actors initially leveraged publicly available tools - such as AysncRat and Cobalt Strike - in their attacks, they eventually shifted their tooling to include custom malware in a likely effort to evade detection, said researchers. Researchers do not have further details about how attackers initially were able to infect the victim.
“This operation was ongoing since at least the beginning of 2022, showing a high level of sophistication typically associated with state-sponsored groups,” said Martin Zugec, technical solutions director at Bitdefender, in a Tuesday analysis. “Despite trying various methods, we have been unable to attribute these attacks to a specific threat actor, but the target aligns with the interest of China-based threat actors.”
Malware Targets Client Drive Mapping
RDStealer includes a capability that specifically targets the client drive mapping feature within RDP, which displays the local drives of the client machine within the remote desktop session. The malware monitors the client drive mapping feature for different drives (C, D, E, F, G or H drives) that represent individual disks of the connected RDP client. If it detects any of these drives, it deploys a backdoor, called Logutil, to the connected RDP clients in order to exfiltrate data like credentials or certificates.
Zugec said that "to the best of our knowledge, there haven't been any reported cases of malware exploiting the client drive mapping functionality."
"While threat actors frequently leverage RDP as a means of initial infection, it is worth noting that their understanding of RDP access has been relatively limited," said Zugec. "Their activities have primarily revolved around acting as end users, showing little inclination to delve into the inner workings of RDP or similar remote protocols."
While client drive mapping is typically used by administrators to transfer files between the remote server and their admin workstation, users can also leverage it to access and transfer files between their local machine and the remote server. Researchers do not have further details about whether the compromised system was utilized for administrative access or regular user interactions, but they said “it is important to note that this technique is applicable in both scenarios.”
“Both the server and the client end must have this feature enabled in order to work, but it is common practice that clients (decentralized) have it permanently enabled, while the configuration is managed solely on the server end (centralized),” said Zugec. “This is a good reminder that zero trust does not involve only networks or authentication but is a more encompassing principle - servers located on an internal network are not necessarily more trustworthy than clients connecting remotely.”
Outside of its targeting of RDP client drive mapping, RDStealer contains modules for implementing a keylogger, manipulating files, and capturing content off of clipboards (via a Windows API). Other modules have encryption or decryption capabilities and the ability to implement various functions for collecting and staging data for further exfiltration.
The Logutil backdoor that is deployed by RDStealer also has a number of capabilities for maintaining a foothold in the victim’s network. The backdoor leverages DLL sideloading tactics to evade detection, including one technique where it abuses the Windows Management Instrumentation service in order to execute a malicious binary.
Here, the threat actors mimic a legitimate library (ncobjapi.dll) by placing a malicious loader with the same name into the %WinDir%\System32\wbem folder. The \wbem folder is checked for the existence of this library before the System32 library that holds the legitimate library, meaning that the malicious library is loaded first.
“This implant is highly effective to establish persistence on the system. It can be triggered by either WMI service (automatically started with multiple recovery actions), or through WMI host process,” said researchers. “The ncobjapi.dll library has been previously weaponized by other threat actors like Lazarus group or RadRat operators, but in this case it’s just part of the sideloading chain. The real payload (loaded by ncobjapi.dll loader) is bithostw.dll (Logutil).”
The use of RDStealer and Logtil in this attack shows how more cybercriminals are developing and deploying custom malware. Over the past year, researchers have documented a number of custom tools being used by threat actors, including the custom data exfiltration tool Exbyte developed last year by BlackByte and a customized networking-scanning tool used by the Play ransomware group.
“This transition to custom malware aligns with a growing trend observed among other threat actors, who have adjusted their evasion tactics as detection tools (like EDR or XDR) have become more widespread,” said Zugec.