New Custom Malware Attacking Remote Desktop Protocol Clients to Steal Data

New Custom Malware Attacking Remote Desktop Protocol Clients to Steal Data

New custom malware attacking Remote Desktop Protocol clients to steal sensitive login credentials.

Recently, the ‘RedClouds’ cyberespionage campaign steals data from shared drives via RD connections using the ‘RDStealer’ malware.

Read moreBuilding cyber skills and roles from CyBOK foundations

Bitdefender Labs discovered this malicious cyberespionage campaign and it has been identified that the hackers have been actively targeting systems since 2022 in East Asia.

The campaign’s creators are unknown, but they have similar interests to China and possess advanced skills like government-sponsored APT groups.

Read moreAccessibility as a cyber security priority

The hackers in this campaign have been active since 2020 with several active traces. While initially, they started with ready-made tools, but, later in 2021, they shifted to their own custom malware.

Custom Malware Attacking RDP

With the help of Microsoft’s RDP protocol, you can establish remote connections to Windows computers and seamlessly control them, simulating an in-person experience.

Read moreNew interactive video - and related downloads - to help secondary school kids stay safe online

Here below we have mentioned the main goals of this Malware Attacking Remote Desktop:-

Steal credentials

Read moreNigerian Cybercrime Ring's Phishing Tactics Exposed

Exfiltration of data

The threat actors have used several malicious tools in this campaign and here below we have mentioned all the locations that are used by them to hide their tools:-

Read moreS3 Ep135: Sysadmin by day, extortionist by night

c:windowssystem32

c:windowssystem32wbem

Read moreUS offers $10m bounty for Russian ransomware suspect outed in indictment

c:windowssecuritydatabase

%PROGRAM_FILES%f-securepsbdiagnostics

Read moreBelkin Wemo Smart Plug V2 – the buffer overflow that won’t be patched

%PROGRAM_FILES_x86%dellcommandupdate

%PROGRAM_FILES%dellmd storage softwaremd configuration utility

Read moreZut alors! Raclage crapuleux! Clearview AI in 20% more trouble in France

To make the malware appear genuine, attackers frequently choose the following two locations, which are typically used for legitimate software:-

%PROGRAM_FILES% 

Read moreHeads Up CEO! Cyber Risk Influences Company Credit Ratings

%PROGRAM_FILES_x86%

While apart from this, the malware was also discovered in the following folder where Windows keeps its security files:-

Read moreCISA, NSA Issue New IAM Best Practice Guidelines

c:windowssecuritydatabase

Threat actors opted for this location likely to avoid detection and mask their presence as legit.

Read more6 Ways to Mitigate Risk While Expanding Access

To maintain persistence, the Logutil backdoor took advantage of the Winmgmt service in an indirect manner.

The exploitation was made possible by utilizing DLL Hijacking, aided by the presence of the malicious loader at the following location:-

Read moreHypervisors and Ransomware: Defending Attractive Targets

%SYSTEM32%wbemncobjapi.dll

The “Microsoft WMI Provider Subsystem” DCOM is used in this campaign and it’s been revealed due to the Winmgmt behavior. It’s mainly found in the following location:-

Read moreNIST Launches Cybersecurity Initiative for Small Businesses

c:windowssystem32wbemwmiprvsd.dll

The wmiprvsd.dll file needs the ncobjapi.dll file to work, and this file is mainly located in:-

Read moreEducating Your Board of Directors on Cybersecurity

c:windowssystem32

However, due to the way the DLL search order works, the %SYSTEM32%wbem folder is checked first, allowing it to load the malicious loader.

Read morePersonal Information of 9 Million Individuals Stolen in MCNA Ransomware Attack

The current threat actors have a unique method of DLL sideloading. Instead of using ncobjapi.dll as the final payload, they use other DLL files like bithostw.dll located in “c:windowssystem32” or “c:windowssystem32wbem”.

Packages Used in Attack

According to the report shared with Cyber Security News, the following are the packages used:-

Read moreMany Vulnerabilities Found in PrinterLogic Enterprise Software

cli: Implements the capture of the clipboard content by using windows API such as OpenClipboard and GetClipboardData.

key: Implements keystroke capture alongside window name.

Read moreIndustrial Giant ABB Confirms Ransomware Attack, Data Theft

main: Acts as the orchestrator and uses the package modules to perform persistence setup and start the routine for data collection if certain conditions are met.

modules: Implements different functions used for collecting and staging the data for further exfiltration.

Read moreOrganizations Worldwide Targeted in Rapidly Evolving Buhti Ransomware Operation

utils: Implements encryption and decryption functions, file attribute manipulation, and log function

Modules

RDP Attack Execution

The Logutil is a Go-based backdoor that allows someone to control the victim’s network.

Read moreGoogle Cloud Users Can Now Automate TLS Certificate Lifecycle

It can download/upload files and execute commands to maintain a foothold in the victim’s network.

The main.Log function in Logutil starts by decrypting the stored config string, which is encoded as base64, and here the decoded result is decrypted using an XOR-byte operation.

Read moreZyxel Firewalls Hacked by Mirai Botnet

Threat actors infect remote desktop servers with a custom RDStealer malware, which takes advantage of a feature in the Remote Desktop Protocol called “device redirection.”

To accomplish this, it keeps track of RDP connections and as soon as they are linked to the RDP server it automatically extracts data from local drives.

Read moreWatch Now: Threat Detection and Incident Response Virtual Summit

Here below we have mentioned all the commands that are supported by Logutil:-

Moreover, Logutil’s command and control (C2) framework, as discovered by the researchers, includes mentions of ESXi and Linux.

Read moreNCC Group Releases Open Source Tools for Developers, Pentesters

This suggests that the malicious actors are probably leveraging the flexibility of the Go programming language to develop a backdoor that can operate on multiple platforms.

Looking For an All-in-One Multi-OS Patch Management Platform – Try Patch Manager Plus.

Read moreMemcyco Raises $10 Million in Seed Funding to Prevent Website Impersonation

The post New Custom Malware Attacking Remote Desktop Protocol Clients to Steal Data appeared first on Cyber Security News.

   Read More 

Read morePyPI Enforcing 2FA for All Project Maintainers to Boost Security

Cyber Security News 

Related Posts

Picking fights and gaining rights, with Justin Brookman: Lock and Code S05E09

Picking fights and gaining rights, with Justin Brookman: Lock and Code S05E09

[[{“value”:”

This week on the Lock and Code podcast…

Our Lock and Code host, David Ruiz, has a bit of an apology to make:

“Sorry for all the depressing episodes.”

When the Lock and Code podcast explored online harassment and abuse this year, our guest provided several guidelines and tips for individuals to lock down their accounts and remove their sensitive information from the internet, but larger problems remained. Content moderation is failing nearly everywhere, and data protection laws are unequal across the world.

When we told the true tale of a virtual kidnapping scam in Utah, though the teenaged victim at the center of the scam was eventually found, his family still lost nearly $80,000.

And when we asked Mozilla’s Privacy Not Included team about what types of information modern cars can collect about their owners, we were entirely blindsided by the policies from Nissan and Kia, which claimed the companies can collect data about their customers’ “sexual activity” and “sex life.”

(Let’s also not forget about that Roomba that took a photo of someone on a toilet and how that photo ended up on Facebook.)

In looking at these stories collectively, it can feel like the everyday consumer is hopelessly outmatched against modern companies. What good does it do to utilize personal cybersecurity best practices, when the companies we rely on can still leak our most sensitive information and suffer few consequences? What’s the point of using a privacy-forward browser to better obscure my online behavior from advertisers when the machinery that powers the internet finds new ways to surveil our every move?

These are entirely relatable, if fatalistic, feelings. But we are here to tell you that nihilism is not the answer.

Today, on the Lock and Code podcast, we speak with Justin Brookman, director of technology policy at Consumer Reports, about some of the most recent, major consumer wins in the tech world, what it took to achieve those wins, and what levers consumers can pull on today to have their voices heard.

Brookman also speaks candidly about the shifting priorities in today’s legislative landscape.

“One thing we did make the decision about is to focus less on Congress because, man, I’ll meet with those folks so we can work on bills, [and] there’ll be a big hearing, but they’ve just failed to do so much.”

Tune in today to listen to the full conversation.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

“}]]   Read More 

Malwarebytes