A highly targeted cyber attack against an East Asian IT company involved the deployment of a custom malware written in Golang called RDStealer. "The operation was active for more than a year with the end goal of compromising credentials and data exfiltration," Bitdefender security researcher Victor Vrabie said in a technical report shared with The Hacker News.
In the early phases, the operation relied on readily available remote access trojans like AsyncRAT and Cobalt Strike, before transitioning to bespoke malware in late 2021 or early 2022 in a bid to thwart detection.
A primary evasion tactic concerns the use of Microsoft Windows folders that are likely to be excluded from scanning by security software (e.g., System32 and Program Files) to store the backdoor payloads. One of the sub-folders in question is "C:\Program Files\Dell\CommandUpdate," which is the directory for a legitimate Dell application called Dell Command | Update.
Bitdefender said all the machines infected over the course of the incident were manufactured by Dell, suggesting that the threat actors deliberately chose this folder to camouflage the malicious activity. This line of reasoning is bolstered by the fact that the threat actor registered command-and-control (C2) domains such as "dell-a[.]ntp-update[.]com" with the goal of blending in with the target environment.
The intrusion set is characterized by the use of a server-side backdoor called RDStealer, which specializes in gathering clipboard content and keystroke data from the host. But what makes it stand out is its capability to "monitor incoming RDP [Remote Desktop Protocol] connections and compromise a remote machine if client drive mapping is enabled."
New RDStealer malware steals from drives shared over Remote Desktop
A cyberespionage and hacking campaign tracked as 'RedClouds' uses the custom 'RDStealer' malware to automatically steal data from drives shared through Remote Desktop connections.
www.bleepingcomputer.com
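Since the quoted report ties the risk to RDP sessions where client drive mapping is enabled, one defensive check is to audit saved `.rdp` connection files for the `drivestoredirect` setting. The following Python is an added example, not code from the post or from Bitdefender's report; the file names, host names and function names are constructed, and it assumes that a missing or empty `drivestoredirect` value means no drives are redirected.

```python
import re

# Constructed sample .rdp files (name -> decoded text); not from the report.
SAMPLE_RDP_FILES = {
    "jump-host.rdp": "full address:s:jump01.example.internal\ndrivestoredirect:s:*\n",
    "db-admin.rdp": "full address:s:db02.example.internal\n"
                    "drivestoredirect:s:C:\\;DynamicDrives\n",
    "kiosk.rdp": "full address:s:kiosk.example.internal\ndrivestoredirect:s:\n",
    "plain.rdp": "full address:s:app03.example.internal\nscreen mode id:i:2\n",
}

# .rdp settings are lines of the form  name:type:value  (type is i, s or b).
SETTING = re.compile(r"^\s*([^:]+):([a-zA-Z]):(.*)$")


def parse_rdp(text):
    """Return the settings of one .rdp file as {lower-cased name: value}."""
    settings = {}
    for line in text.lstrip("\ufeff").splitlines():  # tolerate a leading BOM
        match = SETTING.match(line)
        if match:
            name, _type, value = match.groups()
            settings[name.strip().lower()] = value.strip()
    return settings


def redirected_drives(text):
    """List what the file redirects: ['*'] for all drives, [] for none."""
    value = parse_rdp(text).get("drivestoredirect", "")
    if value == "*":
        return ["*"]
    # Otherwise a ';'-separated list, e.g. 'C:\;DynamicDrives'
    return [item for item in value.split(";") if item]


def audit(files):
    """Map each file that redirects any client drive to what it exposes."""
    findings = {}
    for name, text in files.items():
        drives = redirected_drives(text)
        if drives:
            findings[name] = drives
    return findings


if __name__ == "__main__":
    for name, drives in audit(SAMPLE_RDP_FILES).items():
        print(f"{name}: client drives exposed to the remote host: {drives}")
```

Files flagged here are candidates for removing drive redirection; on the server side, the same exposure can be closed with the Remote Desktop Services policy that disallows drive redirection.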