Heimdal Security Blog

RedClouds APT Deploys RDStealer Against Remote Desktop

RedClouds is a recently uncovered cyberespionage and hacking campaign that uses RDStealer malware to steal data from drives shared over Remote Desktop connections. The threat actors behind this campaign, whose identities remain unknown, exhibit advanced skills reminiscent of government-sponsored APT groups.

According to the researchers, the hackers involved in this campaign have been active since 2020, leaving behind several traces of their activities. Initially, they relied on off-the-shelf tools, but in 2021, they transitioned to their own custom-built malware.

Custom Malware Exploiting RDP

The Remote Desktop Protocol (RDP), developed by Microsoft, lets a user connect to a Windows computer over the network and control it as if sitting in front of it. RDStealer abuses exactly those sessions: its primary objectives are stealing credentials and exfiltrating data from the drives that connecting clients share into the Remote Desktop session.

The threat actors employ various malicious tools throughout their campaign, concealing them in the following locations:

To make the malware appear legitimate, the attackers frequently choose two commonly used locations for genuine software:

Additionally, the malware was discovered in the following folder where Windows stores its security files:

By opting for this location, the threat actors aim to evade detection and mask their presence as legitimate.

For persistence, the Logutil backdoor relies indirectly on the Winmgmt (Windows Management Instrumentation) service. The technique is DLL hijacking, made possible by a malicious loader placed at:

The hijack targets the “Microsoft WMI Provider Subsystem” DCOM server, which Winmgmt loads from c:\windows\system32\wbem\wmiprvsd.dll.

To function, wmiprvsd.dll imports ncobjapi.dll, whose legitimate copy lives in c:\windows\system32. Because of the DLL search order, however, the %SYSTEM32%\wbem\ folder is checked first, so a file named ncobjapi.dll dropped there is loaded in place of the genuine one. That file is the malicious loader, and it runs with the privileges of the WMI service every time the DCOM server is started.
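A defender reading the above wants two concrete checks: is there a shadowing ncobjapi.dll on disk in the wbem folder at all, and, if so, which copy has the Winmgmt service host actually loaded. The script below is an added hunt example written for this article; it is not code from the original post or from the underlying research. It assumes (hypothetically, as the page only states where the legitimate copy lives) that no genuine ncobjapi.dll belongs in %SystemRoot%\System32\wbem, that the host is 64-bit Windows run from a 64-bit, elevated PowerShell session, and that the Winmgmt service is running in a process whose modules the session is allowed to enumerate.

```powershell
# Added hunt script for the ncobjapi.dll search-order hijack described above.
# Not part of the original article or the underlying research.
# Assumptions: the only legitimate ncobjapi.dll is %SystemRoot%\System32\ncobjapi.dll,
# so any copy under System32\wbem is suspect; run from an elevated 64-bit PowerShell.

$systemRoot = $env:SystemRoot
$legitDll   = Join-Path $systemRoot 'System32\ncobjapi.dll'
$shadowDll  = Join-Path $systemRoot 'System32\wbem\ncobjapi.dll'

# 1. On-disk check: does a shadowing ncobjapi.dll exist in the wbem folder,
#    and does it look like the genuine file (same hash, valid signature)?
function Test-NcobjapiShadow {
    if (-not (Test-Path -LiteralPath $shadowDll)) {
        Write-Output "OK: no ncobjapi.dll in $systemRoot\System32\wbem"
        return $false
    }
    $sig        = Get-AuthenticodeSignature -FilePath $shadowDll
    $shadowHash = (Get-FileHash -LiteralPath $shadowDll -Algorithm SHA256).Hash
    $legitHash  = (Get-FileHash -LiteralPath $legitDll  -Algorithm SHA256).Hash

    Write-Warning "ncobjapi.dll present in wbem folder: $shadowDll"
    Write-Output ("  SHA256           : {0}" -f $shadowHash)
    Write-Output ("  Same as System32 : {0}" -f ($shadowHash -eq $legitHash))
    Write-Output ("  Signature status : {0}" -f $sig.Status)
    Write-Output ("  Signer           : {0}" -f $sig.SignerCertificate.Subject)
    return $true
}

# 2. In-memory check: which ncobjapi.dll has the Winmgmt service host loaded?
#    A path under \wbem\ means the hijack is live right now.
function Get-WinmgmtNcobjapi {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Winmgmt'"
    if (-not $svc -or -not $svc.ProcessId) { return $null }
    try {
        $proc = Get-Process -Id $svc.ProcessId -ErrorAction Stop
        foreach ($m in $proc.Modules) {
            if ($m.ModuleName -ieq 'ncobjapi.dll') {
                return [pscustomobject]@{
                    Pid      = $proc.Id
                    Path     = $m.FileName
                    Hijacked = ($m.FileName -like '*\wbem\*')
                }
            }
        }
    } catch {
        Write-Warning "Could not enumerate modules of PID $($svc.ProcessId): $_"
    }
    # Nothing returned: the module is not currently mapped in that process,
    # which is not proof of a clean host (the DCOM server may not be loaded yet).
    return $null
}

$null = Test-NcobjapiShadow
Get-WinmgmtNcobjapi | Format-List
```

The on-disk check is the decisive one: a file named ncobjapi.dll in the wbem folder has no legitimate reason to exist under the assumption above, whatever its signature says, so treat a hit as an incident rather than a curiosity. The in-memory check only tells you whether the hijack is active at the moment you look; an empty result after a clean on-disk check is fine, an empty result with a shadow file present just means the service has not loaded the provider subsystem since the drop.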

Attack Packages Used

According to Cyber Security News, the following packages are utilized in the attack:

Furthermore, researchers found references to ESXi and Linux inside Logutil’s command and control (C2) framework. This suggests that the operators may be taking advantage of Go’s cross-platform compilation to build a single backdoor that can run on Windows, Linux and ESXi hosts.
