A highly targeted cyber attack against an East Asian IT company involved the deployment of custom malware written in Golang called RDStealer.
“The operation was active for more than a year with the end goal of compromising credentials and data exfiltration,” Bitdefender security researcher Victor Vrabie said in a technical report shared with The Hacker News.
Evidence gathered by the Romanian cybersecurity firm shows that the campaign started in early 2022. The target was an unspecified IT company located in East Asia.
In the early phases, the operation relied on readily available remote access trojans like AsyncRAT and Cobalt Strike, before transitioning to bespoke malware in late 2021 or early 2022 in a bid to thwart detection.
A primary evasion tactic concerns the use of Microsoft Windows folders that are likely to be excluded from scanning by security software (e.g., System32 and Program Files) to store the backdoor payloads.
One of the sub-folders in question is “C:\Program Files\Dell\CommandUpdate,” which is the directory for a legitimate Dell application called Dell Command | Update.
Bitdefender said all the machines infected over the course of the incident were manufactured by Dell, suggesting that the threat actors deliberately chose this folder to camouflage the malicious activity.
This line of reasoning is bolstered by the fact that the threat actor registered command-and-control (C2) domains such as “dell-a[.]ntp-update[.]com” with the goal of blending in with the target environment.
The intrusion set is characterised by the use of a server-side backdoor called RDStealer, which specialises in continuously gathering clipboard content and keystroke data from the host.
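The two blending-in tactics described above (dropping binaries into directories that security tools commonly exclude, and registering C2 domains that carry the victim's hardware vendor name) translate directly into hunting heuristics. The following is an added illustration, not code from Bitdefender's report: it runs two checks over constructed inventory records and DNS query names. The record fields, the expected-signer mapping and the naive eTLD+1 logic are assumptions.

```python
from typing import NamedTuple

# Directories commonly excluded from scanning (the report names System32 and Program Files).
WATCHED_DIRS = [r"c:\windows\system32", r"c:\program files"]
# Assumed mapping: binaries inside a vendor folder should carry that vendor's signature.
EXPECTED_SIGNER = {r"c:\program files\dell\commandupdate": "dell"}
VENDOR_NAMES = {"dell"}

class FileRecord(NamedTuple):
    path: str
    signer: str  # assumed field from an EDR/file-inventory export; "" means unsigned

def suspicious_files(records):
    """Flag executables in watched dirs that are unsigned or signed by the wrong vendor."""
    hits = []
    for r in records:
        p = r.path.lower()
        if not p.endswith((".exe", ".dll")):
            continue
        reason = None
        for folder, vendor in EXPECTED_SIGNER.items():
            if p.startswith(folder) and vendor not in r.signer.lower():
                reason = f"unexpected signer '{r.signer or 'unsigned'}' in {vendor} folder"
        if reason is None and not r.signer and any(p.startswith(d) for d in WATCHED_DIRS):
            reason = "unsigned binary in commonly excluded directory"
        if reason:
            hits.append((r.path, reason))
    return hits

def normalize(fqdn):
    """Lower-case, re-fang '[.]' notation and strip a trailing dot."""
    return fqdn.lower().replace("[.]", ".").strip(".")

def registrable_domain(fqdn):
    """Naive eTLD+1 (last two labels); no public-suffix list, enough for this sample."""
    return ".".join(normalize(fqdn).split(".")[-2:])

def lookalike_domains(queries):
    """Flag names with a vendor name in a sub-label but registered under another domain."""
    hits = []
    for q in queries:
        name = normalize(q)
        sub_labels, reg = name.split(".")[:-2], registrable_domain(name)
        if any(v in lab for v in VENDOR_NAMES for lab in sub_labels) and not any(v in reg for v in VENDOR_NAMES):
            hits.append(name)
    return hits

# Constructed sample data; only the C2 domain is taken from the report.
SAMPLE_FILES = [
    FileRecord(r"C:\Program Files\Dell\CommandUpdate\DellCommandUpdate.exe", "Dell Inc."),
    FileRecord(r"C:\Program Files\Dell\CommandUpdate\helper.dll", ""),
    FileRecord(r"C:\Windows\System32\kernel32.dll", "Microsoft Windows"),
    FileRecord(r"C:\Windows\System32\updater.exe", ""),
    FileRecord(r"C:\Users\alice\notes.txt", ""),
]
SAMPLE_QUERIES = ["downloads.dell.com", "dell-a[.]ntp-update[.]com", "time.windows.com", "dell.com"]
```

Both heuristics are noisy on their own (unsigned third-party tools exist, and vendors do use odd CDN names), so they are triage inputs rather than alerts in themselves.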
Understanding the Nature of the Cyber Attack:
The year-long cyber attack on the IT firm was no run-of-the-mill hacking incident. It was a meticulously planned and executed operation by a highly skilled group of cybercriminals. By gaining unauthorized access to the firm’s systems, the attackers were able to gather valuable data, compromise security protocols, and remain undetected for an extended period.
RDStealer Malware: Unveiling its Functionality:
RDStealer, the custom-built malware used in this cyber attack, proved to be a formidable weapon in the hands of the attackers. This section explores the various functionalities of RDStealer, including its ability to infiltrate systems, exfiltrate sensitive information, and establish remote control over compromised machines. We examine the techniques employed by the attackers to propagate the malware and evade detection.
Advanced Evasion Techniques:
The cybercriminals behind this attack employed advanced evasion techniques to bypass traditional security measures. From leveraging encrypted communication channels to exploiting zero-day vulnerabilities, the attackers demonstrated a deep understanding of cybersecurity protocols and effectively rendered many defense mechanisms useless. We discuss the significance of these evasion techniques and their implications for future cyber threats.
Impacts on the IT Firm and its Clients:
The repercussions of this cyber attack were far-reaching. The compromised IT firm faced severe consequences, including reputational damage, financial losses, and potential legal ramifications. Furthermore, the attack exposed the confidential data of the firm’s clients, putting them at risk of identity theft and other cyber-related crimes. We examine the aftermath of the attack and the steps taken by the firm to mitigate the damage and enhance its cybersecurity posture.
The year-long cyber attack on the IT firm, orchestrated using the sophisticated RDStealer malware, underscores the increasing sophistication and persistence of cybercriminals. It emphasizes the critical need for organizations to remain vigilant, continuously adapt their security measures, and collaborate with cybersecurity experts to protect their valuable assets. By staying informed about such incidents and implementing robust mitigation strategies, businesses can reduce the risks associated with cyber threats and safeguard their operations in an increasingly digital world.