
Photo by Moose Photos, please support by following @pexel.com
Here we go again: with a well-known product and manufacturer comes the threat of great risk. This one is especially true if you partake in the use of Dell’s computers.
Information-stealing malware isn’t anything new, but with the current economy and threat actors wanting your information, its use has been on the rise.
We’re going to look at what kind of attack this is, who is using it, its functionality and effects upon release, and some ways you can at least try to keep your information safeguarded from this latest crop of threats.

Photo by Clem Onojeghuo, please support by following @pexel.com
The Attack
The newest and hottest malware on the market looking to capture the heart of your data and forward it to the hands of someone else is called RDStealer. RDStealer does this by infecting the RDP server and watching the connections taking place.
For those unfamiliar with RDP (Remote Desktop Protocol): it is the network connection protocol offered by Microsoft, and its purpose is to allow users to perform remote operations on other computers.
There has been some confusion about RDP vs. VPN (Virtual Private Network), so in an effort to clear things up, the difference is this: a VPN offers access to all resources on the network, items like file servers, printers, and company/organization websites, whereas RDP offers access only to the resources on the given computer it’s connected to. In short, a VPN accesses the network, and RDP accesses the computer.

Photo by Pixabay, please support by following @pexel.com
Who Can It Be Now
As of its “RedClouds” campaign, no individual or group has been named as making use of RDStealer. However, during the RedClouds campaign the malware runs a check to see whether it detects a remote machine connected to the server with CDM (Client Drive Mapping) enabled. If “Enabled client drive mapping” is not turned on, the client will deny the connection access to its file system. Meaning: no check, no go.
RDStealer can collect keystrokes and copy information from the clipboard, and another dangerous thing to note is that it can target either side, client or server. When a network is infected, the malware places its files and folders in both “%WinDir%\System32” and “%PROGRAM-FILES%”, locations that could be excluded from a full-system scan.
This means these malicious files could fly under the radar during a scan. Beyond that, there are a number of attack vectors: aside from CDM, RDStealer can begin with web advertisements, email attachments, and social engineering methods. Moreover, like your hair, if you have any, don’t let your guard down, as there will likely be more variety in the days to come.
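To make the client-side part of this concrete, here is an added example (written for this post, not code from the original article, from Microsoft, or from any vendor report) that audits a saved Remote Desktop connection file and rewrites it so no local drive is mapped into the session, which is exactly the access RDStealer needs. It assumes the standard mstsc .rdp key syntax (`drivestoredirect:s:` and the legacy `redirectdrives:i:`); the sample file contents are constructed.

```python
"""
Audit and harden Remote Desktop (.rdp) connection files so the client
does not expose its local drives to the host it connects to.
Assumes the standard mstsc .rdp key/value syntax (name:type:value).
"""

# Keys that control local drive redirection in mstsc .rdp files.
DRIVE_KEY = "drivestoredirect:s:"   # "" = none, "*" = all, "C:;D:" = listed drives
LEGACY_KEY = "redirectdrives:i:"    # legacy boolean form, 1 = redirect all drives


def drive_redirection_enabled(rdp_text: str) -> bool:
    """Return True if the .rdp file would map any local drive into the session."""
    enabled = False
    for line in rdp_text.splitlines():
        line = line.strip()
        if line.lower().startswith(DRIVE_KEY):
            value = line[len(DRIVE_KEY):].strip()
            # Any non-empty value ("*" or a drive list) maps drives.
            if value:
                enabled = True
        elif line.lower().startswith(LEGACY_KEY):
            value = line[len(LEGACY_KEY):].strip()
            if value == "1":
                enabled = True
    return enabled


def harden_rdp(rdp_text: str) -> str:
    """Return a copy of the .rdp file with drive redirection switched off."""
    out = []
    seen_drive = seen_legacy = False
    for line in rdp_text.splitlines():
        key = line.strip().lower()
        if key.startswith(DRIVE_KEY):
            out.append(DRIVE_KEY)          # empty value: redirect nothing
            seen_drive = True
        elif key.startswith(LEGACY_KEY):
            out.append(LEGACY_KEY + "0")   # legacy form: explicitly off
            seen_legacy = True
        else:
            out.append(line)
    # Make the setting explicit even if the file never mentioned it,
    # so a client default of "redirect everything" cannot creep back in.
    if not seen_drive:
        out.append(DRIVE_KEY)
    if not seen_legacy:
        out.append(LEGACY_KEY + "0")
    return "\n".join(out) + "\n"


# Constructed sample: a typical saved connection that maps every local drive.
SAMPLE_RDP = """\
screen mode id:i:2
full address:s:rdp-host.example.internal
username:s:alice
drivestoredirect:s:*
redirectclipboard:i:1
"""

if __name__ == "__main__":
    print("drives exposed:", drive_redirection_enabled(SAMPLE_RDP))
    print(harden_rdp(SAMPLE_RDP))
```

Run it as a script to see the verdict and the hardened file; the same two functions work over a whole folder of saved .rdp files. The matching server-side control is the Group Policy setting that disallows drive redirection, and `redirectclipboard:i:0` is the analogous client knob for the clipboard data the malware also captures.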

Photo by Craig Adderley, please support by following @pexel.com
The Sinking Feeling
Speaking of variety, it has been noted that threat actors use a custom version of this malware that makes use of the drive redirection feature: it watches the RDP connection and automatically steals from the local drives once a connection is made.
There are five modules that make up RDStealer: a keylogger; a persistence establisher; a data theft and exfiltration staging module; a clipboard content capturing tool; and one controlling encryption/decryption functions, logging, and file manipulation utilities.
Out of all this, just know that it’s recording every move made and can possibly deny access to certain information via encryption. Once activated, the malware enters an infinite loop calling the “diskMounted” function, which checks the availability of drives on the tsclient network shares.
If the malware finds any connection, it notifies the command-and-control (C2) server and begins pulling data from the RDP client over that connection. This is that “having a roommate who is a few months behind on rent move out and take a couple of your belongings before they go” kind of situation.
Just be aware, things may be a tad bit different the next time you turn your computer on.
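As an added illustration of what the diskMounted loop described above looks like from the defender’s side (example code written for this post, not code from the original article or from any vendor report), the following flags a process that repeatedly probes `\\tsclient\<drive>` roots across several drive letters within a short window, the way a polling implant would, while leaving a one-off user file copy alone. The tab-separated file-access feed format, the process names and the `PLACEHOLDER_VENDOR` path are all constructed assumptions; real telemetry would come from an EDR or file-audit source in whatever shape it emits.

```python
"""
Detection sketch: a process that keeps probing \\tsclient\<drive> roots.
Input is a constructed, tab-separated file-access feed:
    <ISO timestamp> TAB <pid> TAB <image path> TAB <accessed path>
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Matches the root of a redirected client drive, e.g. \\tsclient\C or \\tsclient\C\Users
TSCLIENT_RE = re.compile(r"^\\\\tsclient\\([a-z])(?:\\|$)", re.IGNORECASE)


def parse_event(line):
    """Split one feed line into (timestamp, pid, image, path)."""
    ts, pid, image, path = line.rstrip("\n").split("\t")
    return datetime.fromisoformat(ts), int(pid), image, path


def find_tsclient_pollers(lines, window=timedelta(seconds=60),
                          min_probes=6, min_drives=2):
    """Return {(pid, image): probe_count} for every process that, inside one
    `window`, touched tsclient drive roots at least `min_probes` times and
    across at least `min_drives` distinct drive letters."""
    probes = defaultdict(list)   # (pid, image) -> [(timestamp, drive letter)]
    for line in lines:
        if not line.strip():
            continue
        ts, pid, image, path = parse_event(line)
        m = TSCLIENT_RE.match(path)
        if m:
            probes[(pid, image)].append((ts, m.group(1).upper()))

    hits = {}
    for key, events in probes.items():
        events.sort()
        start = 0
        # Sliding window over this process's tsclient accesses.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            drives = {drive for _, drive in span}
            if len(span) >= min_probes and len(drives) >= min_drives:
                hits[key] = max(hits.get(key, 0), len(span))
    return hits


# Hypothetical implant location; the real malware's Dell-directory paths are not reproduced here.
IMPLANT_IMAGE = r"C:\Program Files\PLACEHOLDER_VENDOR\updater.exe"


def constructed_feed():
    """Build sample events: one legitimate file copy by explorer.exe, then an
    implant polling the C: and D: client drives every five seconds."""
    base = datetime(2024, 1, 1, 10, 0, 0)
    rows = [(base, 4312, r"C:\Windows\explorer.exe",
             r"\\tsclient\C\Users\alice\report.docx")]
    for i in range(6):
        t = base + timedelta(seconds=5 * i)
        for drive in ("C", "D"):
            rows.append((t, 7788, IMPLANT_IMAGE, "\\\\tsclient\\" + drive))
    return ["\t".join([t.isoformat(), str(pid), image, path])
            for t, pid, image, path in rows]


SAMPLE_FEED = constructed_feed()

if __name__ == "__main__":
    for (pid, image), count in find_tsclient_pollers(SAMPLE_FEED).items():
        print(f"pid {pid} {image}: {count} tsclient probes in window")
```

The thresholds are deliberately loose defaults; a user dragging a file from a mapped drive touches one letter once, while a loop that re-checks every mapped drive on a timer touches every letter over and over, which is the shape this rule keys on.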

Photo by Mati Mango, please support by following @pexel.com
The Prevention
It is safe to assume that if you have used a remote desktop via RDP, then at some juncture your system has been exposed to the RedClouds campaign.
It is hard to catch RDStealer manually, but you can better protect your system by using tighter security protocols and performing full-system scans often. While it has been noted that this malware particularly goes after Dell computers, given that it is coded to run in the Dell directories, it is best practice to exercise caution while on the web. Use multi-factor authentication (MFA) when able, as this makes you a less appealing target for threat actors because they have more to work around. And finally, encryption of your information is a must, as this also helps ward off threats like RDStealer. Your information may be in the cloud, but that doesn’t mean RedClouds should have unauthorized access to it.

Photo by Samson Katt, please support by following @pexel.com
Made it this far and found this entertaining? Then a big thanks to you, and please show your support by cracking a like, sharing this with whomever, scripting a comment, or plugging in to follow.
I would like to give sincere thanks to current followers and subscribers; your support and actions mean a lot and play a part in the creation of each script.
Do you feel like there is something I may have missed on RDStealer? Script a comment below.