In June 2023, Bitdefender Labs published a research paper about an espionage operation in East Asia. This operation had been ongoing since at least the beginning of 2022, showing a high level of sophistication typically associated with state-sponsored groups. Despite trying various methods, we have been unable to attribute these attacks to a specific threat actor, but the target aligns with the interests of China-based threat actors.

The most interesting discovery in this research is a new custom malware we named RDStealer. This server-side implant monitors incoming Remote Desktop Protocol (RDP) connections with client drive mapping enabled. Connecting RDP clients are infected with the Logutil backdoor (another custom malware), and sensitive data (such as credentials or private keys) is exfiltrated.

DLL sideloading (read our tech explainer) has emerged as one of the most prevalent stealth techniques in recent years. However, the level of disguise observed in this campaign surpasses anything witnessed thus far. Multiple DLL libraries are chained together as part of the sideloading attack, the chosen locations blend well into the system, and the sideloading process itself is initiated through clever use of the WMI subsystem.

Both the RDStealer and Logutil malware samples are written in the Go programming language. Go is known for its strong cross-platform support, allowing malware authors to create malicious code that runs on multiple operating systems.
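Because RDStealer relies on RDP sessions that have client drive mapping enabled, one defensive check is to confirm that drive redirection is blocked by policy on Remote Desktop Session Hosts. The following is an added example (not code from the Bitdefender research); it assumes the standard Group Policy registry location for the "Do not allow drive redirection" setting, and the function names are hypothetical.

```powershell
# Added example: audit (and optionally enforce) the RDP drive-redirection policy.
# Assumption: the host honours the standard Group Policy key below, where
# fDisableCdm = 1 corresponds to "Do not allow drive redirection".
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$ValueName = 'fDisableCdm'

function Get-RdpDriveRedirectionState {
    # Returns a short description of the current policy state.
    $prop = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 'NotConfigured (client drive mapping allowed by default)' }
    if ($prop.$ValueName -eq 1) { return 'Disabled by policy' }
    return 'Explicitly allowed by policy'
}

function Disable-RdpDriveRedirection {
    # Creates the policy key if needed and sets fDisableCdm = 1. Requires
    # administrative rights; new RDP sessions will no longer map client drives.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name $ValueName -Value 1 -Type DWord
}

Write-Host "RDP client drive redirection: $(Get-RdpDriveRedirectionState)"
# Uncomment to enforce on hosts where drive mapping is not required:
# Disable-RdpDriveRedirection
```

Run the audit across session hosts first; enforcement blocks a legitimate workflow for users who rely on mapped drives, so apply it per host group rather than blindly.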