
Cyber attack in East Asia: malware infiltration for over a year

The details of the RDStealer malware and its corporate security implications


An IT company based in East Asia fell victim to a sophisticated cyber attack that was carefully planned and carried out over more than a year. The cyber espionage operation relied on a custom piece of malware, RDStealer, written in Go. The attackers' primary goal was to harvest credentials and exfiltrate data, as explained by Victor Vrabie, a security researcher at Bitdefender, in a technical analysis shared with The Hacker News.

Unraveling the chronology and evolution of the attack

According to evidence gathered by Bitdefender, a Romanian cybersecurity company, the earliest traces of the intrusion date from early 2022, although the campaign itself appears to be older. In its early phase the attackers relied on widely available tools such as the AsyncRAT remote access trojan and Cobalt Strike; by late 2021 or early 2022 they had switched to their own custom malware, which made their activity harder to detect and remediate.

Evasion techniques and payload deployment

The attackers hid their backdoor payloads in Windows system folders such as System32 and Program Files. Because security products commonly exclude these folders from scanning, they make an effective hideout for malicious code. The distinguishing feature of RDStealer was that it monitored incoming Remote Desktop Protocol (RDP) connections on the compromised server and targeted any connecting client that had client drive mapping enabled, the RDP feature that exposes the client's local drives to the server. Whenever a new RDP client connected, RDStealer would run commands to steal sensitive data from the client's mapped drives, including stored credentials, browsing history and private keys, from applications such as mRemoteNG, KeePass and Google Chrome.

Continuous threat evolution and implications

In a follow-up analysis, Marin Zugec of Bitdefender noted that the incident underlines attackers' relentless pursuit of credentials and of established connections to other systems. The connecting RDP clients were in turn infected with Logutil, another custom Go-based malware, which gave the attackers a long-term presence in the victim's network: loaded through DLL side-loading, it provided command execution and a stealthy, persistent foothold. Little is known about the actors behind the campaign, but they appear to have been active since at least 2020. Zugec stressed that the attack illustrates the growing sophistication of modern intrusions and how capable adversaries opportunistically exploit older, ubiquitous technologies such as RDP.
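The two preceding sections describe what RDStealer depends on: RDP client drive mapping left enabled on the server, and payloads (including side-loaded DLLs) dropped into folders that scanners skip. The following PowerShell script is an added example, written for this page and not taken from Bitdefender's research or tooling, that an administrator could run elevated on a Windows RDS host to audit both conditions. It checks and optionally enforces the "Do not allow drive redirection" policy (registry value fDisableCdm), lists recent RDP logons with their source addresses from the TerminalServices LocalSessionManager log, and flags recently modified DLLs and executables in System32 and Program Files whose Authenticode signature is not valid. The function names and the 7-day and 30-day windows are the example's own choices, not values from the report.

```powershell
# Added example (not Bitdefender's code): audit an RDS host for RDP drive
# redirection, review recent RDP logons, and look for unsigned code written
# recently into "trusted" folders. Run elevated; assumes Windows PowerShell 5.1+.

$PolicyKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$WinStationKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-DriveRedirectionState {
    # fDisableCdm = 1 means "Do not allow drive redirection" is in force.
    # The policy key takes precedence over the per-listener WinStations value.
    $policy   = (Get-ItemProperty -Path $PolicyKey -Name fDisableCdm -ErrorAction SilentlyContinue).fDisableCdm
    $listener = (Get-ItemProperty -Path $WinStationKey -Name fDisableCdm -ErrorAction SilentlyContinue).fDisableCdm
    [pscustomobject]@{
        PolicyValue   = $policy
        ListenerValue = $listener
        Disabled      = ($policy -eq 1) -or (($null -eq $policy) -and ($listener -eq 1))
    }
}

function Disable-DriveRedirection {
    # Enforce the policy so clients can no longer expose their local drives to this host.
    # Sessions that are already connected keep their mappings until they reconnect.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name fDisableCdm -PropertyType DWord -Value 1 -Force | Out-Null
}

function Get-RecentRdpLogons {
    param([int]$Days = 7)
    # Event 21 = session logon succeeded, 25 = session reconnect. The user,
    # session id and source address live in the event's UserData XML.
    $filter = @{
        LogName   = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
        Id        = 21, 25
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = ([xml]$_.ToXml()).Event.UserData.EventXML
        [pscustomobject]@{
            Time      = $_.TimeCreated
            EventId   = $_.Id
            User      = $x.User
            SessionId = $x.SessionID
            Source    = $x.Address
        }
    }
}

function Get-RecentUnsignedBinaries {
    param([int]$Days = 30)
    # Heuristic for payloads dropped into folders scanners tend to skip: DLLs and
    # EXEs written recently under System32 or Program Files without a valid signature.
    # A side-loaded DLL placed next to a legitimate signed executable shows up here too.
    $roots = @("$env:SystemRoot\System32", $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    foreach ($root in $roots) {
        Get-ChildItem -Path $root -Recurse -File -Include *.dll, *.exe -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-$Days) } |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                if ($sig.Status -ne 'Valid') {
                    [pscustomobject]@{
                        Path      = $_.FullName
                        Modified  = $_.LastWriteTime
                        SigStatus = $sig.Status
                    }
                }
            }
    }
}

# Usage
$state = Get-DriveRedirectionState
$state | Format-List
if (-not $state.Disabled) {
    Write-Warning 'Client drive redirection is allowed: connecting clients expose their drives to this host.'
    # Uncomment to enforce the policy: Disable-DriveRedirection
}
Get-RecentRdpLogons -Days 7 | Format-Table -AutoSize
Get-RecentUnsignedBinaries -Days 30 | Format-Table -AutoSize
```

Two caveats when using this: an unsigned binary in Program Files is not proof of compromise (plenty of legitimate third-party software ships unsigned), so treat the last list as a triage queue rather than an alert; and disabling drive redirection on the server stops the mapping that RDStealer abused, but the jump hosts and administrators' workstations that connect to a compromised server still need to be checked for Logutil, since those are the machines the attackers infected through the mapping.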


06/20/2023 16:10

Editorial AI
