China-Centric RedClouds Campaign Targeting RDP
July 6th, 2023
A hacking campaign tracked as ‘RedClouds’ uses custom ‘RDStealer’ malware to automatically steal data from client drives shared into Remote Desktop Protocol (RDP) sessions. Security researchers have tracked the threat actors behind it since 2022.
RedClouds’ tactic is to steal data from drives shared via RDP, a technology widely used in workplaces, IT support, and system administration. Notably, the targeting aligns with Chinese interests and the tooling shows the sophistication typical of a state-sponsored Advanced Persistent Threat (APT) operation.
RDStealer is deployed on remote desktop servers, where it runs in an infinite loop checking whether a connecting client has shared any drives into the session. When it finds one, it notifies the command-and-control (C2) server and begins exfiltration, focusing in particular on credentials that would enable lateral movement within the network.
The campaign initially focused on East Asia but is expanding; because RDP is used everywhere, the same technique applies in every region. The data targeted, SSH keys and password databases, points to cyber espionage or to staging for ransomware attacks.
Acreto Solution
Acreto’s Ecosystem solution can be used against an attack such as RedClouds in the following ways:
- Ecosystem Segmentation: By limiting access only to users, devices, systems, and applications that need to interoperate together, Acreto’s ecosystems can limit the possible exposure to attacks.
- Eliminate Attack Surface: Acreto’s ecosystems can eliminate any and all access from the Internet while still allowing ecosystem members to interoperate with authorized systems and applications. This can prevent direct attacks from the Internet on sensitive RDP servers.
- Micro and Nano-Segmentation: Isolating individual systems, groups of systems on a shared network, or entire networks can limit access only to systems that need to interoperate together, making it more difficult for threat actors to move laterally in a network once they gain access.
- Secure Scan: Acreto’s Encrypted Secure Scan decrypts, scans, and re-encrypts communications inline and in real time, blocking malicious content embedded in the encrypted payload.
- Access Control: Acreto’s solution provides a variety of access controls based on user and device identity, network protocols, application protocols, and application programs.
- Content Control: Controls can be applied based on content categories and file type uploads/downloads, aiding in preventing data leaks.
- Change and Policy Management: Different Ecosystems operate completely independently from one another, simplifying change management and policy management processes. This can help in faster response and adaptation to emerging threats.
Contact Acreto today for more information or to evaluate Ecosystem security for your organization.
Ecosystem Security Isolation
Ecosystems deliver a dedicated security infrastructure that can be deployed per application, use-case, project or third-party. An Ecosystem inherently limits access only to users, devices, systems and applications that need to interoperate together.
Ecosystems support any technology, on any network, anywhere in the world. These include computers, mobile devices, IoTs, Offices, Clouds, SaaS and Data Centers.
Ecosystems can be configured as:
Open → With inbound or outbound access from or to the Internet or a third-party
Closed → Fully contained with access limited to Ecosystem members
Hybrid → Where some systems have inbound or outbound Internet access while others operate fully contained.
Eliminate the Internet Attack Surface
Eliminates any and all access from the Internet while Ecosystem members can interoperate with authorized systems and applications.
Eliminate the Internal Attack Surface
Ecosystems can easily isolate individual systems, groups of systems on a shared network, or entire networks, to limit access only to systems that need to interoperate together. This is done with:
- Micro-Segmentation: Segmenting groups of systems on any shared network, including hostile networks or the entire network.
- Nano-Segmentation: Isolating an individual system, device or application to limit access only to other authorized Ecosystem members.
Isolated Data Flows
Isolated data flows can be defined between two Ecosystem members to limit access to specified sources and destinations, network protocols and ports, application protocols as well as application programs.
Encrypted Secure Scan
Secure Scan addresses a key weakness in many security tools today: more than 90% of all communications are encrypted, yet only 10% of organizations have the means to secure them. Encrypted Secure Scan decrypts, scans, and re-encrypts communications inline and in real time.
Any malicious content embedded in the encrypted payload is blocked, otherwise the clean and validated communication is delivered to its final destination.
Controls
Access Control
Identity with MFA
- User: Authorizes access to the Ecosystem by a user’s identity, including MFA, as authenticated by the organization’s Directory Services such as Active Directory or LDAP, as well as third-party Identity Service Providers such as Okta, Ping, Duo, and CloudJump among others.
- Device: Assigns a unique identity to each device, so that a device that does not rely on a user to operate, such as an autonomous application or an IoT device, can be validated before it is allowed to join the Ecosystem.
Network Protocol / Port
Control the network protocol (TCP, UDP, ICMP) and Port (1-65535) any Ecosystem member can use to communicate with any other Ecosystem member or Internet resource by IP, user or device identity. Both inbound and outbound Internet flows are supported.
Application Protocol
Control the application protocol (HTTP, DNS, SMTP, SMB, etc…) any Ecosystem member can use to communicate with any other Ecosystem members or Internet resource by IP, user or device identity. Both inbound and outbound Internet flows are supported.
Application Program
Control the application program (MS-Exchange, Oracle, Facebook, GMail, etc…) any Ecosystem member can use to communicate with any other Ecosystem members or Internet resource by IP, user or device identity. Both inbound and outbound Internet flows are supported.
Content
Content Category
Control communication based on content categories such as Adult, Gambling, Politics, Malware sites among 90+ category options.
File Type Upload / Download Controls
Control upload / download of files by type such as .EXE, PDF, XLS, DOC, SCR, and MSI among hundreds of options.
Data Leak Prevention
Prevent data leaks by identifying and mitigating the upload or download of sensitive data such as:
- Credit Card Upload / Download Controls
- Social Security Number Upload / Download Controls
- RegEx Pattern Upload / Download Controls
Threat Prevention
After verification of network protocol, port, application protocol and application program, a deep inspection is performed on all communications. The effectiveness of this method is amplified by inline Encrypted Secure Scan. Threat prevention capabilities utilize two key methods:
Threat Signature
Identifies and mitigates known bad exploits, malware, botnets and ransomware.
Zero-Day Behavioral Analysis
Looks for behavioral indication of threats based on how system functions react to the payload, immediately and over time.
Simplicity
Acreto Ecosystems are very easy to provision and deploy. There are no hardware dependencies or associated logistics.
Provisioning an Ecosystem takes 3-5 minutes. Provide a unique name for the Ecosystem, choose the desired bandwidth, and within a few minutes the Ecosystem, with its dedicated security infrastructure, is ready.
Depending on your connection options for Ecosystem members, deployment can take between 10 minutes to a few hours.
Sustainability
Acreto Ecosystems utilize a sustainable model without any dependency on products and their associated logistics. There are no more updates, upgrades or technology refreshes.
Change Management
Different Ecosystems operate completely independently from one another. Therefore, a change impacts only the members of the specified Ecosystem, not the entire organization. This simplifies the traditionally complex change management process.
Policy Management
Policy management also benefits from Ecosystems. Because Ecosystems are specific to a customer scenario such as an application, use-case, project or third-party, all policies apply to that scenario. Moreover, when it’s time for policy cleanup because an application or use-case is retired, disabling or deleting the Ecosystem automatically prunes its policies. Policy cleanup has traditionally been a complex task that is at best done inaccurately.
Mechanisms of Attack
- The attack abuses the Remote Desktop Protocol (RDP), the Microsoft protocol that lets users connect remotely to Windows desktops and servers.
- RDP includes a feature called ‘device redirection’, which makes the client’s local drives, printers, and other devices available inside the remote session.
- Redirected client drives are exposed to the remote host through the ‘\\tsclient’ network share (for example, \\tsclient\C for the client’s C: drive), which can then be mapped to drive letters within the RDP session.
- Threat actors infect remote desktop servers with the RDStealer malware, which monitors RDP connections and automatically steals data from the connecting client’s local drives once they are redirected into the session on the server.
- RDStealer comprises five modules: a keylogger, a persistence establisher, a data theft and exfiltration staging module, a clipboard content capture tool, and a module providing encryption/decryption, logging, and file manipulation utilities.
- Once active, RDStealer continually checks whether any drives are available under the \\tsclient share. If it finds one, it notifies the C2 server and starts exfiltrating data.
- RDStealer specifically targets locations and filename extensions associated with the KeePass password database, SSH private keys, the Bitvise SSH client, MobaXterm, and mRemoteNG connection files, aiming for credentials that can be reused for lateral movement.
- On other drives, RDStealer scans everything except certain locations unlikely to hold valuable data.
- The malware is placed in specific folders that security solutions often exclude from scanning.
- Stolen data is staged locally as encrypted strings in the “C:\users\public\log.log” file until it is transmitted to the attackers’ servers.
- The final stage of RDStealer’s execution activates two DLL files: the Logutil backdoor (“bithostw.dll”) and its loader (“ncobjapi.dll”).
- Logutil is a custom Go-based backdoor that allows remote command execution and file manipulation on the infected device.
- Logutil relies on passive and active DLL sideloading to run on the breached system undetected, and uses Windows Management Instrumentation (WMI) as its activation trigger.
- Logutil communicates directly with the C2 server to obtain commands to execute. The C2 contains references to ESXi and Linux, suggesting multi-platform backdoor capabilities.
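The following PowerShell script is an added example, not part of the original article and not Acreto code. It ties the mechanism described above to the checks a defender would run on a Windows RDP server: it reports whether drive redirection is disabled by policy (the fDisableCdm registry value written by the "Do not allow drive redirection" Group Policy setting), probes for \\tsclient shares from inside the current session in the same way RDStealer’s loop does, and hunts for the file names the article quotes. The search roots are my assumption, since the article does not say where the DLLs are dropped; because DLL sideloading reuses legitimate library names, each hit is reported with its Authenticode signature status so that an unsigned copy, or a signed one outside its usual directory, stands out.

```powershell
# Added example (not from the article or Acreto): hardening and hunting checks
# for the RDStealer mechanism on a Windows RDP server. Reading the policy works
# unprivileged; Disable-DriveRedirection needs an elevated session.
# Assumptions not taken from the article: the search roots in
# Find-RdStealerArtifacts and the use of the policy-backed fDisableCdm value.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-DriveRedirectionState {
    # fDisableCdm = 1 is what the GPO "Do not allow drive redirection" writes.
    # When the value is absent, redirection is allowed (the Windows default).
    $prop = Get-ItemProperty -Path $PolicyKey -Name fDisableCdm -ErrorAction SilentlyContinue
    if ($null -ne $prop -and $prop.fDisableCdm -eq 1) { 'Disabled' } else { 'Allowed' }
}

function Disable-DriveRedirection {
    # Blocks \\tsclient drive mapping for new sessions on this host. Clipboard
    # redirection is a separate setting (fDisableClip) and is left alone here.
    if (-not (Test-Path -LiteralPath $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    Set-ItemProperty -Path $PolicyKey -Name fDisableCdm -Value 1 -Type DWord
}

function Test-TsclientExposure {
    # Run inside an RDP session: this is the same probe RDStealer loops on.
    # Every redirected client drive appears to the server as \\tsclient\<letter>.
    $found = @()
    foreach ($letter in [char[]](65..90)) {            # 'A'..'Z'
        $share = "\\tsclient\$letter"
        if (Test-Path -LiteralPath $share) { $found += $share }
    }
    return $found
}

function Find-RdStealerArtifacts {
    param(
        # Roots are a guess; the article does not say where the DLLs are dropped.
        [string[]]$Roots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)})
    )
    # The staging path and DLL names are the ones quoted in the article.
    $staging = 'C:\Users\Public\log.log'
    $dllNames = @('bithostw.dll', 'ncobjapi.dll')
    $files = @()
    if (Test-Path -LiteralPath $staging) { $files += Get-Item -LiteralPath $staging }
    foreach ($root in $Roots) {
        if ($root -and (Test-Path -LiteralPath $root)) {
            $files += Get-ChildItem -Path $root -Recurse -File -Include $dllNames -ErrorAction SilentlyContinue
        }
    }
    foreach ($f in $files) {
        # Sideloading reuses legitimate library names, so report signature status:
        # an unsigned copy, or a signed one outside its usual directory, is the lead.
        $sig = Get-AuthenticodeSignature -FilePath $f.FullName
        $signer = ''
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        [pscustomobject]@{
            Path      = $f.FullName
            Bytes     = $f.Length
            Modified  = $f.LastWriteTime
            Signature = $sig.Status
            Signer    = $signer
        }
    }
}

# Report. Call Disable-DriveRedirection separately once the change is approved.
"Drive redirection policy : $(Get-DriveRedirectionState)"
$exposed = Test-TsclientExposure
"Redirected client drives : $(if ($exposed) { $exposed -join ', ' } else { 'none' })"
$hits = @(Find-RdStealerArtifacts)
if ($hits.Count) { $hits | Format-Table -AutoSize } else { 'No RDStealer file artifacts found.' }
```

Disabling drive redirection removes the \\tsclient share the malware depends on, but it only takes effect for new sessions; sessions already established keep their mapped drives until they disconnect. Treat a hit on the staging file or on an unsigned copy of either DLL as a trigger for full host triage, not as confirmation on its own.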
About Acreto
Acreto delivers full-stack cybersecurity without products, logistics or significant security expertise. It creates and consolidates the best of cybersecurity into a single plug-and-play platform with automated updates to stay ahead of threats. Acreto activates enterprise-grade security instantly, so organizations can run safely, easily, and without interruption.