
RDStealer Malware Removal

RDStealer, a data-stealing malware, utilizes the Go programming language. This malware chain incorporates the Logutil backdoor, which establishes a system “backdoor” to advance the infection. Logutil, also developed using Go, is a cross-platform malware capable of infecting systems running Windows, Linux, and VMware ESXi.

RDStealer targets various types of sensitive data, but what sets this campaign apart is its ability to monitor RDP (Remote Desktop Protocol) connections and infect the connecting clients.

RDStealer-associated campaigns have been active since early 2022, indicating a highly sophisticated operation likely backed by a state-sponsored threat actor. While it is challenging to pinpoint the exact origin, the campaign’s targets align with Chinese interests.

The actor behind this malware is not new; its activity was first detected in 2020. Earlier attacks used AsyncRAT and Cobalt Strike, but the actor later shifted to custom malware such as RDStealer and Logutil.

It is better to prevent than to repair and repent!

When we talk about the intrusion of unfamiliar programs into your computer’s work, the proverb “Forewarned is forearmed” describes the situation as accurately as possible. Gridinsoft Anti-Malware is exactly the tool that is always useful to have in your armory: fast, efficient, up-to-date. It is appropriate to use it as an emergency help at the slightest suspicion of infection.


Overview of RDStealer malware

RDStealer campaigns exhibit a high level of sophistication, employing several techniques to avoid detection on compromised machines. One of them is placing the malware in folders that security solutions often exclude from scanning. For instance, an analysis of a Dell device infected with RDStealer found the malware in the following folders:

  • %WinDir%\System32\
  • %WinDir%\System32\wbem\
  • %WinDir%\security\database\
  • %PROGRAM_FILES%\f-secure\psb\diagnostics
  • %PROGRAM_FILES_x86%\dell\commandupdate\
  • %PROGRAM_FILES%\dell\md storage software\md configuration utility\

The selection of folders may vary from one victim to another; the goal is always to sit somewhere security tools are unlikely to look.

This is why full system scans matter. A “quick scan” skips uncommon hiding spots such as the ones above, while a “complete” system scan examines the entire device.
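An added triage script, not part of the original post, that audits the six folders listed above for executables and libraries that are either not validly signed or were written recently. The folder list comes from the article; the 30-day window and the output fields are assumptions for the example.

```powershell
# Added example: list unsigned or recently written binaries in the folders the
# analysis names as RDStealer hiding spots. The result is a triage list for a
# human or an anti-malware scan, not a verdict on its own.
$paths = @(
    "$env:windir\System32",
    "$env:windir\System32\wbem",
    "$env:windir\security\database",
    "$env:ProgramFiles\f-secure\psb\diagnostics",
    "${env:ProgramFiles(x86)}\dell\commandupdate",
    "$env:ProgramFiles\dell\md storage software\md configuration utility"
)
$cutoff = (Get-Date).AddDays(-30)   # assumed window; adjust to the incident timeline

function Get-SuspiciousBinary {
    param([string[]]$Folders, [datetime]$NewerThan)
    foreach ($folder in $Folders) {
        # Folders that do not exist on this host (e.g. no Dell software) are skipped.
        if (-not (Test-Path -LiteralPath $folder)) { continue }
        Get-ChildItem -LiteralPath $folder -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -in '.exe', '.dll' } |
            ForEach-Object {
                # Get-AuthenticodeSignature also recognises catalog-signed OS files.
                $sig    = Get-AuthenticodeSignature -LiteralPath $_.FullName
                $recent = $_.LastWriteTime -gt $NewerThan
                if ($sig.Status -ne 'Valid' -or $recent) {
                    [pscustomobject]@{
                        Path          = $_.FullName
                        LastWriteTime = $_.LastWriteTime
                        Signature     = $sig.Status
                        Signer        = $sig.SignerCertificate.Subject
                        SHA256        = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                    }
                }
            }
    }
}

Get-SuspiciousBinary -Folders $paths -NewerThan $cutoff |
    Sort-Object LastWriteTime -Descending |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell session; the SHA256 column lets you compare findings against a vendor's published indicators without re-hashing by hand.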

As mentioned earlier, RDStealer is a data-stealing malware that extracts and exfiltrates information from infected machines. This malicious program scans systems for various types of data and exfiltrates it from specific folders and applications.

The targeted data includes, but is not limited to, browsing history and saved login credentials from the Google Chrome browser, mRemoteNG (remote connections manager), MobaXterm (remote desktop client), and KeePass (password manager).

In addition, RDStealer possesses keylogging capabilities to record keystrokes and can extract clipboard content (data copied to the copy/paste buffer).

Moreover, the malware’s reach extends beyond the initially infected host: it can spread to other devices that connect to it over RDP. By monitoring incoming RDP connections, the infection can be passed to the remote machine, particularly when client drive mapping is enabled. Drive mapping is often enabled in large networks for tasks such as file sharing between servers.

If conditions are favorable, the Logutil backdoor infects the remotely connected device and subsequently installs RDStealer.
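An added defender-side check, not from the original post, for the condition the previous two paragraphs describe: whether client drive redirection is allowed on a Windows host that accepts RDP connections, and which clients have connected recently. It uses the standard Terminal Services policy value `fDisableCdm` and event ID 1149 from the RemoteConnectionManager log; the 7-day lookback is an assumption.

```powershell
# Added example: report whether RDP client drive mapping is blocked, optionally
# block it, and list recent inbound RDP connections for review.
function Get-RdpDriveRedirectionState {
    # fDisableCdm = 1 is the "Do not allow drive redirection" setting.
    $keys = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services',
        'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    )
    foreach ($key in $keys) {
        $value = (Get-ItemProperty -Path $key -Name fDisableCdm -ErrorAction SilentlyContinue).fDisableCdm
        [pscustomobject]@{
            Key                 = $key
            fDisableCdm         = $value
            DriveMappingBlocked = ($value -eq 1)
        }
    }
}

function Disable-RdpDriveRedirection {
    # Writes the policy value; needs an elevated shell and applies to new sessions.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name fDisableCdm -Value 1 -Type DWord
}

function Get-RecentRdpConnections {
    param([int]$Days = 7)   # assumed lookback window
    # Event 1149: an RDP client passed network-level authentication on this host.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'
        Id        = 1149
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time     = $_.TimeCreated
            User     = $_.Properties[0].Value
            Domain   = $_.Properties[1].Value
            SourceIP = $_.Properties[2].Value
        }
    }
}

Get-RdpDriveRedirectionState | Format-Table -AutoSize
Get-RecentRdpConnections -Days 7 | Format-Table -AutoSize
```

If drive mapping must stay enabled for a server, the connection list is the starting point for deciding which clients to scan next.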

It’s worth noting that malware developers frequently enhance their creations, streamlining processes and adding additional functionalities. Therefore, future versions of RDStealer may possess different capabilities.

Name: RDStealer
Damage: Severe privacy issues, financial losses, and the risk of identity theft. It can lead to the unauthorized extraction and exfiltration of sensitive data from infected machines, posing a significant threat to individuals and organizations. The malware’s capabilities, such as capturing login credentials and browsing history, can compromise personal and confidential information, potentially resulting in financial harm and the misuse of sensitive data.
Fix Tool: GridinSoft Anti-Malware

In summary, high-risk malware infections like Logutil and RDStealer can lead to severe privacy issues, financial losses, and identity theft. When targeted at highly sensitive entities such as institutions, organizations, and governmental bodies, the consequences can be even more significant.

Examples of Stealer-type malware

Our recent research has covered numerous stealers, including FadeStealer, RustyStealer, Mystic Stealer, and Skuld.

Information-stealing software can focus on specific details or a wide range of data. Additionally, malicious functionalities are not mutually exclusive, allowing malware to possess different combinations of capabilities.

Regardless of the operating mechanisms of malicious software, its presence on a system jeopardizes device integrity and user safety. Therefore, immediate elimination of all threats upon detection is crucial.

How did RDStealer infiltrate my computer?

The precise method of RDStealer infiltration remains unknown. Generally, malware is propagated through phishing and social engineering techniques. In sophisticated campaigns targeting specific entities, such as RDStealer, these tactics are often tailored for the intended targets.

Malicious software is typically disguised as or bundled with ordinary program/media files. These files can be executables (.exe, .run, etc.), archives (ZIP, RAR, etc.), documents (Microsoft Office, Microsoft OneNote, PDF, etc.), JavaScript, and more. Once a malicious file is executed, run, or opened, the infection chain is triggered.

The most commonly used methods for distributing malware include malicious attachments/links in spam emails, drive-by (stealthy/deceptive) downloads, suspicious download channels (freeware and free file-hosting websites, P2P sharing networks, etc.), illegal software activation tools, fake updates, online scams, and malvertising.

Furthermore, certain malicious programs can self-propagate through local networks and removable storage devices (external hard drives, USB flash drives, etc.). RDStealer is capable of spreading to RDP-connected devices.

How to remove the RDStealer from my PC?

RDStealer malware is very difficult to delete by hand. It places its files in several locations across the disk and can restore itself from any surviving component. Moreover, its numerous changes to the registry, networking configuration and Group Policies are hard to locate and revert to their original state. It is far better to use a dedicated tool, namely an anti-malware program. GridinSoft Anti-Malware is well suited to malware removal.

Why GridinSoft Anti-Malware? It is lightweight, and its detection databases are updated nearly every hour. Additionally, it does not have the bugs and exploits that Microsoft Defender does. Together, these aspects make GridinSoft Anti-Malware well suited to removing malware of any type.


Remove the RDStealer with GridinSoft Anti-Malware

  • Download and install GridinSoft Anti-Malware. After the installation, you will be offered a Standard Scan. Approve this action.
  • The Standard Scan checks the logical disk where the system files are stored, together with the files of programs you have already installed. The scan takes up to 6 minutes.
  • When the scan is over, you may choose the action for each detected threat. For all files of RDStealer the default option is “Delete”. Press “Apply” to finish the malware removal.

Frequently Asked Questions (FAQ)

What is RDStealer?

RDStealer is a data-stealing malware designed to extract sensitive information from infected machines. It operates as a stealer and can infiltrate various systems.

How does RDStealer spread?

The exact method of RDStealer’s infiltration is unknown. However, malware typically spreads through phishing, social engineering techniques, and disguising itself within ordinary files or programs.

What systems are vulnerable to RDStealer?

RDStealer can infect systems running Windows, Linux, and VMware ESXi due to its cross-platform capabilities.

What data does RDStealer target?

RDStealer targets a range of sensitive data, including browsing history, saved login credentials, and information from applications such as Google Chrome, mRemoteNG, MobaXterm, and KeePass. It also has keylogging capabilities and can extract clipboard content.

How can I protect my system from RDStealer?

To protect against RDStealer and similar malware, it is important to employ robust security measures. This includes keeping your operating system and applications up to date, using reputable antivirus software, avoiding suspicious downloads and email attachments, and practicing safe browsing habits.

Can RDStealer infect other devices on a network?

Yes, RDStealer has the ability to spread to other devices connected through Remote Desktop Protocol (RDP) if client drive mapping is enabled. This can pose a risk to large networks with drive mapping enabled for file sharing between servers.

What are the potential consequences of an RDStealer infection?

RDStealer can lead to severe privacy issues, financial losses, and identity theft. If targeted at highly sensitive entities like institutions or governmental bodies, the consequences can be even more significant.

Are there variations of RDStealer with different capabilities?

Malware developers often enhance their creations over time. Future versions of RDStealer could potentially have different capabilities, streamlined processes, or additional functionalities.

How can I detect and remove RDStealer from my system?

Detecting and removing RDStealer requires robust antivirus software capable of identifying and eliminating the malware. Conducting full system scans, employing intrusion detection systems, and promptly addressing any suspicious activity can help in the detection and removal process.

What should I do if I suspect my system is infected with RDStealer?

If you suspect an RDStealer infection, it is crucial to isolate the affected system from the network, immediately run a comprehensive antivirus scan, and seek assistance from IT professionals to ensure proper mitigation and remediation of the threat.

The post RDStealer Malware Removal appeared first on How To Fix Guide.
