A targeted cyber-attack against an East Asian IT company used a custom malware called RDStealer, written in Golang. The campaign, tracked as RedClouds, began in early 2022 and is believed to align with the interests of China-based threat actors. “The operation was active for more than a year with the end goal of compromising credentials and data exfiltration,” Bitdefender security researcher Victor Vrabie said in a technical report.
In the initial stages, the attackers relied on readily available remote access and post-exploitation tools like AsyncRAT and Cobalt Strike. However, they later shifted to bespoke malware to evade detection.
To avoid detection by security software, the attackers employed several anti-detection methods. One tactic was to place their tooling in Microsoft Windows folders that are typically excluded from scanning, such as “C:\Program Files\Dell\CommandUpdate.” That folder belongs to a legitimate Dell application, which further camouflaged the malicious activity, as all the infected machines were manufactured by Dell.
The threat actors further attempted to blend in with the target environment by registering command-and-control (C2) domains like “dell-a[.]ntp-update[.]com.” By doing so, they aimed to appear as legitimate entities within the network.
Dave Ratner, CEO of HYAS, had this to say:
“Malicious actors continue to find new mechanisms to cover their tracks, evade detection, and even masquerade their command-and-control communication. It’s further proof that advanced Protective DNS with unique knowledge of what is, and isn’t, adversarial infrastructure is a critical layer in a modern security stack, as recommended by CISA and others. Increasingly, it’s clear that detection of the beaconing behavior is the best way to drive the time required from infection to detection and remediation as close to zero as possible.”
The best way to stop attacks is to detect them before the threat actors have a chance to set up shop within your environment. Thus, any steps you can take toward that goal will only help you in the long run.
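As an added example (not code from Bitdefender's report or from HYAS), the Python below sketches the two defender-side checks this article touches on: flagging DNS queries for names that borrow a vendor brand such as "dell" but sit under an unrelated registrable domain, like the C2 domain named above, and measuring how regular repeated queries from one host are, since a fixed check-in timer is the beaconing behaviour Ratner refers to. The brand allow-list, the log format and the log lines are constructed assumptions, not real telemetry.

```python
import statistics
from collections import defaultdict
from typing import Optional

# Constructed DNS query log: "<epoch seconds> <client ip> <queried name>".
# The lookalike name is the C2 domain named in the report; the rest is made up.
SAMPLE_DNS_LOG = """\
1700000000 10.0.0.21 www.dell.com
1700000005 10.0.0.34 dell-a.ntp-update.com
1700000065 10.0.0.34 dell-a.ntp-update.com
1700000124 10.0.0.34 dell-a.ntp-update.com
1700000186 10.0.0.34 dell-a.ntp-update.com
1700000245 10.0.0.34 dell-a.ntp-update.com
1700000420 10.0.0.57 time.windows.com
1700000433 10.0.0.57 dellupdates.example.net
"""

# Assumed allow-list: brand tokens and the registrable domains the vendor really uses.
BRAND_ALLOWLIST = {"dell": {"dell.com"}}

def registrable_domain(fqdn: str) -> str:
    """Last two labels; adequate for .com/.net, no public-suffix handling."""
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])

def is_brand_lookalike(fqdn: str) -> bool:
    """True when a vendor token appears in the name but the registrable domain
    is not one the vendor legitimately uses (heuristic; expect false positives)."""
    name = fqdn.lower()
    rd = registrable_domain(name)
    return any(brand in name and rd not in legit for brand, legit in BRAND_ALLOWLIST.items())

def beacon_regularity(timestamps: list) -> Optional[float]:
    """Coefficient of variation of inter-query gaps; near 0 means a fixed timer.
    Needs at least 4 queries to say anything."""
    if len(timestamps) < 4:
        return None
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    mean = statistics.mean(gaps)
    return statistics.pstdev(gaps) / mean if mean else None

def flag_dns_log(log_text: str, max_cv: float = 0.2) -> dict:
    """Per (client, name): report lookalike names, and mark 'beacon' when the
    query gaps are regular enough to suggest a C2 check-in timer."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, client, name = line.split()
            seen[(client, name.lower())].append(int(ts))
    findings = {}
    for key, stamps in seen.items():
        lookalike = is_brand_lookalike(key[1])
        cv = beacon_regularity(sorted(stamps))
        beacon = cv is not None and cv <= max_cv
        if lookalike or beacon:
            findings[key] = {"lookalike": lookalike, "queries": len(stamps), "beacon": beacon}
    return findings
```

Running `flag_dns_log(SAMPLE_DNS_LOG)` flags the C2 name as both a lookalike and a beacon (about a 60-second timer) and the made-up `dellupdates.example.net` as a lookalike only; the genuine `www.dell.com` query is left alone.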