New RDStealer malware steals from drives shared over Remote Desktop (Security News, June 2023)
A cyberespionage and hacking campaign tracked as 'RedClouds' uses the custom 'RDStealer' malware to automatically steal data from drives shared through Remote Desktop connections.
The Remote Desktop Protocol is a proprietary Microsoft protocol that allows users to remotely connect to Windows desktops and use them as if they were in front of the computer.
The Remote Desktop Protocol includes a feature called 'device redirection' that lets a user make local drives, printers, the Windows clipboard, ports, and other devices available to the remote host, where they can be accessed from inside the remote desktop session.
If the local C: drive is shared via device redirection, it appears in the RDP session as the \\tsclient\C share, through which files stored on the client machine can be accessed from the remote Windows desktop.
The threat actors infect remote desktop servers with the custom RDStealer malware, which abuses this device redirection feature.
Once running, RDStealer enters an infinite loop that calls a function named "DiskMounted", which checks whether any of the C, D, E, F, G, or H drives has been redirected and is reachable as a \\tsclient\<letter> share.
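As an added example (not code from the article, and not part of RDStealer), the PowerShell below, run inside an RDP session on a server, reports which \\tsclient\<letter> shares from C through H are currently reachable, which is the same check the malware's DiskMounted loop performs, and then reads and optionally sets the "Do not allow drive redirection" policy (the fDisableCdm DWORD under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services) so the host stops exposing redirected drives at all. The function names are the example's own.

```powershell
# Added example, not from the article and not RDStealer code. Run inside an
# RDP session on the remote host to see which client drives are exposed as
# \\tsclient\<letter>, then check/enforce the host-side redirection policy.

function Get-RedirectedDrive {
    # Drive letters the article says RDStealer probes (C through H).
    param([char[]]$Letters = @('C', 'D', 'E', 'F', 'G', 'H'))

    foreach ($letter in $Letters) {
        $share = "\\tsclient\$letter"
        # Test-Path is $true only if the connecting client actually redirected
        # that drive; this mirrors what the malware's polling loop checks.
        [pscustomobject]@{
            Share     = $share
            Reachable = Test-Path -LiteralPath $share
        }
    }
}

function Get-DriveRedirectionPolicy {
    # The Group Policy "Do not allow drive redirection" (Computer Configuration >
    # Administrative Templates > Windows Components > Remote Desktop Services >
    # Remote Desktop Session Host > Device and Resource Redirection) is stored
    # as the fDisableCdm DWORD under this key.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $value = (Get-ItemProperty -Path $key -Name fDisableCdm -ErrorAction SilentlyContinue).fDisableCdm
    [pscustomobject]@{
        PolicyKey          = $key
        fDisableCdm        = $value
        RedirectionBlocked = ($value -eq 1)
    }
}

function Disable-DriveRedirection {
    # Hardening: block drive redirection on the server side so that
    # \\tsclient\<letter> never appears, whatever the client offers.
    # Requires administrative rights; applies to new sessions only.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    if (-not (Test-Path -Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    New-ItemProperty -Path $key -Name fDisableCdm -PropertyType DWord -Value 1 -Force | Out-Null
    Get-DriveRedirectionPolicy
}

# Report what is exposed right now and what the policy currently says.
Get-RedirectedDrive | Format-Table -AutoSize
Get-DriveRedirectionPolicy | Format-List
# To enforce the block on a server that should never accept redirected drives:
# Disable-DriveRedirection
```

Setting fDisableCdm only affects sessions opened after the change; sessions that already have a redirected drive keep it until they disconnect. On a server that must accept some redirection, the same probe run periodically from a scheduled task gives a quick inventory of which sessions are exposing client drives.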