New RDStealer malware steals from drives shared over Remote Desktop (Security News, June 2023)
A cyberespionage and hacking campaign tracked as 'RedClouds' uses the custom 'RDStealer' malware to automatically steal data from drives shared through Remote Desktop connections.
The Remote Desktop Protocol is a proprietary Microsoft protocol that allows users to remotely connect to Windows desktops and use them as if they were in front of the computer.
The Remote Desktop Protocol includes a feature called 'device redirection,' which lets a user make their local drives, printers, the Windows clipboard, ports, and other devices available to the remote host, so that they are accessible from inside the remote desktop session.
If the local C: drive is shared via device redirection, it appears as the '\\tsclient\C' share in the RDP session, through which files stored on the client machine can be accessed from the remote Windows desktop.
The threat actors infect remote desktop servers with a custom RDStealer malware that takes advantage of this device redirection feature.
Upon activation, RDStealer enters an infinite loop of calling the "DiskMounted" function, which checks whether the C, D, E, F, G, or H drives are available as \\tsclient\<letter> network shares.
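A defender-side check for the polling behaviour described above, added here as an example and not code from the original article or from the RDStealer analysis it summarises: it scans a normalised feed of (timestamp, process, path) file-access events (the sample events, process names and the `\\tsclient` root-probe threshold are constructed assumptions) and flags any process that repeatedly touches the bare roots of several redirected drives rather than files inside them.

```python
import re
from collections import defaultdict

# Constructed sample of file-access telemetry (timestamp, process, path), in the
# shape a normalised EDR or Sysmon-style file-access feed might take. The values
# are invented for this example and are not logs from the RDStealer campaign.
SAMPLE_EVENTS = [
    ("10:00:01", "explorer.exe",   r"\\tsclient\C\Users\alice\Documents\q2.xlsx"),
    ("10:00:02", "winword.exe",    r"\\tsclient\C\Users\alice\Documents\q2.xlsx"),
    ("10:00:05", "svc_update.exe", r"\\tsclient\C"),
    ("10:00:05", "svc_update.exe", r"\\tsclient\D"),
    ("10:00:05", "svc_update.exe", r"\\tsclient\E"),
    ("10:00:05", "svc_update.exe", r"\\tsclient\F"),
    ("10:00:05", "svc_update.exe", r"\\tsclient\G"),
    ("10:00:05", "svc_update.exe", r"\\tsclient\H"),
    ("10:00:10", "svc_update.exe", r"\\tsclient\C"),
    ("10:00:10", "svc_update.exe", r"\\tsclient\D"),
    ("10:00:11", "notepad.exe",    r"C:\Windows\Temp\notes.txt"),
]

# Matches only the root of a redirected drive, \\tsclient\<letter>, with an
# optional trailing backslash; anything deeper in the share does not match.
ROOT_RE = re.compile(r"^\\\\tsclient\\([a-z])\\?$", re.IGNORECASE)


def redirected_root(path):
    """Return the drive letter if `path` is the bare root of a \\tsclient share, else None."""
    m = ROOT_RE.match(path)
    return m.group(1).upper() if m else None


def find_share_pollers(events, min_distinct=3, min_probes=6):
    """Flag processes that probe the roots of several redirected drives.

    Ordinary use touches files *inside* \\tsclient\C; a process that keeps
    checking the bare roots of C..H behaves like RDStealer's DiskMounted loop.
    Returns {process: (sorted distinct drive letters, total root probes)}.
    """
    letters = defaultdict(set)
    probes = defaultdict(int)
    for _ts, proc, path in events:
        letter = redirected_root(path)
        if letter is None:
            continue
        letters[proc].add(letter)
        probes[proc] += 1
    return {proc: (sorted(letters[proc]), probes[proc])
            for proc in letters
            if len(letters[proc]) >= min_distinct and probes[proc] >= min_probes}


if __name__ == "__main__":
    for proc, (drives, n) in find_share_pollers(SAMPLE_EVENTS).items():
        print(f"{proc}: probed redirected drive roots {','.join(drives)} ({n} times)")
```

The thresholds are deliberately conservative; tune `min_distinct` and `min_probes` against a baseline of legitimate RDP sessions before alerting on them.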