The phrase “data is the new oil” has never felt more familiar. In this day and age, data is everything. Your personal information, including asset keys and passwords, is always valuable to cybercriminals because they can gain a lot from it.
Thus, keeping your data safe and secure is highly important, as it holds the key to your personal secrets, financial assets, and much more. Protecting yourself against stealer malware, a kind of malware built to steal credentials, should be a top priority.
However, establishing good cybersecurity measures has become more challenging since Bitdefender Labs discovered RDStealer, a stealer malware that specifically targets remote desktop connections. So, if you use the Remote Desktop Protocol, knowing whether you’ve been targeted or infected is really important.
Fortunately, there are some things you can do to deal with stealer malware if you find out you’re infected. Check the explanation below!
What Is Stealer Malware
Before going further into remote desktop protection, let us first understand what stealer malware is. Stealer malware is one kind of malware and a tool of cybercrime that threatens internet users. For reference, malware is software designed with the aim of harming or damaging a device.
With stealer malware, the malicious program tries to steal transaction data for financial gain. This malware usually arrives via email attachments or untrusted websites, so you should not carelessly click links or visit unknown sites, because such a website will usually trick you into downloading and installing the malicious application.
So, what data is stolen by stealer malware? It includes:
- Credit or debit card data commonly used for online payments.
- User IDs and application passwords.
- Passwords automatically saved in the browser.
- Managed usernames, or usernames and passwords stored on the device.
- FTP user accounts and passwords, as well as screenshots of the desktop.
- Data stored on devices, whether computers, laptops, or mobile phones.
Kinds of Stealer Malware
A stealer, also known as an infostealer, is a piece of malicious software (malware) that tries to steal information. Typically, this malware goes after information that can generate money for the attackers. A standard form of information theft involves collecting login information, such as usernames and passwords, which is then sent to other systems via email or over a network.
After stealing sensitive information from a person’s system, the stealer sends it to the threat actor, who can then blackmail the victim and demand money, or sell the victim’s data on the black market and dark web forums such as RaidForums and HackForums, or marketplaces like Genesis that trade in stolen data.
Based on the Attack Landscape Update report published by F-Secure on March 30, 2021, Stealers and Automated Recon are included in the Trending Threats category, along with Ransomware 2.0 and Dodging Detection.
The first stealer malware example is FormBook. It’s a stealer Trojan used specifically to steal users’ sensitive information. FormBook is actually a basic stealer malware often used by low-skilled hackers with limited programming capabilities, probably because it’s easier to use and deploy than other types of stealer malware.
FormBook is spread through email campaigns that often land on completely random people; the email is sent in bulk to as many people as possible. It’s basically phishing. In the email, the hacker plants a file containing the malware, which could be a DOC, PDF, ZIP, or any other type of file.
Once downloaded and installed on the victim’s computer, FormBook immediately gets to work stealing the user’s data from the inside.
Raccoon is another type of stealer malware, first introduced by an anonymous actor known as “raccoonstealer”. It steals any data stored within a browser, such as browsing history, cookies, autofill data, and even user credentials. Aside from targeting browsers, Raccoon also goes after crypto wallets.
Since it can be really harmful, users are advised to have at least some additional protection. How? By installing a VPN. With a VPN, you can even get dynamic IP addresses for various purposes. Note that dynamic IP addresses are safer. That’s why having a VPN is a must, especially if you use the internet a lot.
Another type of information-stealing malware is AZORult. It infects the victim’s computer and then extracts its data. Using data from the computer, AZORult creates a new unique ID and uses it to encrypt data with XOR. This ID is later used to send a request to the C2 server.
The C2 server responds with information containing the browser name and the data held there, including the API, path info, queries, and DLLs. Once the data has been obtained, the hackers can collect the previously packed information. Beyond that, this malware can also download and run additional software, which makes the situation worse.
Now there’s a specific stealer malware called RDStealer. Hackers use it to steal login credentials by directly infecting the RDP server and, at the same time, monitoring everything that passes through it. It uses Logutil as a backdoor to infect remote desktops and opens access via the RDStealer installation from the client side.
When a remote device connects to the server and client drive mapping (CDM) is active, the malware scans that device for key information, such as browser passwords, SSH keys, database passwords, and more. At the same time, it runs a keylogger to capture keystrokes and data stored in the clipboard.
What makes RDStealer even more dangerous is that it works whether the system is on the client side or the server side. When it infects a network, it drops new malicious files in important folders such as Program Files and System32. Why? Because these folders are often excluded from malware scans.
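As an added example (not code from the original article or from Bitdefender’s report), the following PowerShell script audits the folders the text says are often excluded from scans. It lists executables and DLLs created or modified under Program Files and System32 within a recent window and records each file’s Authenticode signature status, signer, and SHA-256 hash, so an administrator can review what appeared there. The default paths, the 7-day window, and the output fields are assumptions; a listed file is a lead to investigate, not proof of infection.

```powershell
# Added example, not code from the original article: audit folders that are
# often excluded from malware scans (Program Files, System32) for recently
# created or modified executables and DLLs, and report their signature status.
param(
    # Look back this many days (assumed default; widen it to cover the incident window)
    [int]$Days = 7,
    # Folders to audit (assumed defaults, based on the folders named in the text)
    [string[]]$Paths = @(
        $env:ProgramFiles,
        ${env:ProgramFiles(x86)},
        (Join-Path $env:SystemRoot 'System32')
    )
)

$cutoff = (Get-Date).AddDays(-$Days)

$findings = foreach ($root in $Paths) {
    # Skip empty entries (e.g. no 32-bit Program Files) and missing folders
    if (-not $root -or -not (Test-Path -LiteralPath $root)) { continue }

    Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in @('.exe', '.dll') } |
        Where-Object { $_.CreationTime -ge $cutoff -or $_.LastWriteTime -ge $cutoff } |
        ForEach-Object {
            # Signature status is Valid, NotSigned, HashMismatch, UnknownError, ...
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                Created   = $_.CreationTime
                Modified  = $_.LastWriteTime
                Signature = $sig.Status
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# Newest files first; unsigned or tampered (HashMismatch) entries deserve the closest look.
$findings |
    Sort-Object Created -Descending |
    Format-Table Created, Signature, Signer, Path -AutoSize

# Keep the full records (including hashes) for comparison with vendor advisories
$findings | Export-Csv -LiteralPath (Join-Path $env:TEMP 'scan-excluded-audit.csv') -NoTypeInformation
```

Run it in an elevated PowerShell session on the affected host (for example `.\audit-excluded-folders.ps1 -Days 14`). Compare the results against legitimate updates and installers applied in the same window before treating any entry as suspicious; the CSV written to the temp folder keeps the hashes so they can be checked against vendor indicators later.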
How to Deal With Stealer Malware
To reduce the impact of an infection, the National Cyber Security Center (NCSC) provides several steps that users must take if their organization has been infected with malware such as a stealer, ransomware, a RAT, or others. In general, the steps to reduce the impact are as follows:
- First, disconnect all devices, including the remote desktops, from the network, whether wired or wireless. The point is to keep those devices off the network.
- Disable the Wi-Fi connection and stay away from the internet, at least for the time being.
- Reset passwords, including administrator passwords and those of other important accounts. Make sure you won’t be locked out of the system.
- Additionally, wipe the infected device and reinstall the OS.
- Before restoring data from a backup, verify that the backup is free of malware, and only restore it if both the backup and the connected device are clean.
- Connect the device to a network that is not infected with malware to download, install, and update the OS and all other software. After that, install, update, and run antivirus software.
- Reconnect the device to the network, monitor network traffic, and run an antivirus scan to check whether any malware infection is still present.