Experts uncover a long-term malicious operation against an IT company in East Asia, revealing the new RDStealer malware

Lord777

Dell has become an unwitting accomplice in the intruders' disguise.

According to a recent report by Romanian cybersecurity firm Bitdefender, an unnamed East Asian IT company was targeted in a sophisticated cyber attack. The operation, which lasted more than a year, involved malware called RDStealer, written in the Go programming language. The main purpose of the attack was to compromise credentials and steal highly sensitive information from the victim company.

At the initial stage of the operation, the attackers used publicly available remote access tools such as AsyncRAT and Cobalt Strike. Later, they switched to their own custom malware to better evade detection.

The attackers actively exploited weaknesses in Microsoft Windows security and stored their malicious modules in folders that are commonly excluded from antivirus scanning, such as System32 and Program Files.

One such directory used by the attackers is the path "C:\Program Files\Dell\CommandUpdate". This is the folder used by Dell's legitimate software update application.

In addition, Bitdefender specialists found that all the computers infected during the incident were made by Dell, so the choice of folder was deliberate and indicates that the attackers did some preparation before the attack. Even a tech-savvy employee who deliberately searches the system for malware is unlikely to spot a payload placed in such a location.

RDStealer specializes in collecting clipboard data and keyboard input. However, its distinctive feature is the ability to track incoming connections via RDP (Remote Desktop Protocol) and compromise the remote machine if Client Drive Mapping is enabled.

The attackers also infected the connecting RDP clients with another specialized Go-based malware known as Logutil, which allowed them to maintain a persistent presence on the victim's network and facilitate the execution of malicious commands.

"Cybercriminals are constantly exploring new methods to increase the reliability and invisibility of their malicious actions. This attack is evidence of the increasing complexity of cybercrime operations," said Marin Zugec, a specialist at Bitdefender.

Even IT companies are often powerless against professional hackers, so it is necessary to constantly improve the level of cybersecurity and employee awareness of possible threats. This is the only way to protect your data and reputation from unwanted consequences.
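The report's point about payloads parked in antivirus exclusion folders suggests a simple defensive audit: enumerate executables inside each excluded folder and flag any that are unsigned or signed by a publisher you would not expect there. The script below is an added example, not code from Bitdefender or Dell; the inventory records and the Dell binary name are constructed sample data, and the "signer" field stands in for a real Authenticode check that a collector on the host would supply.

```python
"""Flag executables inside AV-excluded folders with unexpected signers.

Added example. FileRecord.signer is assumed to come from a host-side
signature check (e.g. Get-AuthenticodeSignature); here it is sample data.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

EXECUTABLE_SUFFIXES = {".exe", ".dll", ".ps1", ".bat"}


@dataclass(frozen=True)
class FileRecord:
    path: str    # full Windows path of the file
    signer: str  # publisher reported by the signature check, "" if unsigned


def is_under(path: str, folder: str) -> bool:
    """True if path lies inside folder (Windows, case-insensitive semantics)."""
    p = PureWindowsPath(path.lower())
    f = PureWindowsPath(folder.lower())
    return p == f or f in p.parents


def audit_exclusion_dirs(records, exclusions):
    """Return (path, reason) findings for executables in excluded folders.

    exclusions maps each excluded folder to the set of publishers that
    legitimately ship code there, so a non-Dell binary dropped into the
    Dell Command Update folder is reported even though AV skips the path.
    """
    findings = []
    for rec in records:
        if PureWindowsPath(rec.path).suffix.lower() not in EXECUTABLE_SUFFIXES:
            continue
        for folder, expected_signers in exclusions.items():
            if not is_under(rec.path, folder):
                continue
            if rec.signer == "":
                findings.append((rec.path, "unsigned executable in excluded folder"))
            elif rec.signer not in expected_signers:
                findings.append((rec.path, f"unexpected signer '{rec.signer}'"))
    return findings


# Constructed inventory: "DellUpdaterSample.exe" is a placeholder name.
SAMPLE_RECORDS = [
    FileRecord(r"C:\Program Files\Dell\CommandUpdate\DellUpdaterSample.exe", "Dell Inc."),
    FileRecord(r"C:\Program Files\Dell\CommandUpdate\update.log", ""),
    FileRecord(r"C:\Program Files\Dell\CommandUpdate\svchost.dll", ""),
    FileRecord(r"C:\Program Files\Dell\CommandUpdate\helper.exe", "Contoso Ltd"),
    FileRecord(r"C:\Windows\System32\ntoskrnl.exe", "Microsoft Windows"),
]
SAMPLE_EXCLUSIONS = {
    r"C:\Program Files\Dell\CommandUpdate": {"Dell Inc."},
    r"C:\Windows\System32": {"Microsoft Windows", "Microsoft Corporation"},
}
```

On a real host, feed it the output of a directory walk plus the configured exclusion list, and treat any finding as a file to examine rather than as proof of compromise.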