In a sophisticated cyber espionage campaign targeting European government and military institutions, hackers believed to be associated with Russian state actors have been exploiting Windows Remote Desktop Protocol (RDP) files to gain unauthorized access to systems. The Google Threat Intelligence Group (GTIG) has identified this campaign, attributing it to a group designated as UNC5837.
Beginning in October 2024, this campaign employed phishing emails containing malicious .rdp file attachments. When executed, these files initiated RDP connections from the victim’s machine to attacker-controlled servers without displaying the usual interactive session warnings. This technique, referred to as Rogue RDP by GTIG, enabled attackers to access victims’ file systems, clipboard data, and system variables under the guise of legitimate application checks.
Resource Redirection and RemoteApps
The phishing emails were crafted to appear as communications from reputable organizations such as Amazon and Microsoft. To evade security measures, the attached .rdp files were signed with valid SSL certificates, reducing the likelihood of detection. These files were configured to map resources from the victim’s machine to the attacker’s server, facilitating two primary attack vectors:
1. Drive and Clipboard Redirection: The configuration granted attackers read/write access to all victim drives, exposing file systems, environment variables, and clipboard data, including user-copied passwords. In virtual machine environments, clipboard synchronization between host and guest systems further expanded the potential for data theft.
2. Deceptive RemoteApps: Instead of presenting a full desktop session, victims encountered a windowed application labeled AWS Secure Storage Connection Stability Test. This RemoteApp, hosted entirely on attacker servers, masqueraded as a local tool while operating within the encrypted RDP session.
Notably, the attackers utilized Windows environment variables (%USERPROFILE%, %COMPUTERNAME%) as command-line arguments to the RemoteApp, enabling reconnaissance without deploying traditional malware. This approach minimized the attack’s footprint, complicating detection and analysis efforts.
Potential Use of PyRDP
GTIG also highlighted the potential use of an RDP proxy tool like PyRDP, which could automate tasks such as file exfiltration, clipboard capture, and session hijacking. While direct evidence linking PyRDP to this specific campaign is lacking, its capabilities align with the observed attack vectors:
– Credential Theft: Capturing credentials used to authenticate to RDP servers.
– Clipboard Monitoring: Intercepting clipboard content, which may include sensitive information like passwords.
– Command Execution: Executing commands on the RDP server, potentially leading to further system compromise.
Defensive Measures
Detecting such attacks is challenging due to limited native logging. However, organizations can monitor for key indicators, including:
– Registry Artifacts: Presence of attacker IPs and usernames in `HKEY_USERS\…\Terminal Server Client\Servers`.
– Temporary Files: MSTSC-generated .tmp files located in `%APPDATA%\Local\Temp`.
– Suspicious Processes: Unusual processes initiated by the RDP client.
To mitigate the risk of such attacks, organizations should implement the following measures:
– Email Filtering: Deploy robust email filtering tools to identify and block malicious attachments.
– User Education: Educate users to exercise caution when handling email attachments, especially those from unknown sources.
– Disable Shortcut Execution: Consider disabling the execution of shortcut files (.lnk) received via email.
– Monitor User Account Control (UAC): Regularly review UAC settings for unauthorized changes.
– Enhance RDP Security: Strengthen RDP security by enabling Network Level Authentication (NLA) and implementing multi-factor authentication (MFA).
By proactively securing remote access protocols and educating users on potential threats, organizations can reduce the risk of unauthorized access and data breaches.
