Espionage Campaign Mainly Targeted European Organizations

A Russian nation-state threat actor exploited “lesser known” features of Microsoft Windows Remote Desktop Protocol (RDP) to target European organizations for espionage.
Google Threat Intelligence Group on Monday said a Russian nation state group it tracks as UNC5837 was observed using the feature for reading victim drives, stealing files and capturing clipboard data.
“Unlike typical RDP attacks focused on interactive sessions, this campaign creatively leveraged resource redirection. Evidence suggests this campaign may have involved the use of an RDP proxy tool like PyRDP to automate malicious activities,” Google said in an update on the campaign, first disclosed by Amazon in October 2024.
The campaign used two “lesser known” RDP features: RDP as a way to deploy a malicious application, and RDP as a way to access data on victim machines. The hackers mainly targeted European government and military organizations, Google said.
The attacks began with the hackers sending victims phishing emails about projects related to Amazon, Microsoft and the Ukrainian State Secure Communications and Information Security Agency.
“The email included a signed .rdp file attachment purporting to be an application relevant to the described project,” Google said.
When a victim opened the file, an RDP connection was established from the victim’s machine to the hackers’ command-and-control server. The .rdp file was signed with a web certificate, which helped the attackers evade detection, Google said.
In the next stage of the attacks, the hackers deployed a malicious app disguised as an “AWS Secure Storage Connection Stability Test” on the infected devices. Google is unclear about the exact purpose of the app but said it was likely used for phishing or to trick victims into enabling the file.
Once the file was enabled, the hackers obtained read and write access to the victim devices, allowing them to steal files and capture clipboard data. Google estimates the hackers may have used PyRDP, an open-source RDP proxy tool, for automation, potentially including the theft of hashed passwords.
“This campaign once again underscores how readily available red teaming tools intended for education purposes are weaponized by malicious actors with harmful intentions,” Google added.
To prevent further attacks using RDP, Google recommends limiting file read activity on Windows devices, blocking outgoing RDP traffic to public IP addresses at the network level, and blocking .rdp file extensions in email attachments.
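As an added example (not code from Google’s report or from this article), here is how a mail gateway or triage script could flag the .rdp attachment pattern described above: it parses the plain-text key:type:value settings of an .rdp file, reports resource-redirection settings (drives, clipboard) and a connection target on a public IP, and notes that a signature is present. The sample file and its IP address are constructed for this example.

```python
import ipaddress
import re

# Constructed sample .rdp attachment modelled on the campaign above:
# all drives and the clipboard are redirected to a public host. Not a real sample.
SAMPLE_RDP = """\
full address:s:45.45.45.45
drivestoredirect:s:*
redirectclipboard:i:1
signscope:s:Full Address,Drive Store Direct
signature:s:AQABAAEAAABDT05TVFJVQ1RFRA==
"""

# Real .rdp settings that hand victim resources to the remote server
# ("resource redirection", the feature the campaign abused).
REDIRECTION_KEYS = {
    "drivestoredirect": "drive redirection (remote server can read victim drives)",
    "redirectclipboard": "clipboard redirection",
    "redirectprinters": "printer redirection",
    "redirectsmartcards": "smart card redirection",
}

def parse_rdp(text: str) -> dict[str, str]:
    """Parse the key:type:value lines of an .rdp file into a dict (keys lowercased)."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^([^:]+):([isb]):(.*)$", line.strip())
        if m:
            settings[m.group(1).lower()] = m.group(3)
    return settings

def is_public_ip(host: str) -> bool:
    """True only for an IP literal that is globally routable (hostnames return False)."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return False

def assess_rdp(text: str) -> list[str]:
    """Return findings explaining why an .rdp attachment should be blocked or reviewed."""
    s = parse_rdp(text)
    findings = []
    host = s.get("full address", "").split(":")[0]  # drop :port (IPv4/hostname only)
    if is_public_ip(host):
        findings.append(f"outbound RDP to public IP {host}")
    for key, why in REDIRECTION_KEYS.items():
        val = s.get(key, "")
        if val and val != "0":  # e.g. drivestoredirect:s:* or redirectclipboard:i:1
            findings.append(f"{key}={val}: {why}")
    if "signature" in s:
        findings.append("file is signed (a valid signature does not make it safe)")
    return findings
```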