APT29 hackers target high-value victims with fake RDP and PyRDP servers

December 18, 2024 | Ravi Lakshmanan | Cyber espionage / malware

Russia-linked threat actor APT29 has been seen repurposing legitimate red teaming attack methodology as part of cyberattacks using malicious Remote Desktop Protocol (RDP) configuration files.

The activity, which targets governments and armed forces, think tanks, academic researchers, and Ukrainian organizations, adopts the “rogue RDP” method that Black Hills Information Security first documented in 2022, a Trend Micro report says.

“A victim of this technique would give partial control of their machine to an attacker, potentially leading to data leakage and the installation of malware,” researchers Feike Hacquebord and Stephen Hilt said.


The cybersecurity company tracks the threat group under its own alias, Earth Koshchei, and says preparations for the campaign began as early as August 7-8, 2024. The RDP campaigns were also highlighted by the Computer Emergency Response Team of Ukraine (CERT-UA), Microsoft, and Amazon Web Services (AWS) back in October.

The phishing emails were designed to trick recipients into running a malicious RDP configuration file attached to the message, causing their machines to connect to a foreign RDP server through one of the group’s 193 RDP relays. An estimated 200 known victims were targeted in a single day, indicating the scale of the campaign.

The attack method outlined by Black Hills involves placing an open source project called PyRDP (described as a Python-based “Monster-in-the-Middle (MitM) tool and library”) in front of the actual adversary-controlled RDP server to minimize the risk of detection.

Thus, when a victim opens the RDP file, codenamed HUSTLECON, attached to an email, it initiates an outbound RDP connection to the PyRDP relay, which then redirects the session to the malicious server.

“Once a connection is established, the fake server mimics the behavior of a legitimate RDP server and uses the session to perform various malicious activities,” the researchers said. “The primary attack vector involves the attacker deploying malicious scripts or modifying system settings on the victim’s machine.”

To top it all off, the PyRDP proxy allows an attacker to gain access to the victim’s systems, perform file operations, and inject malicious payloads. The attack culminates in the threat actor using a compromised RDP session to steal sensitive data, including credentials and other private information, via a proxy server.

What’s unique about this attack is that data collection is facilitated through a malicious configuration file without the need to deploy custom malware, allowing the threat actors to fly under the radar.


Another characteristic worth mentioning is the use of anonymization layers such as Tor exit nodes to manage the RDP servers, as well as residential proxy providers and commercial VPN services to access the legitimate mail servers that were used to send the phishing emails.

“Tools like PyRDP enhance the attack by allowing RDP connections to be intercepted and manipulated,” the researchers added. “PyRDP can automatically scan shared drives redirected by the victim and store their contents locally on the attacker’s machine, facilitating seamless data exfiltration.”
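Because the whole technique rides on a plain .rdp configuration file rather than custom malware, the attachment itself is the artifact a defender can inspect. The following triage script is an added example and is not code from the article, Trend Micro, Black Hills or the PyRDP project. It parses the Microsoft .rdp setting format (one `key:type:value` per line) and flags the settings the rogue-RDP method depends on: an outbound `full address` outside an organisation allowlist, drive, clipboard, printer and smart-card redirection, and RemoteApp or alternate-shell launch entries. The allowlist suffix, the sample files and the lure program name are constructed placeholders.

```python
"""Triage helper for suspicious .rdp attachments (added example; the allowlist,
sample files and lure name below are constructed, not from the campaign)."""

from __future__ import annotations
from dataclasses import dataclass

# Constructed allowlist: DNS suffixes of hosts staff legitimately RDP into.
TRUSTED_HOST_SUFFIXES = (".corp.example",)

# Real .rdp keys that expose local resources to the remote side.
REDIRECT_KEYS = {
    "drivestoredirect": "local drives shared with the remote server",
    "redirectclipboard": "clipboard shared with the remote server",
    "redirectprinters": "printers shared with the remote server",
    "redirectsmartcards": "smart cards shared with the remote server",
    "redirectcomports": "COM ports shared with the remote server",
}
# Real .rdp keys that make the session start a program the remote side chooses.
LAUNCH_KEYS = ("remoteapplicationmode", "remoteapplicationprogram", "alternate shell")


@dataclass(frozen=True)
class Finding:
    key: str
    value: str
    reason: str


def parse_rdp(text: str) -> dict[str, str]:
    """Parse 'key:type:value' lines into a dict; keys are case-insensitive."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(":", 2)  # value may itself contain ':' (host:port)
        if len(parts) != 3:
            continue  # malformed line, ignore rather than crash on a lure
        key, _type, value = parts
        settings[key.strip().lower()] = value.strip()
    return settings


def is_trusted_host(address: str) -> bool:
    """Strip an optional :port (and IPv6 brackets) and check the allowlist."""
    if address.startswith("["):
        host = address[1:address.index("]")] if "]" in address else address
    else:
        host = address.split(":", 1)[0]
    return host.lower().endswith(TRUSTED_HOST_SUFFIXES)


def triage(text: str) -> list[Finding]:
    """Return every risky setting found in the .rdp text."""
    s = parse_rdp(text)
    findings: list[Finding] = []
    addr = s.get("full address", "")
    if addr and not is_trusted_host(addr):
        findings.append(Finding("full address", addr,
                                "outbound RDP to a host outside the allowlist"))
    for key, reason in REDIRECT_KEYS.items():
        val = s.get(key, "")
        # drivestoredirect is a string: '*' or a drive list shares drives,
        # empty or '0' shares nothing; the other keys are 0/1 integers.
        enabled = val not in ("", "0") if key == "drivestoredirect" else val == "1"
        if enabled:
            findings.append(Finding(key, val, reason))
    for key in LAUNCH_KEYS:
        val = s.get(key, "")
        if val not in ("", "0"):
            findings.append(Finding(key, val, "session launches a remote-chosen program"))
    return findings


def verdict(text: str) -> str:
    """block = untrusted host AND resource exposure; review = either; allow = neither."""
    findings = triage(text)
    untrusted = any(f.key == "full address" for f in findings)
    exposes = any(f.key != "full address" for f in findings)
    if untrusted and exposes:
        return "block"
    return "review" if findings else "allow"


# Constructed sample resembling a rogue-RDP lure: external relay, all drives shared.
SAMPLE_LURE = """\
screen mode id:i:2
full address:s:rdp-relay.example.invalid:3389
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
remoteapplicationmode:i:1
remoteapplicationprogram:s:||Placeholder_Lure_App
prompt for credentials:i:0
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LURE):
        print(f"{f.key} = {f.value!r}: {f.reason}")
    print("verdict:", verdict(SAMPLE_LURE))
```

The verdict deliberately treats redirection to an allowlisted terminal server as "review" rather than "block", since clipboard redirection is on by default in mstsc; the combination that matters for this campaign is an unknown host plus shared drives, which is exactly what PyRDP harvests.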

“Earth Koshchei uses new methodologies for its espionage campaigns over time. Not only do they pay close attention to old and new vulnerabilities that help them gain initial access, but they also look at the methodologies and tools that red teams develop.”
