The Google Threat Intelligence Group (GTIG) has unearthed a novel phishing campaign leveraging Windows Remote Desktop Protocol (.RDP) files to facilitate unauthorized remote access.
Dubbed “Rogue RDP,” this campaign specifically targeted European government and military organizations in late 2024.
The operation is attributed to a suspected Russia-nexus espionage group, UNC5837, indicating an advanced level of technical sophistication.
This attack showcases new levels of RDP abuse, where signed .RDP files were weaponized to connect victim machines to attacker-controlled systems.
Exploiting RDP features like resource redirection and RemoteApp, the attackers aimed to steal sensitive data and manipulate user behavior without the need for direct control over victim machines.
Unlike conventional RDP attacks focused on interactive control, this campaign exploited lesser-known RDP features.
By embedding malicious configurations into signed .RDP files, attackers bypassed initial security prompts and redirected victim file systems and clipboard data to attacker-controlled servers.
The files, disguised as project-related attachments, were distributed via phishing emails, purportedly from respected organizations like Amazon or Microsoft.
Victims unknowingly initiated RDP connections upon executing these files, mapping their system resources to the attackers.
The campaign also employed RemoteApp, presenting a seemingly innocuous application, “AWS Secure Storage Connection Stability Test,” to victims.
This deceptive setup allowed attackers to exfiltrate files, capture clipboard contents, and gather environment variables while maintaining low forensic visibility.
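As an added illustration (not code from the GTIG report or from this article), the following Python script parses an .RDP file's `key:type:value` settings and flags the features the campaign relied on: drive and clipboard redirection, RemoteApp mode, a signature block, and a connection target outside an allowlist of known corporate RDP hosts. The sample file, the host name `storage-test.example.invalid`, the program path and the signature bytes are constructed placeholders; the setting names (`full address`, `drivestoredirect`, `redirectclipboard`, `remoteapplicationmode`, `signature`) are standard mstsc settings.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample .RDP file modelled on the settings the article describes:
# drive and clipboard redirection, RemoteApp mode and a signature block.
# Host name, program path and signature bytes are placeholders, not real IoCs.
SAMPLE_RDP = """\
full address:s:storage-test.example.invalid:3389
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:0
remoteapplicationmode:i:1
remoteapplicationname:s:AWS Secure Storage Connection Stability Test
remoteapplicationprogram:s:||StabilityTest
signscope:s:Full Address,Drives To Redirect,Redirect Clipboard,RemoteApplicationMode
signature:s:AQABAAEAAABPLACEHOLDER
"""

Setting = Tuple[str, str]  # (type letter, raw value)


def parse_rdp(text: str) -> Dict[str, Setting]:
    """Parse mstsc 'key:type:value' lines into {key: (type, value)}.

    Values may themselves contain ':' (host:port), so split at most twice.
    Keys are lower-cased because mstsc treats them case-insensitively."""
    settings: Dict[str, Setting] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)
        if len(parts) != 3 or parts[1] not in ("s", "i", "b"):
            continue  # not a well-formed setting line; ignore it
        key, typ, value = parts
        settings[key.strip().lower()] = (typ, value)
    return settings


def target_host(settings: Dict[str, Setting]) -> str:
    """Return the host part of 'full address' without the port."""
    addr = settings.get("full address", ("s", ""))[1].strip()
    if addr.startswith("["):  # IPv6 literal such as [2001:db8::1]:3389
        return addr.split("]", 1)[0].lstrip("[")
    return addr.rsplit(":", 1)[0] if ":" in addr else addr


def assess_rdp(settings: Dict[str, Setting], allowed_hosts: Set[str]) -> List[str]:
    """List the risky features present in a parsed .RDP file."""
    findings: List[str] = []
    host = target_host(settings).lower()
    if host and host not in allowed_hosts:
        findings.append(f"connects to non-allowlisted host {host!r}")
    drives = settings.get("drivestoredirect", ("s", ""))[1].strip()
    if drives:  # '*' maps every local drive into the remote session
        findings.append(f"drive redirection enabled (drivestoredirect={drives!r})")
    if settings.get("redirectclipboard", ("i", "0"))[1].strip() == "1":
        findings.append("clipboard redirection enabled")
    if settings.get("remoteapplicationmode", ("i", "0"))[1].strip() == "1":
        name = settings.get("remoteapplicationname", ("s", ""))[1]
        findings.append(f"RemoteApp mode enabled (remoteapplicationname={name!r})")
    if "signature" in settings:
        # A signed file avoids the unsigned-file warning banner, so the signer matters.
        findings.append("signed file: verify the signing certificate and its issuer")
    return findings


def is_high_risk(settings: Dict[str, Setting], allowed_hosts: Set[str]) -> bool:
    """High risk = connects outside the allowlist AND exposes local resources."""
    findings = assess_rdp(settings, allowed_hosts)
    outside = any(f.startswith("connects to non-allowlisted") for f in findings)
    exposes = any(f.startswith(("drive redirection", "clipboard redirection", "RemoteApp"))
                  for f in findings)
    return outside and exposes


if __name__ == "__main__":
    parsed = parse_rdp(SAMPLE_RDP)
    for finding in assess_rdp(parsed, {"rdp.corp.example"}):
        print("-", finding)
    print("high risk:", is_high_risk(parsed, {"rdp.corp.example"}))
```

The allowlist is the key design choice: a mail gateway or endpoint agent can strip or quarantine .RDP attachments whose `full address` is not one of the organisation's own gateways, which is a cheaper control than reasoning about each redirection flag individually.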
Although not definitively linked to the operation, the open-source RDP proxy tool, PyRDP, is suspected to have been utilized to automate activities like session recording, file crawling, and clipboard capture.
PyRDP, designed for offensive security training, can also intercept NTLM hashes and enable session takeover.
Its capabilities align with the campaign’s methodologies, making it an attractive tool for such operations.
The campaign demonstrated exceptional tradecraft, leaving limited artifacts for forensic analysis.
While there was no observed execution of direct commands on victim machines, the attackers gained significant advantages through RDP’s resource redirection.
According to the report, clipboard data (including potential passwords) and mapped drives were exploited, enabling discreet espionage activities.
The advanced use of signed .RDP files also played a pivotal role. The attackers utilized Let’s Encrypt certificates to sign files, eliminating the usual warning banners associated with unsigned files and enhancing credibility.
This added layer of deception underscores the importance of scrutinizing digital signatures and certificate authorities.
Organizations are urged to implement network-level RDP restrictions, disable resource redirection, and enforce strict group policies on .RDP file execution.
Measures like blocking unsigned RDP files and monitoring for unusual configurations can also mitigate risks.
Enhanced logging, employing tools like Sysmon, can provide better visibility into suspicious activities, such as file operations originating from mstsc.exe.
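To make the monitoring advice above concrete, here is an added example (not from the article or from Google) that triages Sysmon events for mstsc.exe activity: process creation where an .rdp file is opened from a user-writable directory (Event ID 1), network connections to RDP destinations outside an allowlist (Event ID 3), and file creation by mstsc.exe (Event ID 11). The five events, host names, paths and IP addresses are constructed samples in the shape of Sysmon's XML; the allowlist of gateway addresses is an assumption you would replace with your own.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Set, Tuple

# Constructed Sysmon events (ProcessCreate=1, NetworkConnect=3, FileCreate=11)
# in the shape of real Sysmon XML. Paths and addresses are placeholders.
SAMPLE_SYSMON = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1</EventID></System>
  <EventData>
    <Data Name="Image">C:\Windows\System32\mstsc.exe</Data>
    <Data Name="CommandLine">"C:\Windows\System32\mstsc.exe" "C:\Users\alice\Downloads\project_docs.rdp"</Data>
    <Data Name="ParentImage">C:\Windows\explorer.exe</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>3</EventID></System>
  <EventData>
    <Data Name="Image">C:\Windows\System32\mstsc.exe</Data>
    <Data Name="DestinationIp">203.0.113.10</Data>
    <Data Name="DestinationPort">3389</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>3</EventID></System>
  <EventData>
    <Data Name="Image">C:\Windows\System32\mstsc.exe</Data>
    <Data Name="DestinationIp">10.0.0.5</Data>
    <Data Name="DestinationPort">3389</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>11</EventID></System>
  <EventData>
    <Data Name="Image">C:\Windows\System32\mstsc.exe</Data>
    <Data Name="TargetFilename">C:\Users\alice\AppData\Local\Temp\rdpcache.bin</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>11</EventID></System>
  <EventData>
    <Data Name="Image">C:\Windows\System32\notepad.exe</Data>
    <Data Name="TargetFilename">C:\Users\alice\notes.txt</Data>
  </EventData>
</Event>
</Events>
"""

# Directories from which a phished .rdp attachment is typically opened (assumed list).
SUSPECT_DIRS = ("\\downloads\\", "\\temp\\", "\\inetcache\\", "\\outlook\\")


def _local(tag: str) -> str:
    """Strip the XML namespace prefix from an element tag."""
    return tag.rsplit("}", 1)[-1]


def parse_sysmon(xml_text: str) -> List[Dict[str, str]]:
    """Flatten each <Event> into {'EventID': ..., <Data Name>: text, ...}."""
    events: List[Dict[str, str]] = []
    for ev in ET.fromstring(xml_text).iter():
        if _local(ev.tag) != "Event":
            continue
        fields: Dict[str, str] = {}
        for node in ev.iter():
            name = _local(node.tag)
            if name == "EventID":
                fields["EventID"] = (node.text or "").strip()
            elif name == "Data" and node.get("Name"):
                fields[node.get("Name")] = (node.text or "").strip()
        events.append(fields)
    return events


def triage(xml_text: str, allowed_destinations: Set[str]) -> List[Tuple[str, str]]:
    """Return (EventID, reason) pairs for mstsc.exe activity worth a closer look."""
    alerts: List[Tuple[str, str]] = []
    for ev in parse_sysmon(xml_text):
        if not ev.get("Image", "").lower().endswith("\\mstsc.exe"):
            continue
        eid = ev.get("EventID", "")
        if eid == "1":
            cmd = ev.get("CommandLine", "").lower()
            if ".rdp" in cmd and any(d in cmd for d in SUSPECT_DIRS):
                alerts.append((eid, "mstsc.exe opened an .rdp file from a user-writable directory: "
                               + ev.get("CommandLine", "")))
        elif eid == "3":
            dest = ev.get("DestinationIp", "")
            if dest not in allowed_destinations:
                alerts.append((eid, f"mstsc.exe connected to non-allowlisted "
                                    f"{dest}:{ev.get('DestinationPort', '?')}"))
        elif eid == "11":
            alerts.append((eid, "mstsc.exe wrote a file: " + ev.get("TargetFilename", "")))
    return alerts


if __name__ == "__main__":
    for event_id, reason in triage(SAMPLE_SYSMON, {"10.0.0.5"}):
        print(f"[Sysmon {event_id}] {reason}")
```

File creation by mstsc.exe is not rare on its own (the client keeps a bitmap cache), so in production the Event ID 11 rule is best correlated with the Event ID 1 or 3 hits from the same host rather than alerted on alone.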
According to Google, this campaign highlights the evolving threat landscape, where attackers recycle existing tools and techniques in innovative ways.
The use of RDP features for espionage purposes demonstrates the need for vigilance and proactive security measures.
As adversaries continue to weaponize legitimate systems, understanding and preparing for unconventional attack vectors like “Rogue RDP” is essential to strengthening enterprise defenses.