A phishing campaign targeting European government and military organizations was observed in October 2024 and attributed to UNC5837, a suspected Russian espionage group. The attack used signed .rdp file attachments to establish Remote Desktop Protocol (RDP) connections, enabling the adversaries to redirect victim resources and capture sensitive data without executing commands directly on victim machines. This operation exemplifies the security risks associated with RDP and highlights the need for enhanced vigilance and defensive measures. Affected: European government organizations, military organizations, Ukrainian organizations.
Key points:
- Google Threat Intelligence Group reported a phishing campaign in October 2024 targeting government and military entities.
- The campaign employed .rdp file attachments signed with a Let’s Encrypt certificate to bypass security warnings.
- The campaign leveraged lesser-known RDP features, such as resource redirection and RemoteApps, for espionage and file theft.
- Adversaries could read victim drives, steal files, and capture clipboard data including passwords.
- The campaign may have utilized an RDP proxy tool like PyRDP for automating malicious activities.
- The use of deceptive applications allowed attackers to present phishing opportunities without direct command execution on victims’ machines.
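The key points above describe a file format rather than an exploit: a .rdp attachment is a plain-text list of `name:type:value` settings, and the danger lies in which settings it enables (drive, clipboard and device redirection toward the remote host, and RemoteApp mode) plus the presence of a signature that suppresses the client's usual warning. The following triage helper is an added example written for this summary; it is not code from the report or from the referenced Google blog post. It parses a .rdp file and flags those settings so an analyst can score attachments before anyone opens them. The setting names are standard RDP-file keys; the two sample files and the hostnames in them are constructed for the demonstration.

```python
"""Static triage of .rdp attachments (added example, not from the report).

Parses the 'name:type:value' lines of a .rdp file and flags the client-side
settings the campaign summary describes: drive/clipboard/device redirection
(the remote host can read victim resources) and RemoteApp mode (an
attacker-chosen application is presented instead of a desktop). It also
records whether a 'signature:s:' field is present, because a signed file
does not trigger the normal client warning. Sample files are constructed.
"""
from __future__ import annotations

# Setting name -> (predicate on the raw value, why a match matters to the client)
RISKY_SETTINGS = {
    "drivestoredirect": (lambda v: v != "", "local drives are mapped into the remote session"),
    "devicestoredirect": (lambda v: v != "", "plug-and-play devices are redirected"),
    "redirectclipboard": (lambda v: v == "1", "clipboard (including pasted passwords) is shared"),
    "redirectsmartcards": (lambda v: v == "1", "smart cards are exposed to the remote host"),
    "redirectprinters": (lambda v: v == "1", "local printers are exposed to the remote host"),
    "remoteapplicationmode": (lambda v: v == "1", "connection launches a RemoteApp rather than a desktop"),
}


def parse_rdp(text: str) -> dict[str, tuple[str, str]]:
    """Return {setting_name: (type_letter, value)} for every well-formed line.

    Names are lower-cased and the value keeps any further colons, so
    'full address:s:host:3389' parses to ('s', 'host:3389'). Blank or
    malformed lines are skipped rather than treated as an error.
    """
    settings: dict[str, tuple[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue
        name, kind, value = parts
        settings[name.strip().lower()] = (kind.strip(), value.strip())
    return settings


def assess_rdp(text: str) -> dict:
    """Summarise the client-side exposure a .rdp file would create.

    Returns the target host, the RemoteApp program (if any), whether the file
    carries a signature, the flagged settings with reasons, and a risk label:
    'high' when any redirection or RemoteApp setting is active, else 'low'.
    """
    settings = parse_rdp(text)
    flagged = []
    for name, (matches, reason) in RISKY_SETTINGS.items():
        if name in settings and matches(settings[name][1]):
            flagged.append((name, settings[name][1], reason))
    return {
        "target": settings.get("full address", (None, None))[1],
        "remoteapp": settings.get("remoteapplicationprogram", (None, None))[1],
        "signed": "signature" in settings and settings["signature"][1] != "",
        "flagged": flagged,
        "risk": "high" if flagged else "low",
    }


# Constructed sample in the shape of the campaign's attachment: signed, with
# drive/clipboard/smart-card redirection and a RemoteApp launch. The host,
# program name and signature value are placeholders, not real indicators.
SUSPICIOUS_SAMPLE = """\
full address:s:rdp-gateway.example.invalid:3389
drivestoredirect:s:*
redirectclipboard:i:1
redirectsmartcards:i:1
remoteapplicationmode:i:1
remoteapplicationprogram:s:||ConstructedRemoteApp
signscope:s:Full Address
signature:s:AQABAAEA...constructed-placeholder-signature...
"""

# Constructed sample of an ordinary unsigned connection with redirection off.
BENIGN_SAMPLE = """\
full address:s:desktop01.corp.example.invalid
redirectclipboard:i:0
drivestoredirect:s:
remoteapplicationmode:i:0
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        report = assess_rdp(sample)
        print(f"[{label}] target={report['target']} signed={report['signed']} risk={report['risk']}")
        for name, value, reason in report["flagged"]:
            print(f"  {name}={value!r}: {reason}")
```

The check treats a valid signature as a fact to record, not as evidence of safety: as the summary notes, the signing certificate only determines whether the client shows a warning, so a signed file with full drive and clipboard redirection should score higher, not lower. In a mail gateway the same logic applies before delivery; on the endpoint, the corresponding hardening is to disallow `.rdp` attachments from running at all or to enforce the redirection settings centrally via Group Policy rather than trusting per-file values.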
MITRE Techniques:
- T1076 – Remote Desktop Protocol (RDP) (deprecated in ATT&CK; superseded by T1021.001) – The adversaries used signed .rdp files to establish connections to victim machines, allowing them to redirect resources.
- T1021.001 – Remote Services: Remote Desktop Protocol (RDP) – RemoteApps were used to present attacker-controlled applications to victims.
- T1041 – Exfiltration Over Command and Control Channel – File exfiltration was likely facilitated via the established RDP connection.
- T1497 – Virtualization/Sandbox Evasion – The use of RDP tools that can manipulate the connection without direct interaction may have included methods to evade detection.
Indicators of Compromise:
- [File] .rdp file with SHA256: ba4d58f2c5903776fe47c92a0ec3297cc7b9c8fa16b3bf5f40b46242e7092b46
- [Domain] eu-southeast-1-aws[.]govtr[.]cloud
- [Domain] eu-north-1-aws[.]ua-gov[.]cloud
- [Certificate] Let’s Encrypt certificate used to sign the .rdp file
- [Email lure] Phishing emails referencing collaboration with Amazon, Microsoft, and Ukrainian agencies
Full Story: https://cloud.google.com/blog/topics/threat-intelligence/windows-rogue-remote-desktop-protocol/