Russian hackers target European government and military orgs

The Google Threat Intelligence Group (GTIG) has uncovered a phishing campaign targeting government and military organizations across Europe. The campaign is attributed to a suspected Russia-based espionage group tracked as UNC5837. The attackers used signed Remote Desktop Protocol (RDP) file attachments: when opened, the .rdp file makes the victim's own Remote Desktop client connect outbound to an attacker-controlled server, so the attacker never needs to run an implant on the victim host.

The attackers relied on built-in RDP features, resource redirection and RemoteApp, rather than malware. Resource redirection lets the remote end of the session reach the client's local drives and clipboard, which allowed the intruders to browse and copy the victim's file systems from their own servers; RemoteApp lets the server push an application window that appears on the victim's desktop as if it were a locally installed program.

The operation appears to be the latest in a series of espionage campaigns aimed at stealing sensitive data from high-value targets, with a focus on file exfiltration and intelligence gathering. The threat actors likely placed an RDP proxy tool such as PyRDP between the victim and the server to automate malicious actions, including capturing clipboard data, collecting files from redirected drives, and obtaining the victim's environment variables. This approach, known in the security community as 'Rogue RDP', gives the attacker substantial access to the compromised system without executing any code on it.

The campaign was first reported by the Computer Emergency Response Team of Ukraine (CERT-UA) on October 29, 2024. According to CERT-UA, the campaign involved mass-distributed phishing emails targeting government agencies and other Ukrainian organizations. The emails, which appeared to be related to a collaboration between Amazon, Microsoft, and the Ukrainian State Secure Communications and Information Security Agency, contained a signed RDP file attachment designed to initiate a connection to the attacker’s remote server. The emails falsely assured recipients that no personal data would be requested and that any errors generated by running the attachment should be ignored.

The .rdp file, when opened, initiated a remote connection that exposed the victim's drives and clipboard content to the attacker's server. The file was signed with a Let's Encrypt certificate issued to the domain used in the RDP connection; such a signature proves only control of that domain, and it suppresses the unsigned-file warning without saying anything about the remote host's intent. In addition, the RDP configuration file enabled the RemoteApp feature, which presented a seemingly legitimate application titled 'AWS Secure Storage Connection Stability Test'. The fake application was hosted on the attacker's server and appeared on the victim's machine as if it were a locally installed program.
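The settings described above (outbound connection to a remote host, drive and clipboard redirection, RemoteApp mode, and a signature block) are all plain-text lines in the .rdp file itself, so a mail gateway or endpoint tool can triage an attachment before anyone opens it. The following is an added example written for this article, not code from GTIG, CERT-UA or PyRDP. The sample file, its host name, RemoteApp alias and signature value are constructed placeholders, not indicators from the campaign, and the `trusted_hosts` allowlist is an assumed input an organisation would supply.

```python
"""Triage a .rdp attachment for Rogue RDP characteristics.

Added example for illustration; the sample content below is constructed and
the host name is a placeholder, not an indicator from the article.
"""
from __future__ import annotations

import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample, not the campaign's real file.
SAMPLE_RDP = """\
full address:s:rdp.placeholder-attacker.example:3389
drivestoredirect:s:*
redirectclipboard:i:1
remoteapplicationmode:i:1
remoteapplicationname:s:AWS Secure Storage Connection Stability Test
remoteapplicationprogram:s:||AwsStorageTest
signscope:s:Full Address,Drive Store Direct,Remote Application Mode
signature:s:AQABAAEAplaceholderbase64
"""

# mstsc.exe saves .rdp files as UTF-16 with a BOM, while hand-written files are
# usually ASCII/UTF-8. A detector that assumes one encoding misses the other.
def decode_rdp(data: bytes) -> str:
    if data.startswith(b"\xff\xfe") or data.startswith(b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("utf-8", errors="replace")

# Each line is "key:type:value"; type is s (string), i (integer) or b (binary).
LINE_RE = re.compile(r"^(?P<key>[^:]+):(?P<type>[sib]):(?P<value>.*)$")

def parse_rdp(text: str) -> Dict[str, Tuple[str, str]]:
    """Return {key: (type, value)}; mstsc treats keys case-insensitively."""
    settings: Dict[str, Tuple[str, str]] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            settings[m["key"].strip().lower()] = (m["type"], m["value"].strip())
    return settings

def _int(settings: Dict[str, Tuple[str, str]], key: str, default: int) -> int:
    _, value = settings.get(key, ("i", str(default)))
    try:
        return int(value)
    except ValueError:
        return default

def assess_rdp(settings: Dict[str, Tuple[str, str]],
               trusted_hosts: Iterable[str] = ()) -> List[str]:
    """List the properties that make a .rdp file worth blocking or reviewing."""
    findings: List[str] = []
    host = settings.get("full address", ("s", ""))[1].split(":")[0].lower()
    if host and host not in {h.lower() for h in trusted_hosts}:
        findings.append(f"connects to host outside the allowlist: {host!r}")
    drives = settings.get("drivestoredirect", ("s", ""))[1]
    if drives:  # "*" means every local drive is reachable from the remote side
        findings.append(f"drive redirection enabled ({drives!r})")
    # mstsc redirects the clipboard by default, so an absent line still means on.
    if _int(settings, "redirectclipboard", 1) == 1:
        findings.append("clipboard redirection enabled")
    if _int(settings, "remoteapplicationmode", 0) == 1:
        name = settings.get("remoteapplicationname", ("s", ""))[1]
        findings.append(f"RemoteApp mode: remote program presented as {name!r}")
    if "signature" in settings:
        scope = settings.get("signscope", ("s", ""))[1] or "unspecified"
        findings.append(f"signed file (scope: {scope}); signature proves "
                        "publisher identity only, not intent")
    return findings

def scan_rdp_bytes(data: bytes, trusted_hosts: Iterable[str] = ()) -> List[str]:
    """Convenience wrapper: raw attachment bytes in, findings out."""
    return assess_rdp(parse_rdp(decode_rdp(data)), trusted_hosts)

if __name__ == "__main__":
    for line in scan_rdp_bytes(SAMPLE_RDP.encode("utf-16")):
        print("-", line)
```

A file that hits the drive-redirection, RemoteApp and off-allowlist checks at once is the profile this article describes and is a reasonable candidate for quarantine regardless of whether it is signed. On the client side, the Remote Desktop Connection Client group policies for .rdp files from unknown and from valid publishers, together with a trusted-publisher thumbprint list, control which signed files open without a prompt; a publicly issued certificate for an attacker's own domain satisfies "valid publisher", so that policy alone is not a defence.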

While not fully confirmed, it is suspected that the attack involved PyRDP, an open-source RDP proxy tool, which could automate the malicious activities such as exfiltrating sensitive data and capturing clipboard contents.

“Evidence suggests this campaign may have involved the use of an RDP proxy tool like PyRDP to automate malicious activities like file exfiltration and clipboard capture,” Google said noting that the technique has been previously dubbed as “Rogue RDP.”
