The Russia-linked APT29 threat actor has been observed repurposing a legitimate red teaming attack methodology as part of cyber attacks leveraging malicious Remote Desktop Protocol (RDP) configuration files.
The activity, which has targeted governments and armed forces, think tanks, academic researchers, and Ukrainian entities, entails adopting a “rogue RDP” technique that was previously documented by Black Hills Information Security in 2022, Trend Micro said in a report.
“A victim of this technique would give partial control of their machine to the attacker, potentially leading to data leakage and malware installation,” researchers Feike Hacquebord and Stephen Hilt said.
The cybersecurity company is tracking the threat group under its own moniker Earth Koshchei, stating preparations for the campaign began as early as August 7-8, 2024. The RDP campaigns were also spotlighted by the Computer Emergency Response Team of Ukraine (CERT-UA), Microsoft, and Amazon Web Services (AWS) back in October.
The spear-phishing emails were designed to deceive recipients into launching a malicious RDP configuration file attached to the message, causing their machines to connect to a foreign RDP server through one of the group’s 193 RDP relays. An estimated 200 high-profile victims were targeted in a single day, indicating the scale of the campaign.
The attack method outlined by Black Hill entails the use of an open-source project called PyRDP – described as a Python-based “Monster-in-the-Middle (MitM) tool and library” – in front of the actual adversary-controlled RDP server to minimize the risk of detection.
Thus, when a victim opens the RDP file, codenamed HUSTLECON, from the email message, it initiates an outbound RDP connection to the PyRDP relay, which then redirects the session to a malicious server.
“Upon establishing the connection, the rogue server mimics the behavior of a legitimate RDP server and exploits the session to carry out various malicious activities,” the researchers said. “A primary attack vector involves the attacker deploying malicious scripts or altering system settings on the victim’s machine.”
On top of that, the PyRDP proxy server enables the attacker to gain access to the victim’s systems, perform file operations, and inject malicious payloads. The attack culminates with the threat actor leveraging the compromised RDP session to exfiltrate sensitive data, including credentials and other proprietary information, via the proxy.
What’s notable about this attack is that the data collection is facilitated by means of a malicious configuration file without having to deploy any custom malware, thereby allowing the threat actors to fly under the radar.
Another characteristic that deserves a mention is the use of anonymization layers like TOR exit nodes to control the RDP servers, as well as residential proxy providers and commercial VPN services to access legitimate mail servers that were employed to send the spear-phishing emails.
“Tools like PyRDP enhance the attack by enabling the interception and manipulation of RDP connections,” the researchers added. “PyRDP can automatically crawl shared drives redirected by the victim and save their contents locally on the attacker’s machine, facilitating seamless data exfiltration.”
“Earth Koshchei uses new methodologies over time for their espionage campaigns. They not only pay close attention to old and new vulnerabilities that help them in getting initial access, but they also look at the methodologies and tools that red teams develop.”