The Russia-linked APT29 threat actor has been observed repurposing a legitimate red teaming attack methodology as part of cyber attacks leveraging malicious Remote Desktop Protocol (RDP) configuration files.
The activity, which has targeted governments and armed forces, think tanks, academic researchers, and Ukrainian entities, involves adopting a “rogue RDP” technique that was previously documented by Black Hills Information Security in 2022, Trend Micro said in a report.
“A victim of this technique would give partial control of their machine to the attacker, potentially leading to data leakage and malware installation,” researchers Feike Hacquebord and Stephen Hilt said.
The cybersecurity company is tracking the threat group under its own moniker Earth Koshchei, noting that preparations for the campaign began as early as August 7-8, 2024. The RDP campaigns were also spotlighted by the Computer Emergency Response Team of Ukraine (CERT-UA), Microsoft, and Amazon Web Services (AWS) back in October.
The spear-phishing emails were designed to deceive recipients into launching a malicious RDP configuration file attached to the message, causing their machines to connect to a foreign RDP server through one of the group’s 193 RDP relays. An estimated 200 high-profile victims were targeted in a single day, indicating the scale of the campaign.
The attack methodology outlined by Black Hills involves the use of an open-source project called PyRDP – described as a Python-based “Monster-in-the-Middle (MitM) tool and library” – in front of the actual adversary-controlled RDP server to reduce the risk of detection.
Thus, when a victim opens the RDP file, codenamed HUSTLECON, from the email message, it initiates an outbound RDP connection to the PyRDP relay, which then redirects the session to a malicious server.
“Upon establishing the connection, the rogue server mimics the behavior of a legitimate RDP server and exploits the session to carry out various malicious activities,” the researchers said. “A primary attack vector involves the attacker deploying malicious scripts or altering system settings on the victim’s machine.”
On top of that, the PyRDP proxy server enables the attacker to gain access to the victim’s systems, perform file operations, and inject malicious payloads. The attack culminates with the threat actor leveraging the compromised RDP session to exfiltrate sensitive data, including credentials and other proprietary information, via the proxy.
What’s notable about this attack is that the data collection is facilitated through a malicious configuration file without having to deploy any custom malware, thereby allowing the threat actors to fly under the radar.
Another characteristic that deserves a mention is the use of anonymization layers like TOR exit nodes to control the RDP servers, as well as residential proxy providers and commercial VPN services to access legitimate mail servers that were employed to send the spear-phishing emails.
“Tools like PyRDP enhance the attack by enabling the interception and manipulation of RDP connections,” the researchers added. “PyRDP can automatically crawl shared drives redirected by the victim and save their contents locally on the attacker’s machine, facilitating seamless data exfiltration.”
“Earth Koshchei uses new methodologies over time for their espionage campaigns. They not only pay close attention to old and new vulnerabilities that help them in getting initial access, but they also look at the methodologies and tools that red teams develop.”