What happened?
A new phishing campaign, believed to be the work of a suspected Russian state-sponsored threat actor tracked as UNC5837, has been targeting European military and government organisations, abusing lesser-known features of the Windows Remote Desktop Protocol (RDP) to gain access to victim systems.
This technique, which Google's Threat Intelligence Group (GTIG) has previously described as "Rogue RDP", relies on phishing emails carrying .rdp file attachments. When the recipient opens one, the Remote Desktop client (mstsc.exe) reads the connection settings from the file and initiates an outbound RDP connection from the victim's machine to an attacker-controlled server. The files are crafted so that the usual session warning banners do not appear, and their resource-redirection settings map the victim's local resources into the attacker's session, allowing data to be pulled from the targeted user's device silently.
The attackers have been observed sending spoofed emails purporting to be from organisations like Microsoft and Amazon.
So what?
Unlike a conventional malware attack, this technique exploits no software vulnerability. Instead, it abuses legitimate RDP features in ways their designers did not intend.
Once the outbound connection is established, resource redirection can give the attacker's server read/write access to the victim's local drives, exposing file systems, environment variables and clipboard contents, including any passwords the user has copied. Virtual machine setups compound the risk: where the clipboard is synchronised between host and guest, clipboard contents captured from one system can expose credentials for the other, giving the attacker a path for lateral movement.
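The settings that make an emailed .rdp file dangerous are ordinary mstsc.exe options: where it connects, which local resources it redirects, and whether it is signed. The following is an added example, not code from the original advisory or from GTIG: a small triage script that parses an .rdp attachment and reports the redirection and trust settings described above. The sample file, the target address, the RemoteApp name, the signature blob and the "internal" address ranges are all constructed assumptions for this example.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample .rdp attachment. The address, RemoteApp name and signature
# blob are invented for this example; the setting names are the standard ones
# mstsc.exe reads ("name:type:value", where type s=string, i=integer, b=binary).
SAMPLE_RDP = """\
full address:s:203.0.113.10:3389
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:0
remoteapplicationmode:i:1
remoteapplicationprogram:s:||StorageCheck
prompt for credentials:i:0
signscope:s:Full Address,Alternate Shell,Drives To Redirect,Redirect Clipboard
signature:s:AQABAAEAAADFAAAAMIHCBgkqhkiG9w0BBwKggbQwgbECAQExCzAJBgUrDgMCGgUA
"""

# Address ranges this (hypothetical) organisation treats as internal. Anything
# else counts as "public" for the outbound-RDP block discussed in the advisory.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

RDP_LINE = re.compile(r"^([^:]+):([sib]):(.*)$")


def parse_rdp(text: str) -> Dict[str, Tuple[str, str]]:
    """Parse an .rdp file into {setting_name: (type, value)}.

    Names are matched case-insensitively by mstsc, so they are lower-cased
    here; malformed lines are skipped, as the client itself ignores them."""
    settings: Dict[str, Tuple[str, str]] = {}
    for raw in text.splitlines():
        m = RDP_LINE.match(raw.strip())
        if m:
            settings[m.group(1).strip().lower()] = (m.group(2), m.group(3))
    return settings


def target_host(settings: Dict[str, Tuple[str, str]]) -> str:
    """Host part of 'full address' ('host', 'host:port' or '[ipv6]:port')."""
    addr = settings.get("full address", ("s", ""))[1].strip()
    m = re.match(r"^\[(.+)\](?::\d+)?$", addr)
    if m:
        return m.group(1)
    return re.sub(r":\d+$", "", addr) if addr.count(":") == 1 else addr


def outside_internal_ranges(host: str) -> Optional[bool]:
    """True if host is a literal IP outside INTERNAL_NETS, False if inside,
    None if it is a hostname (resolve it first; never trust the name alone)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None
    return not any(ip in net for net in INTERNAL_NETS)


def triage(text: str) -> List[str]:
    """Return human-readable findings for the settings that make an emailed
    .rdp file dangerous. An empty list means the file asks for nothing beyond
    a plain connection to an internal address."""
    s = parse_rdp(text)
    findings: List[str] = []

    host = target_host(s)
    ext = outside_internal_ranges(host)
    if ext is None:
        findings.append(f"target is a hostname ({host!r}); resolve it before allowing the connection")
    elif ext:
        findings.append(f"target {host} is outside internal ranges (outbound RDP to a public address)")

    # Drive redirection exposes the local file system to the remote server:
    # '*' means every drive, otherwise a ';'-separated list such as 'C:;D:'.
    drives = s.get("drivestoredirect", ("s", ""))[1].strip()
    if drives:
        findings.append(f"drive redirection enabled for: {drives}")

    if s.get("redirectclipboard", ("i", "0"))[1].strip() == "1":
        findings.append("clipboard redirection enabled (copied passwords become readable remotely)")

    if s.get("remoteapplicationmode", ("i", "0"))[1].strip() == "1":
        prog = s.get("remoteapplicationprogram", ("s", "<unspecified>"))[1]
        findings.append(f"RemoteApp mode: the server runs {prog!r} in the session, not a full desktop")

    # A signed file changes the prompt the user sees: instead of the unsigned-
    # publisher warning they get the signer's name, so the signer must be checked.
    if "signature" in s:
        findings.append("file is signed: verify who signed it rather than trusting the absence of a warning")

    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_RDP):
        print("-", finding)
```

Run against the constructed sample, the script reports all five concerns; against a file that only names an internal host it reports nothing. A hostname target is deliberately reported as "resolve first" rather than silently passed, because the attacker controls the name.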
Rather than encrypting files and demanding payment as ransomware operations do, this campaign's primary objective appears to be discreet file theft and espionage.
How can I protect myself?
This campaign serves as a reminder of the security risks associated with obscure RDP features, highlighting the need for vigilance and proactive defence.
General system hardening that blocks outbound RDP traffic from workstations to public IP addresses would mitigate this technique, since the connection is initiated from the victim's machine to the attacker's server; note that an .rdp file can specify any port in its "full address" setting, so filter on the destination address rather than on port 3389 alone. The campaign also depends on .rdp files arriving as email attachments. There are legitimate business uses for sending .rdp files, so evaluate whether your environment needs them; if it does not, blocking them at the mail gateway or in the mail client removes this attack path entirely.
Alternatively, or in addition, add a detection rule for .rdp files being written to the folder where Outlook stores opened attachments (the Outlook Secure Temp folder, under %LOCALAPPDATA%\Microsoft\Windows\INetCache\Content.Outlook\), and for mstsc.exe being launched with a file from that location.
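As an added example of that detection rule, not code from the original advisory or from GTIG, the script below runs two checks over constructed Sysmon-style events: a FileCreate (Event ID 11) for an .rdp file under Outlook's Content.Outlook folder, and the higher-confidence correlation of mstsc.exe (Event ID 1) being started with that file's path shortly afterwards. The field names (UtcTime, Image, TargetFilename, CommandLine) follow Sysmon's schema; the host, user, paths and timestamps are invented for this example.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed Sysmon-style events (EventID 11 = FileCreate, EventID 1 = ProcessCreate).
# Paths, user name and timestamps are invented for this example.
OUTLOOK_EXE = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
MSTSC_EXE = r"C:\Windows\System32\mstsc.exe"
TEMP_DIR = r"C:\Users\jdoe\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\K3X9Z2T1"

EVENTS: List[Dict[str, object]] = [
    {"EventID": 11, "UtcTime": "2025-04-08 09:12:01.123", "Image": OUTLOOK_EXE,
     "TargetFilename": TEMP_DIR + r"\Agenda.pdf"},                    # benign attachment
    {"EventID": 11, "UtcTime": "2025-04-08 09:14:30.001", "Image": OUTLOOK_EXE,
     "TargetFilename": TEMP_DIR + r"\Account Verification.rdp"},      # .rdp attachment opened
    {"EventID": 1, "UtcTime": "2025-04-08 09:14:41.500", "Image": MSTSC_EXE,
     "CommandLine": f'"{MSTSC_EXE}" "{TEMP_DIR}\\Account Verification.rdp"'},
    {"EventID": 1, "UtcTime": "2025-04-08 10:02:15.000", "Image": MSTSC_EXE,
     "CommandLine": f'"{MSTSC_EXE}" /v:rds01.corp.example'},          # normal admin use
    {"EventID": 11, "UtcTime": "2025-04-08 10:30:00.000", "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\jdoe\Downloads\lab.rdp"},           # .rdp outside Outlook's folder
]

# Outlook's Secure Temp folder: ...\INetCache\Content.Outlook\<random>\<attachment>
OUTLOOK_TEMP_RDP = re.compile(
    r"\\INetCache\\Content\.Outlook\\[^\\]+\\[^\\]+\.rdp$", re.IGNORECASE)


def _ts(event: Dict[str, object]) -> datetime:
    """Parse Sysmon's UtcTime string into a datetime."""
    return datetime.strptime(str(event["UtcTime"]), "%Y-%m-%d %H:%M:%S.%f")


def rdp_attachment_drops(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """FileCreate events for .rdp files written to Outlook's attachment folder.

    This is the low-noise signal the advisory suggests logging: users rarely
    receive .rdp files by mail, so every hit deserves a look."""
    return [e for e in events
            if e["EventID"] == 11 and OUTLOOK_TEMP_RDP.search(str(e["TargetFilename"]))]


def rdp_attachment_launches(events: List[Dict[str, object]],
                            window: timedelta = timedelta(minutes=10)) -> List[Tuple[str, str]]:
    """Higher-confidence signal: mstsc.exe started with the path of an .rdp
    attachment within `window` after Outlook wrote it, i.e. the user opened it.
    Returns (attachment path, launch time) pairs."""
    drops = rdp_attachment_drops(events)
    hits: List[Tuple[str, str]] = []
    for e in events:
        if e["EventID"] != 1 or not str(e["Image"]).lower().endswith("\\mstsc.exe"):
            continue
        cmd = str(e.get("CommandLine", "")).lower()
        for d in drops:
            path = str(d["TargetFilename"])
            if path.lower() in cmd and timedelta(0) <= _ts(e) - _ts(d) <= window:
                hits.append((path, str(e["UtcTime"])))
    return hits


if __name__ == "__main__":
    for d in rdp_attachment_drops(EVENTS):
        print("rdp attachment written:", d["TargetFilename"])
    for path, when in rdp_attachment_launches(EVENTS):
        print("rdp attachment launched by mstsc.exe at", when, ":", path)
```

The benign events (a PDF attachment, an administrator running mstsc.exe with /v: against an internal host, and an .rdp file saved to Downloads) produce no hits, so the rule can be run as an alert rather than a hunt query. For this to work in practice, the Sysmon configuration must actually record FileCreate events for .rdp files under the user's AppData tree; many baseline configurations only log a short list of extensions.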
For more information about this threat, read GTIG's post on the topic.