One Article Review

Home - The article:
Source Mandiant
Identifier 8660749
Publication date 2025-04-07 12:00:00 (viewed: 2025-04-07 15:07:08)
Title Windows Remote Desktop Protocol: Remote to Rogue
Text Written by: Rohit Nambiar
Executive Summary

In October 2024, Google Threat Intelligence Group (GTIG) observed a novel phishing campaign targeting European government and military organizations that was attributed to a suspected Russia-nexus espionage actor we track as UNC5837. The campaign employed signed .rdp file attachments to establish Remote Desktop Protocol (RDP) connections from victims' machines. Unlike typical RDP attacks focused on interactive sessions, this campaign creatively leveraged resource redirection (mapping victim file systems to the attacker servers) and RemoteApps (presenting attacker-controlled applications to victims). Evidence suggests this campaign may have involved the use of an RDP proxy tool like PyRDP to automate malicious activities like file exfiltration and clipboard capture. This technique has previously been dubbed "Rogue RDP."

The campaign likely enabled attackers to read victim drives, steal files, capture clipboard data (including passwords), and obtain victim environment variables. While we did not observe direct command execution on victim machines, the attackers could present deceptive applications for phishing or further compromise. The primary objective of the campaign appears to be espionage and file theft, though the full extent of the attacker's capabilities remains uncertain. This campaign serves as a stark reminder of the security risks associated with obscure RDP functionalities, underscoring the importance of vigilance and proactive defense.

Introduction

Remote Desktop Protocol (RDP) is a legitimate Windows service that has been well researched by the security community. However, most of the security community's existing research is focused on the adversarial use of RDP to control victim machines via interactive sessions. This campaign included use of RDP that was not focused on interactive control of victim machines. Instead, adversaries leveraged two lesser-known features of the RDP protocol to present an application (the nature of which is currently unknown) and access victim resources. Given the low prevalence of this tactic, technique, and procedure (TTP) in previous reporting, we seek to explore the technical intricacies of adversary tradecraft abusing the following functionality of RDP:

RDP Property Files (.rdp configuration files)
Resource redirection (e.g. mapping victim file systems to the RDP server)
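The excerpt above describes .rdp attachments that redirect victim drives and clipboard to an attacker host and present a RemoteApp. The following Python script is an added example (not code from the article or from Mandiant) showing how a defender can parse an .rdp attachment and flag those settings for review; the key names are the standard Microsoft .rdp file settings, which the excerpt does not quote, and the sample file is constructed.

```python
# Added example: triage an .rdp attachment for the settings described above
# (drive redirection, clipboard sharing, RemoteApp presentation, signing).
# Key names are the standard Microsoft .rdp settings, not quoted from the article.
SAMPLE_RDP = """\
full address:s:rdp.example.test:3389
drivestoredirect:s:*
redirectclipboard:i:1
remoteapplicationmode:i:1
remoteapplicationprogram:s:||Viewer
signscope:s:Full Address,Drive Store Redirect
signature:s:PLACEHOLDER_SIGNATURE_BLOB
"""  # constructed sample for demonstration, not a real attachment


def parse_rdp(text):
    """Parse 'name:type:value' lines into {name: value}; skip malformed lines."""
    settings = {}
    for raw in text.splitlines():
        parts = raw.strip().split(":", 2)
        if len(parts) == 3 and parts[1] in ("s", "i", "b"):
            settings[parts[0].lower()] = parts[2]
    return settings


def triage_rdp(text):
    """Return human-readable findings for settings that warrant analyst review."""
    s = parse_rdp(text)
    findings = []
    if "full address" in s:
        findings.append("connects to " + s["full address"])
    # drivestoredirect: '*' = all local drives, 'C:;D:' = listed drives, '' = none
    if s.get("drivestoredirect"):
        findings.append("drive redirection: " + s["drivestoredirect"])
    if s.get("redirectclipboard") == "1":
        findings.append("clipboard redirection enabled")
    if s.get("remoteapplicationmode") == "1":
        findings.append("RemoteApp mode: " + s.get("remoteapplicationprogram", "?"))
    if "signature" in s:
        # A signature only shows the listed fields were not altered; it says
        # nothing about whether the destination host is trustworthy.
        findings.append("file is signed; signed fields: " + s.get("signscope", "?"))
    return findings


if __name__ == "__main__":
    for finding in triage_rdp(SAMPLE_RDP):
        print("-", finding)
```

A file that only sets benign display options produces no findings, so the script can run over a mail gateway's attachment queue and surface only the cases worth a look.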
Rating ★★★
Sent Yes
Tags Malware Tool Vulnerability Threat Technical


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.