Russian hackers use RDP proxies to steal data in MiTM attacks

Share:

The Russian hacking group tracked as APT29 (aka “Midnight Blizzard”) is using a network of 193 remote desktop protocol proxy servers to perform man-in-the-middle (MiTM) attacks to steal data and credentials and to install malicious payloads.

The MiTM attacks utilized the PyRDP red team proxy tool to scan the victims’ filesystems, steal data in the background, and remotely execute rogue applications on the breached environment.

Trend Micro, which tracks the threat actors as ‘Earth Koshchei,’ reports that this campaign targets government and military organizations, diplomatic entities, IT and cloud service providers, and telecommunication and cybersecurity companies.

The domain names registered for the campaign suggest that APT29 targeted entities primarily in the U.S., France, Australia, Ukraine, Portugal, Germany, Israel, France, Greece, Turkey, and the Netherlands.

Using PyRDP for MitM attacks

Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft that allows users to remotely access and control another computer over a network. It is commonly used for remote administration, technical support, and connecting to systems in enterprise environments.

In October 2024, Amazon and CERT-UA published reports confirming that APT29 is tricking victims into connecting to rogue RDP servers after running a file attached to phishing emails.

Once the connection is set up, local resources, including disks, networks, printers, the clipboard, audio devices, and COM ports, are shared with the attacker-controlled RDP server, enabling them unconditional access to sensitive information.

Trend Micro’s latest report reveals more details about this activity after identifying 193 RDP proxy servers that redirected connections to 34 attacker-controlled backend servers, allowing the attackers to monitor and intercept RDP sessions.

The hackers use a Python “man-in-the-middle” MitM red team tool called PyRDP to intercept all communication between the victim and the remote session, allowing the connection to appear legitimate.

The tool allows the attackers to log plaintext credentials or NTLM hashes, steal clipboard data, steal transferred files, steal data from shared drives in the background, and run console or PowerShell commands on new connections.

The researchers explain that this technique was first described by Mike Felch in 2022, who may have inspired APT29’s tactics.

“Upon establishing the connection, the rogue server mimics the behavior of a legitimate RDP server and exploits the session to carry out various malicious activities,” explains Trend Micro

“A primary attack vector involves the attacker deploying malicious scripts or altering system settings on the victim’s machine.”

“Additionally, the PyRDP proxy facilitates access to the victim’s file system, enabling the attacker to browse directories, read or modify files, and inject malicious payloads.

Overview of the RDP session interception
RDP session interception
Source: Trend Micro

Among the malicious configurations Trend Micro analyzed, there’s also one that serves the user with a misleading AWS Secure Storage Connection Stability Test connection request.

Deceptive connection request
Deceptive connection request
Source: Trend Micro

Regarding APT29’s evasion, the researchers report that the Russian hackers use a combination of commercial VPN products accepting cryptocurrency payments, TOR exit nodes, and residential proxy services to obscure the IP addresses of the rogue RDP servers.

Overview of infrastructure obfuscation
Overview of infrastructure obfuscation
Source: Trend Micro

Defending against rogue RDP configurations requires a good response to malicious emails, which, in this case, were sent from legitimate addresses compromised before the campaign’s launch.

Even more important, Windows users should only make RDP connections to known, trusted servers and never utilize RDP connections sent via email attachments.

Leave a Comment

Your email address will not be published. Required fields are marked *

loader-image
Austria, AT
12:46 am, Dec 28, 2024
weather icon 1°C
L: 1° H: 1°
broken clouds
Humidity 82 %
Pressure 1034 mb
Wind 6 mph SSE
Wind Gust Wind Gust: 4 mph
UV Index UV Index: 0
Precipitation Precipitation: 0 mm
Clouds Clouds: 73%
Rain Chance Rain Chance: 0%
Visibility Visibility: 10 km
Sunrise Sunrise: 7:53 am
Sunset Sunset: 4:23 pm
DailyHourly
Daily ForecastHourly Forecast
Scroll to Top