Russian hackers use RDP proxies to steal data in MiTM attacks


The Russian hacking group tracked as APT29 (aka “Midnight Blizzard”) is using a network of 193 remote desktop protocol proxy servers to perform man-in-the-middle (MiTM) attacks to steal data and credentials and to install malicious payloads.

The MiTM attacks utilized the PyRDP red team proxy tool to scan the victims’ filesystems, steal data in the background, and remotely execute rogue applications on the breached environment.

Trend Micro, which tracks the threat actors as ‘Earth Koshchei,’ reports that this campaign targets government and military organizations, diplomatic entities, IT and cloud service providers, and telecommunication and cybersecurity companies.

The domain names registered for the campaign suggest that APT29 targeted entities primarily in the U.S., France, Australia, Ukraine, Portugal, Germany, Israel, Greece, Turkey, and the Netherlands.

Using PyRDP for MitM attacks

Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft that allows users to remotely access and control another computer over a network. It is commonly used for remote administration, technical support, and connecting to systems in enterprise environments.

In October 2024, Amazon and CERT-UA published reports confirming that APT29 is tricking victims into connecting to rogue RDP servers after running a file attached to phishing emails.

Once the connection is set up, local resources, including disks, networks, printers, the clipboard, audio devices, and COM ports, are shared with the attacker-controlled RDP server, giving the attackers unrestricted access to sensitive information.

Trend Micro’s latest report reveals more details about this activity after identifying 193 RDP proxy servers that redirected connections to 34 attacker-controlled backend servers, allowing the attackers to monitor and intercept RDP sessions.

The hackers use a Python man-in-the-middle (MitM) red team tool called PyRDP to intercept all communication between the victim and the remote session, allowing the connection to appear legitimate.

The tool allows the attackers to log plaintext credentials or NTLM hashes, steal clipboard data, steal transferred files, steal data from shared drives in the background, and run console or PowerShell commands on new connections.

The researchers explain that this technique was first described by Mike Felch in 2022, who may have inspired APT29’s tactics.

“Upon establishing the connection, the rogue server mimics the behavior of a legitimate RDP server and exploits the session to carry out various malicious activities,” explains Trend Micro.

“A primary attack vector involves the attacker deploying malicious scripts or altering system settings on the victim’s machine.”

“Additionally, the PyRDP proxy facilitates access to the victim’s file system, enabling the attacker to browse directories, read or modify files, and inject malicious payloads.”

Overview of the RDP session interception
Source: Trend Micro

Among the malicious configurations Trend Micro analyzed, there’s also one that serves the user with a misleading AWS Secure Storage Connection Stability Test connection request.

Deceptive connection request
Source: Trend Micro

Regarding APT29’s evasion, the researchers report that the Russian hackers use a combination of commercial VPN products accepting cryptocurrency payments, TOR exit nodes, and residential proxy services to obscure the IP addresses of the rogue RDP servers.

Overview of infrastructure obfuscation
Source: Trend Micro

Defending against rogue RDP configuration files starts with handling malicious emails properly; in this case, the emails were sent from legitimate addresses that had been compromised before the campaign launched.

Even more important, Windows users should only make RDP connections to known, trusted servers and never utilize RDP connections sent via email attachments.
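The resource sharing described above (drives, clipboard, printers, COM ports and audio handed to whatever server the connection file names) and the advice to never open emailed RDP connections both come down to what is written in the attached .rdp file. The following triage script is an added defensive example, not code from the article, Trend Micro, or PyRDP: it parses the `key:type:value` lines of a Microsoft .rdp file, checks the `full address` target against an allowlist of the organisation's known RDP servers, and flags the Microsoft-documented redirection settings that would expose local resources. The allowlist hostnames, the two sample files and the attacker placeholder domain are constructed for illustration.

```python
"""Triage an emailed .rdp file for the rogue-server pattern.

Added defensive example (not from the article or Trend Micro). It parses
the "name:type:value" lines of a Microsoft .rdp file and reports a file as
suspicious when it points at a server outside the allowlist AND turns on
resource redirection. Setting names are Microsoft's documented .rdp keys;
the allowlist, sample files and hostnames below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed allowlist of the organisation's known RDP endpoints (hypothetical names).
KNOWN_RDP_HOSTS = {"rdp-gateway.corp.example", "ts01.corp.example"}

# Redirection keys and the values that hand local resources to the remote server.
# In .rdp files "i" is an integer setting and "s" a string setting.
REDIRECT_CHECKS = {
    "drivestoredirect": lambda v: v.strip() != "",   # "*" shares every local drive
    "redirectclipboard": lambda v: v.strip() == "1",
    "redirectprinters": lambda v: v.strip() == "1",
    "redirectcomports": lambda v: v.strip() == "1",
    "audiocapturemode": lambda v: v.strip() == "1",  # microphone redirection
}


@dataclass
class RdpVerdict:
    target: str | None
    unknown_host: bool
    redirections: list[str] = field(default_factory=list)
    remote_app: bool = False

    @property
    def suspicious(self) -> bool:
        # Unknown server plus any resource sharing is the pattern the article describes.
        return self.unknown_host and bool(self.redirections)


def parse_rdp(text: str) -> dict[str, str]:
    """Return {key: value} for each well-formed 'key:type:value' line."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")  # mstsc often writes a BOM-prefixed file
        if not line or line.startswith(";"):
            continue
        parts = line.split(":", 2)  # the value itself may contain ':' (host:port)
        if len(parts) != 3:
            continue
        key, _type, value = parts
        settings[key.strip().lower()] = value
    return settings


def triage_rdp(text: str, known_hosts: set[str] = KNOWN_RDP_HOSTS) -> RdpVerdict:
    """Classify one .rdp file body against the allowlist and redirection checks."""
    s = parse_rdp(text)
    target = s.get("full address")
    host = None
    if target:
        # Drop an optional ":port" suffix and IPv6 brackets before the allowlist lookup.
        host = target.strip().rsplit(":", 1)[0].strip("[]").lower()
    verdict = RdpVerdict(target=target, unknown_host=host not in known_hosts)
    for key, is_exposing in REDIRECT_CHECKS.items():
        if key in s and is_exposing(s[key]):
            verdict.redirections.append(key)
    # remoteapplicationmode:i:1 shows a single program window instead of a full
    # desktop, which is how a "connection test" lure can pass for an ordinary app.
    verdict.remote_app = s.get("remoteapplicationmode", "0").strip() == "1"
    return verdict


# Constructed sample files (not real campaign artefacts).
BENIGN_RDP = """\
full address:s:rdp-gateway.corp.example:3389
drivestoredirect:s:
redirectclipboard:i:0
redirectprinters:i:0
"""

LURE_RDP = """\
full address:s:storage-check.attacker-placeholder.test:3389
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectcomports:i:1
remoteapplicationmode:i:1
"""

if __name__ == "__main__":
    for name, body in (("benign", BENIGN_RDP), ("lure", LURE_RDP)):
        v = triage_rdp(body)
        print(f"{name}: target={v.target} unknown_host={v.unknown_host} "
              f"redirections={v.redirections} remote_app={v.remote_app} "
              f"suspicious={v.suspicious}")
```

The verdict deliberately requires both conditions: an unknown host alone is a policy question, and drive redirection to a trusted terminal server is routine, but an emailed file that points at an unfamiliar server while sharing drives, clipboard and COM ports is exactly the combination the attackers rely on. A mail gateway or EDR rule can call `triage_rdp` on any `.rdp` attachment and quarantine those where `suspicious` is true.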
