Russian hackers use RDP proxies to steal data in MiTM attacks


The Russian hacking group tracked as APT29 (aka “Midnight Blizzard”) is using a network of 193 remote desktop protocol proxy servers to perform man-in-the-middle (MiTM) attacks to steal data and credentials and to install malicious payloads.

The MiTM attacks utilized the PyRDP red team proxy tool to scan the victims’ filesystems, steal data in the background, and remotely execute rogue applications on the breached environment.

Trend Micro, which tracks the threat actors as ‘Earth Koshchei,’ reports that this campaign targets government and military organizations, diplomatic entities, IT and cloud service providers, and telecommunication and cybersecurity companies.

The domain names registered for the campaign suggest that APT29 targeted entities primarily in the U.S., France, Australia, Ukraine, Portugal, Germany, Israel, Greece, Turkey, and the Netherlands.

Using PyRDP for MitM attacks

Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft that allows users to remotely access and control another computer over a network. It is commonly used for remote administration, technical support, and connecting to systems in enterprise environments.

In October 2024, Amazon and CERT-UA published reports confirming that APT29 is tricking victims into connecting to rogue RDP servers after running a file attached to phishing emails.

Once the connection is set up, local resources, including disks, networks, printers, the clipboard, audio devices, and COM ports, are shared with the attacker-controlled RDP server, giving the attackers unconditional access to sensitive information.

Trend Micro’s latest report reveals more details about this activity after identifying 193 RDP proxy servers that redirected connections to 34 attacker-controlled backend servers, allowing the attackers to monitor and intercept RDP sessions.

The hackers use a Python man-in-the-middle (MitM) red team tool called PyRDP to intercept all communication between the victim and the remote session while allowing the connection to appear legitimate.

The tool allows the attackers to log plaintext credentials or NTLM hashes, steal clipboard data, steal transferred files, steal data from shared drives in the background, and run console or PowerShell commands on new connections.

The researchers explain that this technique was first described in 2022 by Mike Felch, whose work may have inspired APT29’s tactics.

“Upon establishing the connection, the rogue server mimics the behavior of a legitimate RDP server and exploits the session to carry out various malicious activities,” explains Trend Micro.

“A primary attack vector involves the attacker deploying malicious scripts or altering system settings on the victim’s machine.”

“Additionally, the PyRDP proxy facilitates access to the victim’s file system, enabling the attacker to browse directories, read or modify files, and inject malicious payloads.”

[Figure: Overview of the RDP session interception. Source: Trend Micro]

Among the malicious configurations Trend Micro analyzed, there’s also one that serves the user with a misleading AWS Secure Storage Connection Stability Test connection request.

[Figure: Deceptive connection request. Source: Trend Micro]

Regarding APT29’s evasion, the researchers report that the Russian hackers use a combination of commercial VPN products accepting cryptocurrency payments, TOR exit nodes, and residential proxy services to obscure the IP addresses of the rogue RDP servers.

[Figure: Overview of infrastructure obfuscation. Source: Trend Micro]

Defending against rogue RDP configurations requires a good response to malicious emails, which, in this case, were sent from legitimate addresses compromised before the campaign’s launch.

Even more important, Windows users should only make RDP connections to known, trusted servers and never utilize RDP connections sent via email attachments.
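The advice above comes down to two checks on any RDP connection file that arrives by email: does it point at a server you know, and does it hand local resources (drives, clipboard, printers, COM ports, smart cards, microphone) to that server? The script below is an added example, not code from the article, Trend Micro or the PyRDP project, of how a mail-gateway or SOC triage job could apply both checks to a `.rdp` attachment. An `.rdp` file is a plain-text list of `name:type:value` lines (`s` for string, `i` for integer); the setting names used here are the standard Remote Desktop client keys, while the sample files, the host names and the trusted-host list are constructed for the example.

```python
"""Triage an .rdp attachment for rogue-server and resource-redirection risk.

Added example (not the article's or Trend Micro's code). Setting names are the
standard Remote Desktop client keys; the sample files below are constructed.
"""
import re

LINE_RE = re.compile(r"^(?P<key>[^:]+):(?P<type>[si]):(?P<value>.*)$")

# Settings that expose local resources to the remote side. With a PyRDP-style
# proxy in front of the server, everything these share can be read or written.
REDIRECTION_KEYS = {
    "drivestoredirect": "local drives are shared with the server",
    "redirectclipboard": "clipboard is shared with the server",
    "redirectprinters": "printers are shared with the server",
    "redirectcomports": "COM ports are shared with the server",
    "redirectsmartcards": "smart cards are shared with the server",
    "audiocapturemode": "microphone is redirected to the server",
}


def parse_rdp(text):
    """Return {setting: value}; integer-typed settings are converted to int."""
    settings = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip blank lines and anything not in name:type:value form
        key = m.group("key").strip().lower()
        value = m.group("value").strip()
        if m.group("type") == "i" and value.lstrip("-").isdigit():
            value = int(value)
        settings[key] = value
    return settings


def assess_rdp(text, trusted_hosts):
    """Return (target host, list of findings). An empty list means no concern."""
    settings = parse_rdp(text)
    target = str(settings.get("full address", ""))
    host = target.split(":")[0].strip().lower()  # drop an optional :port suffix
    findings = []
    if not host:
        findings.append("no 'full address' set; the client will prompt, so the target is unknown")
    elif host not in trusted_hosts:
        findings.append(f"target {host!r} is not a known RDP server")
    for key, why in REDIRECTION_KEYS.items():
        value = settings.get(key)
        if key == "drivestoredirect":
            if value:  # "*" (all drives) or an explicit drive list
                findings.append(f"{key}={value!r}: {why}")
        elif value == 1:
            findings.append(f"{key}=1: {why}")
    return host, findings


# Constructed allow-list: the organisation's own RDP endpoints.
TRUSTED_HOSTS = {"rds01.corp.example", "rds02.corp.example"}

# Constructed lure: points at an unknown host and redirects every resource.
LURE_RDP = """\
screen mode id:i:2
full address:s:storage-check.example.invalid
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectcomports:i:1
redirectsmartcards:i:1
audiocapturemode:i:1
prompt for credentials:i:0
"""

# Constructed benign file: known host, no redirection.
BENIGN_RDP = """\
full address:s:rds01.corp.example:3389
drivestoredirect:s:
redirectclipboard:i:0
"""

if __name__ == "__main__":
    for label, content in (("lure", LURE_RDP), ("benign", BENIGN_RDP)):
        host, findings = assess_rdp(content, TRUSTED_HOSTS)
        print(f"{label}: target={host!r}, {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Any finding on the target host alone is enough to quarantine the attachment; the redirection findings tell the analyst what the victim would have exposed had they clicked through, which is what the article's description of shared disks, clipboard, and COM ports amounts to in practice.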
