Windows Remote Desktop Protocol: Remote to Rogue
Summary:
In October 2024, Google’s Threat Intelligence Group identified a novel phishing campaign attributed to a suspected Russian espionage group, UNC5837, that targeted European government and military entities. This campaign deviated from traditional phishing tactics by weaponizing Remote Desktop Protocol files attached to phishing emails. These .rdp files, digitally signed with Let's Encrypt certificates, established outbound RDP connections from victim machines to attacker-controlled servers. The legitimate appearance of the signatures allowed the attachments to bypass standard Windows security prompts, significantly increasing the likelihood of user execution without suspicion.
Rather than launching full remote desktop sessions, the attackers employed two lesser-known RDP features: resource redirection and RemoteApp. Resource redirection mapped victim resources, such as file systems, printers, smart cards, and clipboards, into the attacker's environment. Meanwhile, the RemoteApp functionality displayed a deceptive application (“AWS Secure Storage Connection Stability Test”) that was hosted on the attacker’s server but appeared as a locally run application on the victim’s machine. This method enabled attackers to interact with the victim’s environment without leaving obvious traces like those from typical remote access tools. The .rdp configuration also passed environment variables to the attacker upon session initiation, enabling reconnaissance. GTIG suggests the attackers may have used PyRDP, an open-source RDP proxy tool designed for man-in-the-middle operations. PyRDP provides automation for credential harvesting, clipboard monitoring, drive enumeration, and session recording or streaming. Notably, PyRDP can freeze a session to execute commands on the RDP server and can plant malicious files on redirected drives, potentially laying the groundwork for follow-up attacks or persistence mechanisms. In this campaign, PyRDP’s ability to bypass the user login prompt by preloading credentials and immediately launching a RemoteApp would have enabled smooth, stealthy execution.
Security Officer Comments:
The phishing emails, reportedly sent en masse to Ukrainian organizations and European agencies, impersonated a collaborative project between Microsoft, Amazon, and a Ukrainian security agency. Recipients were instructed to open the attached .rdp file; the message claimed that no personal data would be shared and that any error messages could be ignored. This social engineering strategy, coupled with technical obfuscation, created a convincing and low-friction path to compromise.
Suggested Corrections:
To defend against these techniques, organizations should:
- Block outbound RDP traffic to untrusted external IPs.
- Disable drive and clipboard redirection via Group Policy or Registry edits (DisableDriveRedirection=1).
- Require .rdp file signatures to match a whitelist of trusted certificate thumbprints.
- Prevent execution of unsigned .rdp files via Group Policy.
- Block .rdp attachments in inbound email filters.
- Monitor for file creation by mstsc.exe in non-standard directories.
- Hunt for anomalous clipboard activity during RDP sessions, especially in virtualized environments where clipboard redirection may expose both host and guest data.
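The following is an added example, not part of the GTIG report or this summary, showing how a mail-gateway or hunting script can triage an .rdp attachment for the settings this campaign relied on (outbound connection to an untrusted host, drive/clipboard/printer/smart-card redirection, RemoteApp mode, environment variables in the RemoteApp command line) and whether the file carries a signature block at all. The setting names are the standard mstsc .rdp keys; the sample file, its host (an RFC 5737 placeholder), its signature blob and the `trusted_hosts` list are constructed for illustration, and the placement of environment variables in `remoteapplicationcmdline` is an assumption about how the values mentioned above would be passed. Matching the signer thumbprint against an allow-list, as recommended above, requires decoding the signature blob and is not attempted here.

```python
import re

# Standard .rdp settings that hand local resources to the remote side.
# Each predicate says when the configured value counts as "enabled".
REDIRECTION_SETTINGS = {
    "drivestoredirect": lambda v: v != "",    # "*" means every local drive
    "devicestoredirect": lambda v: v != "",
    "redirectclipboard": lambda v: v == "1",
    "redirectprinters": lambda v: v == "1",
    "redirectsmartcards": lambda v: v == "1",
    "redirectcomports": lambda v: v == "1",
}

# %VARNAME% references, e.g. %USERNAME%, inside a RemoteApp command line.
ENV_VAR_RE = re.compile(r"%[A-Za-z_][A-Za-z0-9_]*%")


def read_rdp_bytes(data):
    """mstsc saves .rdp files as UTF-16 with a BOM; mail attachments may be
    plain ASCII. Decode either form into text."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("utf-8", errors="replace")


def parse_rdp(text):
    """Parse 'key:type:value' lines (type is s, i or b) into {key: value}.
    The value may itself contain colons (host:port), so split at most twice."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)
        if len(parts) != 3 or parts[1] not in ("s", "i", "b"):
            continue  # malformed line: skip it rather than abort the triage
        settings[parts[0].strip().lower()] = parts[2].strip()
    return settings


def _host_of(full_address):
    """Strip an optional ':port' suffix from a 'full address' value."""
    host, sep, port = full_address.rpartition(":")
    return (host if sep and port.isdigit() else full_address).lower()


def triage_rdp(text, trusted_hosts=()):
    """Return {'host', 'signed', 'findings'} describing why the file is risky.
    An empty findings list means nothing in the file matched the patterns."""
    s = parse_rdp(text)
    findings = []
    host = _host_of(s.get("full address", ""))
    if host and host not in {h.lower() for h in trusted_hosts}:
        findings.append(f"outbound RDP to untrusted host {host}")
    for key, enabled in REDIRECTION_SETTINGS.items():
        if key in s and enabled(s[key]):
            findings.append(f"{key} enabled ({s[key]})")
    if s.get("remoteapplicationmode") == "1":
        findings.append("RemoteApp mode: " + s.get("remoteapplicationname", "<unnamed>"))
    env_refs = ENV_VAR_RE.findall(s.get("remoteapplicationcmdline", ""))
    if env_refs:
        findings.append("RemoteApp command line references " + ", ".join(env_refs))
    # A signature block only tells us the file is signed, not by whom; the
    # signer thumbprint still has to be checked against the trusted list.
    return {"host": host, "signed": "signature" in s, "findings": findings}


# Constructed sample modelled on the campaign's attachment: placeholder host,
# all redirection enabled, RemoteApp mode, env vars on the command line,
# and a dummy signature blob.
SAMPLE_RDP = """\
full address:s:203.0.113.10:3389
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
remoteapplicationmode:i:1
remoteapplicationname:s:AWS Secure Storage Connection Stability Test
remoteapplicationprogram:s:||AWSTest
remoteapplicationcmdline:s:%USERNAME% %USERDOMAIN% %COMPUTERNAME%
signscope:s:Full Address,RemoteApplicationMode,RemoteApplicationName
signature:s:AQABAAEA-DUMMY-SIGNATURE-BLOB
"""

if __name__ == "__main__":
    result = triage_rdp(SAMPLE_RDP, trusted_hosts=["rdp.corp.example"])
    print("signed:", result["signed"])
    for finding in result["findings"]:
        print("-", finding)
```

Run against a gateway quarantine or a directory of user downloads, any file with a non-empty findings list is worth a closer look; a file whose only finding is a trusted host with no redirection and RemoteApp mode off is the normal case for an internally published connection file.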
Link(s):
https://cloud.google.com/blog/topics/threat-intelligence/windows-rogue-remote-desktop-protocol/