New Russia-linked cyberespionage campaign abuses Windows RDP

Attacks exploiting the Windows Remote Desktop Protocol have been launched by Russia-nexus threat operation UNC5837 against European government and military organizations as part of a cyberespionage-focused phishing campaign discovered in October, reports Cybernews.
Malicious emails purporting to be from a joint Amazon, Microsoft, and Ukrainian government project were leveraged by UNC5837 to distribute an .rdp file dubbed "AWS Secure Storage Connection Stability Test," which, when opened, triggers an outbound RDP session to attacker-controlled infrastructure and a second remote desktop window presented through RemoteApp, according to a Google Threat Intelligence Group report. Through that session the attackers could read the victim's redirected local drives and clipboard, from which sensitive data could be exfiltrated, and could also reach redirected audio devices, printers, ports, and smartcards, said Google Threat Intelligence Group researchers, who suggested the open-source RDP proxy PyRDP may have been abused to automate the covert intrusions. The findings follow a Malwarebytes report that more than half of ransomware attacks stemmed from RDP compromise.
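The attack described above works because an .rdp file can silently enable resource redirection, so a defender's first triage step on an attached .rdp file is to read its settings. The following Python script is an added example, not code from the SC Media article or from Google's report. It parses the plain-text `name:type:value` format that Microsoft's Remote Desktop client uses and flags the documented settings that hand local resources (drives, clipboard, printers, smart cards, COM ports, audio capture) to the remote host, plus RemoteApp mode. The sample file contents, including the hostname, are constructed for illustration.

```python
"""Flag resource-redirection settings in a .rdp file (added defensive example).

The .rdp format is plain text, one `name:type:value` per line, where type is
`s` (string) or `i` (integer). The setting names below are Microsoft's
documented Remote Desktop client settings; the sample file is constructed.
"""
import sys

# Constructed sample mimicking a lure that redirects everything to the remote side.
SAMPLE_RDP = """\
full address:s:storage-test.example.invalid:3389
remoteapplicationmode:i:1
remoteapplicationname:s:AWS Secure Storage Connection Stability Test
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
redirectcomports:i:1
audiocapturemode:i:1
"""

# Settings that expose a local resource to the remote host when enabled.
RISKY_SETTINGS = {
    "drivestoredirect": "local drives",
    "redirectclipboard": "clipboard",
    "redirectprinters": "printers",
    "redirectsmartcards": "smart cards",
    "redirectcomports": "serial (COM) ports",
    "devicestoredirect": "plug-and-play devices",
    "audiocapturemode": "microphone / audio capture",
    "remoteapplicationmode": "RemoteApp window (remote program shown as a local one)",
}


def parse_rdp(text: str) -> dict[str, tuple[str, str]]:
    """Return {setting_name: (type, value)}; names are lower-cased.

    The value may itself contain colons (e.g. host:port), so split at most twice.
    """
    settings: dict[str, tuple[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue  # not a name:type:value line; ignore it
        name, typ, value = parts
        settings[name.strip().lower()] = (typ.strip().lower(), value.strip())
    return settings


def _enabled(setting: tuple[str, str]) -> bool:
    """Integer settings are on when non-zero; string lists are on when non-empty."""
    typ, value = setting
    if typ == "i":
        return value.strip() not in ("", "0")
    return value.strip() != ""


def risky_redirections(settings: dict[str, tuple[str, str]]) -> list[str]:
    """List every enabled redirection setting with the resource it exposes."""
    findings = []
    for key, label in RISKY_SETTINGS.items():
        if key in settings and _enabled(settings[key]):
            typ, value = settings[key]
            findings.append(f"{key}:{typ}:{value} -> exposes {label}")
    return findings


def triage(text: str) -> list[str]:
    """Parse a .rdp file body and return its findings, target first if present."""
    settings = parse_rdp(text)
    report = []
    if "full address" in settings:
        report.append(f"connects to: {settings['full address'][1]}")
    report.extend(risky_redirections(settings))
    return report


if __name__ == "__main__":
    # Usage: python rdp_triage.py suspicious.rdp  (defaults to the built-in sample)
    body = open(sys.argv[1], encoding="utf-8-sig").read() if len(sys.argv) > 1 else SAMPLE_RDP
    for line in triage(body):
        print(line)
```

Running the script on the sample lists the target host and seven enabled redirections; a benign file that sets `redirectclipboard:i:0` and leaves `drivestoredirect` empty produces no findings. The same checks map directly onto the mitigations a defender would apply: block inbound .rdp attachments at the mail gateway and use Group Policy to disable drive, clipboard and device redirection for outbound Remote Desktop connections.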