Rogue RDP campaigns use tools like PyRDP to automate file exfiltration and clipboard theft. This technique enables stealthy espionage operations via compromised remote desktop sessions.
What is Remote Desktop Protocol?
Remote Desktop Protocol (RDP) is a legitimate Windows protocol for communication between a Terminal Server and a Terminal Server Client. It is built on the idea of “virtual channels” that can carry different kinds of data, such as presentation data, keyboard and mouse activity, clipboard contents, or traffic from a serial device. RDP security research has traditionally concentrated on how attackers with legitimate victim credentials can use it to obtain complete graphical user interface (GUI) access to a computer.
Innovative RDP Use in a New Campaign
The Google Threat Intelligence Group (GTIG) discovered a new phishing campaign in October 2024 that was linked to UNC5837, a suspected espionage actor with ties to Russia. This campaign used signed .rdp file attachments and was directed at European military and political institutions. Rather than relying on interactive sessions, the campaign made clever use of two obscure RDP protocol features:
- Resource redirection: mapping victim file systems to the attacker’s servers.
- RemoteApps: giving victims access to applications under the attacker’s control.
Evidence points to the possible automation of harmful tasks, including file exfiltration and clipboard collection, through the use of an RDP proxy tool such as PyRDP. This method is known as “Rogue RDP.” The campaign’s main goals appeared to be file theft and espionage.
Important RDP Features
.rdp configuration files: .rdp files, which carry properties such as the IP address to connect to, display settings, and certificate choices, can be used to alter the behaviour of RDP sessions. Opening one of these files is equivalent to setting up an RDP session through the classic GUI (mstsc.exe). The campaign under observation used phishing emails carrying a malicious signed .rdp file attachment. When this file was opened, it established an RDP connection from the victim’s computer and gave the adversary read and write access to all of the victim’s drives and to the clipboard contents.
Resource redirection: During a remote desktop session, the resource redirection feature makes peripherals and devices attached to the local system usable from the remote side. This covers printers, keyboards, mice, drives, serial ports, hardware keys, audio equipment, and clipboards. In the observed campaign, the malicious .rdp file redirected all drives, printers, COM ports, smart cards, WebAuthn requests, clipboards, and point-of-sale (POS) devices to the attacker’s command-and-control (C2) server. Resource redirection is implemented through Microsoft’s “virtual channels,” and communication takes place via dedicated RDP packets (PDUs).
RemoteApps: This optional RDP feature lets programs on the remote server run on the client (victim) machine as windowed programs. Because of this, a malicious remote application that is not installed on the victim’s computer can appear to be local. In the campaign, the malicious .rdp file used RemoteApp to present the user with a fraudulent application called “AWS Secure Storage Connection Stability Test.”
This application was hosted on the attacker’s RDP server while pretending to be a locally installed program. When the remoteapplicationmode option is set to 1, the session is switched to display this application alone. The resources RemoteApp uses belong to the RDP server, but if victim drives are mapped, RemoteApp can also access them. The victim computer’s Windows environment variables were also passed to this program as command-line arguments.
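The three settings described above (drive and device redirection, the clipboard, and RemoteApp mode) are plain `key:type:value` lines in a .rdp file, so a defender can triage a suspicious attachment by parsing it. The following is an added example, not code from the original article or from GTIG; the setting names are standard mstsc.exe settings, while the sample file, its documentation IP address and its placeholder signature are constructed.

```python
import re

# Standard .rdp settings that expose local resources to the remote server
# (real mstsc.exe setting names; the sample file below is constructed).
REDIRECTION_KEYS = {
    "drivestoredirect": "drive redirection",
    "redirectclipboard": "clipboard redirection",
    "redirectcomports": "COM port redirection",
    "redirectsmartcards": "smart card redirection",
    "redirectwebauthn": "WebAuthn redirection",
}

def parse_rdp(text):
    """Parse 'key:type:value' lines into {key: (type, value)}; malformed lines are skipped."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+):([is]):(.*)$", line)
        if m:
            settings[m.group(1).strip().lower()] = (m.group(2), m.group(3).strip())
    return settings

def is_enabled(setting):
    """'i' settings are on when 1; 's' settings (drive lists, '*' = all) when non-empty."""
    kind, value = setting
    return value == "1" if kind == "i" else value != ""

def assess_rdp(text):
    """Return (risk, findings); 'high' = resource redirection plus RemoteApp, the Rogue RDP shape."""
    s = parse_rdp(text)
    findings = [f"{label} enabled ({key}={s[key][1]})"
                for key, label in REDIRECTION_KEYS.items() if key in s and is_enabled(s[key])]
    remoteapp = s.get("remoteapplicationmode", ("i", "0"))[1] == "1"
    if remoteapp:
        findings.append("RemoteApp mode enabled (program=%s)"
                        % s.get("remoteapplicationprogram", ("s", ""))[1])
    if "signature" in s:
        findings.append("signed .rdp file (signature block present)")
    risk = "high" if findings and remoteapp else "medium" if findings else "low"
    return risk, findings

# Constructed sample shaped like the campaign's file (documentation IP, placeholder signature)
SAMPLE_RDP = """\
full address:s:203.0.113.10
drivestoredirect:s:*
redirectclipboard:i:1
redirectwebauthn:i:1
remoteapplicationmode:i:1
remoteapplicationprogram:s:||AWSStorageTest
remoteapplicationcmdline:s:%USERNAME% %COMPUTERNAME%
signature:s:PLACEHOLDER_SIGNATURE_BLOB
"""
```

`assess_rdp(SAMPLE_RDP)` rates the constructed file "high" because it combines full drive redirection and clipboard redirection with RemoteApp mode, which is exactly the combination the YARA rules mentioned later also key on.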
PyRDP’s Function
PyRDP is an open-source, Python-based man-in-the-middle (MiTM) RDP proxy toolkit built for offensive engagements. Although its use in the reported campaign has not been verified, its automation capabilities make it a plausible tool for such attacks. PyRDP relays the connection between a victim and an RDP server, giving the operator additional capabilities over that connection:
- Theft of plaintext passwords and possibly NTLM hashes.
- Executing commands on the RDP server (not on the victim’s computer).
- Capturing the user’s clipboard.
- Mapping drives and possibly scraping them.
- Taking over, recording, and streaming RDP sessions.
It is crucial to remember that PyRDP does not exploit flaws in the RDP protocol; it provides fine-grained control over built-in features. In the context of the campaign under observation, PyRDP could have been used to supply credentials, bypass the user login prompt, and display the malicious RemoteApp straight away. It could also have provided clipboard capture and automated file exfiltration.
Risks to Security and Their Consequences
This campaign draws attention to the security risks of less widely known RDP features. It illustrates how attackers can turn legitimate features to malicious ends while leaving fewer forensic artefacts than other attack channels, which makes detection and incident response more difficult. Even though direct command execution on victim PCs was not observed, the attackers were able to access victim drives, steal files, grab clipboard data (including passwords), and obtain victim environment variables. Additionally, using signed .rdp files may bypass common security warnings, which makes the attack less suspicious to the user.
Suggestions to Defenders
The sources offer a number of suggestions for strengthening systems and identifying these kinds of attacks:
Log Artefacts: Monitoring registry keys (HKU\…\Microsoft\Terminal Server Client\Servers\) and Windows Event Logs (Event IDs 1102, 1027, 1029) can reveal information about an attacker’s infrastructure. With increased logging (e.g., Sysmon), file write activity from C:\Windows\system32\mstsc.exe associated with redirected drives can be tracked; it is important, however, to exclude harmless temporary files. Using specific regex patterns to identify .rdp files that are opened directly from email attachments is also advised.
System hardening: Security can be improved through measures such as network-level blocking of outgoing RDP traffic to public IPs, disabling resource redirection via the registry, and granular RDP policy configuration through Group Policy (e.g., managing resource and clipboard redirection, enforcing Network Level Authentication, and blocking the .rdp file extension in email attachments).
YARA Rules: The YARA rules provided in the sources can be used to identify questionable RDP configuration files that contain a base64-encoded Let’s Encrypt certificate or that permit resource redirection and RemoteApps.
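Two of the log-based checks above (an .rdp file opened straight from an email attachment cache, and mstsc.exe writing files outside its temporary folder) can be expressed as regex rules over endpoint telemetry. This is an added example, not code from the article or from GTIG; it assumes events flattened into a Sysmon-like shape (Event ID 1 process creation with Image and CommandLine, Event ID 11 file creation with TargetFilename), and every event, path and user name below is constructed.

```python
import re

# Constructed telemetry in a flattened Sysmon-like shape (Event ID 1 = process create,
# Event ID 11 = file create). Paths and user names are made up.
EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\system32\mstsc.exe",
     "CommandLine": r'"C:\Windows\system32\mstsc.exe" "C:\Users\alice\AppData\Local\Microsoft'
                    r'\Windows\INetCache\Content.Outlook\A1B2C3D4\AWS_Test.rdp"'},
    {"EventID": 1, "Image": r"C:\Windows\system32\mstsc.exe",
     "CommandLine": r'"C:\Windows\system32\mstsc.exe" /v:fileserver01'},
    {"EventID": 11, "Image": r"C:\Windows\system32\mstsc.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\RDP12345.tmp"},
    {"EventID": 11, "Image": r"C:\Windows\system32\mstsc.exe",
     "TargetFilename": r"C:\Users\alice\Documents\payroll\export.xlsx"},
]

# An .rdp file launched straight from an e-mail attachment cache (Outlook's Content.Outlook
# folder or the INetCache tree), matched case-insensitively
ATTACHMENT_RDP = re.compile(
    r'(?:Content\.Outlook|INetCache|Temporary Internet Files)\\[^"]*\.rdp\b', re.IGNORECASE)
# Scratch location mstsc.exe writes to during normal use; excluded to cut noise
BENIGN_WRITE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
MSTSC = re.compile(r"\\mstsc\.exe$", re.IGNORECASE)

def rdp_from_attachment(event):
    """True for an mstsc.exe launch whose argument is a .rdp file in an attachment cache."""
    return (event.get("EventID") == 1 and bool(MSTSC.search(event.get("Image", "")))
            and ATTACHMENT_RDP.search(event.get("CommandLine", "")) is not None)

def suspicious_mstsc_write(event):
    """True for a file written by mstsc.exe outside its scratch folder (redirected-drive activity)."""
    return (event.get("EventID") == 11 and bool(MSTSC.search(event.get("Image", "")))
            and not BENIGN_WRITE.search(event.get("TargetFilename", "")))

def triage(events):
    """Return (rule name, detail) alerts for every event that matches either rule."""
    alerts = []
    for e in events:
        if rdp_from_attachment(e):
            alerts.append(("rdp_file_from_email_attachment", e["CommandLine"]))
        elif suspicious_mstsc_write(e):
            alerts.append(("mstsc_file_write_outside_temp", e["TargetFilename"]))
    return alerts
```

On the constructed events, `triage(EVENTS)` raises two alerts: the .rdp launched from the Content.Outlook cache and the write into the user's Documents folder, while the ordinary `/v:` connection and the temp-file write are ignored.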
Concluding remarks
The “Rogue RDP” campaign demonstrates how effective it can be to combine well-known techniques in novel ways. Rather than exploiting protocol flaws, the risk lies in the abuse of genuine RDP functionality. Defending against such attacks, and understanding what tools like PyRDP make possible, requires an understanding of the subtleties of RDP features, especially resource redirection and RemoteApps.