Summary: A Google Threat Intelligence Group report reveals a sophisticated phishing campaign attributed to UNC5837, a suspected Russia-nexus actor, targeting European government and military organizations through innovative use of Remote Desktop Protocol (RDP). The attackers employed signed .rdp files and leveraged lesser-known RDP features to redirect victim resources and capture sensitive data, bypassing traditional security warnings. This campaign highlights the risks associated with underutilized RDP functionalities in espionage activities.
Affected: European government and military organizations
Key points:
- Attackers used signed .rdp file attachments to create connections while redirecting victims’ file systems to their servers.
- The campaign, referred to as "Rogue RDP", allows adversaries to steal files, capture clipboard data, and access environment variables without deploying malware.
- Digital signatures from Let's Encrypt enabled the phishing files to circumvent standard Windows security warnings, increasing user trust and susceptibility.
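As an added triage example (not from the report or the linked article), the checker below parses an .rdp attachment and flags the standard resource-redirection settings the campaign relies on; the sample file is constructed, and a present signature is deliberately not treated as a sign of safety.

```python
import re

# Standard .rdp settings that redirect local resources to the remote host.
# drivestoredirect '*' maps every local drive; an integer value of 1 enables
# the corresponding redirection.
RISKY_SETTINGS = {
    "drivestoredirect": lambda v: v.strip() != "",
    "redirectclipboard": lambda v: v.strip() == "1",
    "redirectprinters": lambda v: v.strip() == "1",
    "redirectsmartcards": lambda v: v.strip() == "1",
    "remoteapplicationmode": lambda v: v.strip() == "1",
}

# .rdp lines have the form key:type:value, where type is s (string),
# i (integer) or b (binary); keys may contain spaces, e.g. "full address".
LINE_RE = re.compile(r"^\s*([^:]+):([sib]):(.*)$")

def parse_rdp(text):
    """Parse key:type:value lines into a dict of lowercase key -> raw value."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            settings[m.group(1).strip().lower()] = m.group(3)
    return settings

def assess_rdp(text):
    """Report the target host, whether the file is signed, and risky redirections."""
    s = parse_rdp(text)
    findings = [k for k, risky in RISKY_SETTINGS.items() if k in s and risky(s[k])]
    # A signature only suppresses the client warning; it says nothing about
    # intent, so the verdict depends on the redirection settings alone.
    return {
        "full_address": s.get("full address", ""),
        "signed": s.get("signature", "").strip() != "",
        "redirections": findings,
        "verdict": "suspicious" if findings else "clean",
    }

# Constructed sample mirroring the described file: signed, all drives and
# the clipboard redirected to an attacker-controlled host (placeholder name).
SAMPLE_RDP = """\
full address:s:rdp.example.invalid:3389
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:0
signscope:s:Full Address,Drivestoredirect,Redirectclipboard
signature:s:AQABAAEAAAB...CONSTRUCTED-PLACEHOLDER...
"""

if __name__ == "__main__":
    print(assess_rdp(SAMPLE_RDP))
```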
Source: https://securityonline.info/rogue-rdp-abusing-rdp-for-file-theft-and-espionage/