
APT29 Hackers Target High-Value Victims Using Rogue RDP Servers and PyRDP

Threat Actors
– Russia-linked APT29 (tracked as Earth Koshchei)

Campaign Overview
– Targeting governments, armed forces, think tanks, academic researchers, and Ukrainian entities
– Uses the “rogue RDP” technique (previously documented by Black Hills Information Security in 2022)
– Affected up to 200 high-profile victims in a single day

Targets (Victims)
– Governments
– Armed forces
– Think tanks and academic researchers
– Ukrainian entities

Methodology
– Spear-phishing emails with a malicious RDP configuration file attached
– The victim machine connects to a PyRDP relay, which redirects the session to an attacker-controlled RDP server
– The RDP session is abused for malicious activity (data exfiltration, malware installation)
– Anonymization tools (e.g., TOR, VPNs, residential proxies) hide the attacker's infrastructure

Product Targeted
– RDP servers

Malware Reference
– PyRDP (Python-based MitM tool)

Tools Used
– PyRDP (Monster-in-the-Middle tool), TOR exit nodes, residential proxy providers, commercial VPN services

Vulnerabilities Exploited
– Rogue RDP method used for data collection without deploying custom malware

TTPs
– Initial Access: Spear-phishing with malicious RDP config file (T1566)
– Execution: Malicious scripts and system alterations (T1059)
– Persistence: Compromised RDP session (T1071)
– Exfiltration: Data exfiltration via RDP proxy (T1041)

Attribution
– Likely linked to Russian espionage campaigns (APT29, Earth Koshchei)

Recommendations
– Implement strict phishing protections
– Block unauthorized RDP connections
– Monitor network traffic for anomalies (e.g., unusual RDP sessions)
– Use endpoint protection tools to detect and block RDP-based attacks

Source
– The Hackers News

Read full article: https://thehackernews.com/2024/12/apt29-hackers-target-high-value-victims.html

The above summary has been generated by an AI language model

Source: TheHackersNews

Published on: December 18, 2024
