#PyRDP
govindhtech · 2 months ago
PyRDP And Rogue RDP: Automating Malicious RDP Exploits
PyRDP automates file exfiltration and clipboard theft for rogue RDP campaigns. This method allows unnoticed spying via hacked remote desktop sessions.
Remote Desktop Protocol?
The Windows service Remote Desktop Protocol (RDP) allows Terminal Servers and Clients to communicate. This system uses “virtual channels” to convey data from presentations, keyboard and mouse actions, clipboards, and serial devices. Traditional RDP security research has focused on how attackers with authentic victim credentials may get full GUI access to a machine.
Innovative New Campaign RDP Use
Google Threat Intelligence Group (GTIG) uncovered a new phishing campaign tied to UNC5837, a suspected Russian espionage actor, in October 2024. This effort targeted European military and political institutions using signed .rdp file attachments. Instead of stressing interactive sessions, this marketing ingeniously used two obscure RDP protocol features:
Resource redirection maps victim file systems to attacker servers.
RemoteApps: Giving victims access to attacker-controlled applications.
RDP proxy programs like PyRDP may automate dangerous actions like file exfiltration and clipboard gathering. This approach is called “Rogue RDP.” This effort focused on file theft and espionage.
Key RDP Features
.rdp configuration files: .rdp configuration files can change RDP session functionality by configuring IP addresses, display settings, and certificate options. These files set up an RDP session like the traditional GUI (mstsc.exe). The observed campaign used phishing emails with malware-signed .rdp file attachments. This file allowed the adversary to read and write all of the victim's discs and clipboard contents and create an RDP connection from the victim's computer.
The resource redirection capability lets remote desktop users utilise local peripherals and devices. This includes printers, keyboards, mice, discs, serial connections, hardware keys, audio equipment, and clipboards. The observed campaign's malicious .rdp file sent all discs, printers, COM ports, smart cards, WebAuthn requests, clipboards, and POS devices to the attacker's C2 server. Microsoft's "virtual channels" allow resource redirection and RDP packet transmission.
RemoteApps: This optional RDP feature lets remote server apps run as windowed programs on the client (victim). Thus, a malicious remote program that isn't installed on the victim's PC may seem local. Malicious .rdp files in RemoteApp campaigns presented users with a fake “AWS Secure Storage Connection Stability Test” app.
This application was hosted on the attacker's RDP server and looked local. The session displays this application alone when remoteapplicationmode is 1. RemoteApp requires RDP server resources, yet mapped victim CDs allow RemoteApp access. This malware also received the victim's Windows environment variables as command-line arguments.
Function of PyRDP
PyRDP, an open-source Python-based MiTM RDP proxy toolkit, is used offensively. Even if its use in the claimed campaign is unverified, its automation makes it a feasible weapon for such attacks. PyRDP relays the victim-RDP server connection to boost capabilities:
Possible NTLM hash and plaintext password theft.
The RDP server executes commands, not the victim's machine.
Note the user's clipboard.
Mapping and maybe scraping drives.
Controlling, recording, and broadcasting RDP sessions.
PyRDP uses fine-grained control over built-in functionality rather than RDP protocol vulnerabilities. PyRDP might have been used in the campaign under observation to bypass the user login screen and reveal the malicious RemoteApp by giving credentials. Potential features include clipboard capture and automatic file exfiltration.
Security Risks and Effects
This campaign highlights unknown RDP security risks. It shows how attackers may employ lawful characteristics for evil, making identification and incident response harder due to fewer forensic artefacts than other attack routes. Even without direct command execution on target PCs, the attackers were able to access victim discs, steal files, collect clipboard data (including passwords), and steal environment variables. Signed .rdp files may bypass security alarms, reducing attack suspicion.
Advice for Defenders
The sources give several ways to fortify systems and identify these attacks:
Log Artefacts: Monitor registry keys (HKU\…\Microsoft\Terminal Server Client\Servers) and Windows Event Logs (Event IDs 1102, 1027, 1029) to comprehend an attacker's infrastructure. Increased logging (e.g., Sysmon) can track file write activity from C:\Windows\system32\mstsc.exe on redirected discs; however, transient files should not be included. You may also use regex patterns to identify .rdp files run from email attachments.
System hardening: Network-level blocking of outgoing RDP traffic to public IPs, registry-based resource redirection disablement, and Group Policy-based granular RDP policy configuration (e.g., resource and clipboard redirection management, enforcing Network Level Authentication, and blocking .rdp file extensions as email attachments) can improve security.
Questionable RDP configuration files with a base64 encoded Let's Encrypt certificate or that allow resource redirection and RemoteApps can be identified using YARA criteria.
Final comments
The “Rogue RDP” campaign shows how to innovate with old tactics. The risk is dishonestly using actual RDP capabilities, not protocol weaknesses. To defend against such assaults and grasp PyRDP's potential, one must understand RDP features, notably resource redirection and RemoteApps.
1 note · View note
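The post above names the .rdp settings a defender should look for in a mail attachment: resource redirection (drives, printers, COM ports, smart cards, WebAuthn, clipboard, POS devices), remoteapplicationmode set to 1, and a signature block carrying a Let's Encrypt certificate. The script below is an added example, not code from the post or from the PyRDP project, that parses an .rdp file and reports those findings so an analyst can triage attachments before they are opened. The key names are the standard mstsc.exe .rdp settings; the sample files, the target host, the program alias and the signature blob are constructed (the "signature" is a base64-wrapped marker string, not a real PKCS#7 signature), and treating indented lines as continuations of a wrapped signature value is an assumption.

```python
"""Triage .rdp attachments for the settings the Rogue RDP post calls out:
resource redirection, RemoteApp mode and a signature block that embeds a
Let's Encrypt certificate. Added example; not code from the post or PyRDP."""
import base64

# .rdp keys that expose local resources to the remote server (standard mstsc.exe
# settings; the post lists exactly these classes of redirected devices).
REDIRECT_KEYS = {
    "drivestoredirect": "drive redirection",
    "redirectclipboard": "clipboard redirection",
    "redirectprinters": "printer redirection",
    "redirectcomports": "COM port redirection",
    "redirectsmartcards": "smart card redirection",
    "redirectwebauthn": "WebAuthn redirection",
    "redirectposdevices": "POS device redirection",
}

# Issuer names to look for inside the decoded signature blob. DER certificates
# keep the issuer organisation as a printable string, so a byte search suffices.
ISSUER_MARKERS = (b"Let's Encrypt",)


def parse_rdp(text):
    """Parse 'name:type:value' lines into a dict keyed by lower-cased name.
    Assumption: a line starting with whitespace continues the previous value
    (a wrapped base64 signature); unparseable lines are skipped."""
    settings, last = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and last is not None:
            settings[last] += raw.strip()
            continue
        parts = raw.split(":", 2)
        if len(parts) != 3:
            continue
        name, _type, value = parts
        last = name.strip().lower()
        settings[last] = value.strip()
    return settings


def is_enabled(settings, key):
    """True when a redirection key is present and not explicitly off
    ('i' keys use 0/1, drivestoredirect uses '*' or drive letters)."""
    return settings.get(key, "") not in ("", "0")


def issuer_markers(settings):
    """Decode the signature value and report which issuer markers it embeds."""
    sig = "".join(settings.get("signature", "").split())
    if not sig:
        return []
    sig += "=" * (-len(sig) % 4)  # tolerate stripped padding
    try:
        blob = base64.b64decode(sig)
    except ValueError:  # binascii.Error is a ValueError subclass
        return []
    return [m.decode() for m in ISSUER_MARKERS if m in blob]


def triage(text):
    """Return (target host, list of findings) for one .rdp file."""
    s = parse_rdp(text)
    findings = []
    for key, label in REDIRECT_KEYS.items():
        if is_enabled(s, key):
            findings.append(f"{label} enabled ({key}={s[key]})")
    if s.get("remoteapplicationmode") == "1":
        findings.append("RemoteApp mode: " + s.get("remoteapplicationname", "<unnamed>"))
    if "signature" in s:
        findings.append("file is signed")
        for marker in issuer_markers(s):
            findings.append(f"signature embeds '{marker}' certificate")
    return s.get("full address", ""), findings


# Constructed sample: the signature is a base64-wrapped marker string standing in
# for a real PKCS#7 blob, and the host and program alias are placeholders.
_FAKE_SIG = base64.b64encode(
    b"\x01\x00\x01\x00CONSTRUCTED O=Let's Encrypt CN=placeholder").decode()
SUSPICIOUS = "\n".join([
    "full address:s:rdp.example.invalid:3389",
    "remoteapplicationmode:i:1",
    "remoteapplicationname:s:AWS Secure Storage Connection Stability Test",
    "remoteapplicationprogram:s:||StorageTest",
    "drivestoredirect:s:*",
    "redirectclipboard:i:1",
    "redirectprinters:i:1",
    "redirectcomports:i:1",
    "redirectsmartcards:i:1",
    "redirectwebauthn:i:1",
    "redirectposdevices:i:1",
    "signature:s:" + _FAKE_SIG,
])
# Constructed benign file: plain desktop session with redirection switched off.
BENIGN = "full address:s:desktop.corp.example.invalid\nredirectclipboard:i:0\ndrivestoredirect:s:\n"

if __name__ == "__main__":
    for name, sample in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        host, findings = triage(sample)
        print(f"[{name}] target={host!r} findings={len(findings)}")
        for f in findings:
            print("  -", f)
```

The host returned by triage is the value to compare against the registry key and event IDs the post names, and a file that combines RemoteApp mode with several redirection keys and a signature is the profile the post describes; a benign desktop connection yields no findings at all.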
cyber-sec · 6 months ago
APT29 Hackers Target High-Value Victims Using Rogue RDP Servers and PyRDP
Source: https://thehackernews.com/2024/12/apt29-hackers-target-high-value-victims.html
More info: https://www.trendmicro.com/en_us/research/24/l/earth-koshchei.html
4 notes · View notes
ericvanderburg · 6 months ago
APT29 Hackers Target High-Value Victims Using Rogue RDP Servers and PyRDP
http://i.securitythinkingcap.com/TGsJDR
0 notes
pentesttoolz · 6 years ago
Pyrdp - RDP Man-In-The-Middle And Library For Python3
Pyrdp - RDP Man-In-The-Middle And Library For #Python3 With The Ability To Watch Connections Live Or After The Fact #RDP #MITM
PyRDP is a Python 3 Remote Desktop Protocol (RDP) Man-in-the-Middle (MITM) and library. It features a few tools:
RDP Man-in-the-Middle
Logs credentials used when connecting
Steals data copied to the clipboard
Saves a copy of the files transferred over the network
Saves replays of connections so you can look at them later
Run console commands or PowerShell payloads automatically on…
0 notes
hackgit · 3 years ago
PyRDP: A Python Remote Desktop Protocol (RDP) Monster-in-the-Middle (MITM) tool and library.
RDP Monster-in-the-Middle:
▫️ Logs plaintext credentials or NetNTLM hashes used when connecting
▫️ Steals data copied to the clipboard
▫️ Saves a copy of the files transferred over the network
▫️ Crawls shared drives in the background and saves them locally
▫️ Saves replays of connections so you can look at them later
▫️ Runs console commands or PowerShell payloads automatically on new connections
RDP Player:
▫️ See live RDP connections coming from the MITM
▫️ View replays of RDP connections
▫️ Take control of active RDP sessions while hiding your actions
▫️ List the client's mapped drives and download files from them during active sessions
Converter tool:
▫️ Convert RDP replays to videos for easier sharing
▫️ Convert RDP replays to a sequence of low-level events serialized in JSON format
▫️ Convert PCAPs to replays, videos or JSON events
▫️ Convert decrypted PCAPs (L7 PDUs) to replays, videos or JSON events
RDP Certificate Cloner:
▫️ Create a self-signed X509 certificate with the same fields as an RDP server's certificate
https://github.com/GoSecure/pyrdp
0 notes
thehackernewsco · 6 years ago
Pyrdp – RDP Man-In-The-Middle And Library For Python3 | TheHackerNews.Co #ability #bettercap #blackhat #connections #fact #hacker #hacking #cybersecurity #hackers #linux #ethicalhacking #programming #security #thehackernews
0 notes
mrhackerco · 6 years ago
Pyrdp – RDP Man-In-The-Middle And Library For Python3 | MrHacker.Co #ability #bettercap #blackhat #connections #fact #hacker #hacking #cybersecurity #hackers #linux #ethicalhacking #programming #security #mrhacker
0 notes
cyberkid1987 · 6 years ago
PyRDP v0.3 releases: Python 3 Remote Desktop Protocol Man-in-the-Middle
0 notes
hackgit · 4 years ago
PyRDP - RDP Monster-In-The-Middle (Mitm) And Library For Python With The Ability To Watch Connections Live Or After The Fact https://ift.tt/3k8MDNW
http://www.kitploit.com/2021/11/pyrdp-rdp-monster-in-middle-mitm-and.html via HackGit
0 notes
cyberkid1987 · 6 years ago
PyRDP: Python 3 Remote Desktop Protocol Man-in-the-Middle
0 notes