Out of Hibernation: Cozy Bear Large-Scale Spear-Phishing Campaign 2024

Renmarc Andrada 08/11/2024

After a quiet season, it looks like Cozy Bear is out of hibernation and back on the hunt.

In October 2024, the Microsoft Threat Intelligence Team uncovered a large-scale spear-phishing campaign by APT29—also known as Midnight Blizzard or Cozy Bear—who have shaken off their slumber with a fresh tactic. In a twist, they’re using Zero Trust themes to spark curiosity and lure targets, ultimately gaining control over their systems. This campaign primarily targets government agencies, enterprises, defense organizations, and more as part of Cozy Bear's ongoing intelligence-gathering operations. Seems like winter came early this year for Cozy Bear’s latest espionage spree!

Introduction

When security teams talk about spear-phishing campaigns, they usually mean that specific people received an email with an attached file, such as a ZIP or ISO, or a link to a convincing fake website built to capture their login details. Threat actors are always creative and find new ways to break into their targets. These days, it’s common to see them use new tactics and techniques, showing just how far they push the limits of what’s possible.

In this large-scale spear-phishing campaign by APT29, the threat actors took a different approach to achieve their goals. While they still used email-based 'phishing,' this time they attached RDP files. When a recipient clicks on the seemingly harmless file, it initiates a remote connection that grants attackers access to system resources such as local drives, the clipboard, video, audio devices, and more. This method allows attackers to observe and potentially interact with the victim’s activities in real time.

What are RDP files, and how do they work? An inside look at APT29’s tools, structure, and capabilities

Remote Desktop Protocol (RDP) files are typically used to initiate and manage remote desktop connections to other computers or servers. They are simple text files with an .rdp extension that contain settings and parameters defining how the remote session should operate, such as the target machine's IP address, screen resolution, and other session configurations.

Fortunately, we have obtained some RDP file samples used by APT29 in their ongoing campaign.

In the image below, we highlight key configurations within the RDP file. Let’s take a look!

The RDP file is signed with a Let's Encrypt certificate, indicated in the 'signature' field. The file’s configuration summarizes automatic settings and resource mappings that are applied upon a successful connection to an RDP server.
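The settings above are plain name:type:value lines, so a triage script can read a suspicious .rdp attachment without opening it in mstsc.exe. The parser below is an added example (not code from the original post or from the campaign); SAMPLE_RDP is a constructed file whose host name and signature value are placeholders.

```python
# Added example (not from the original post): parse an .rdp file and flag
# settings that expose local resources or hand the session to a RemoteApp.
# SAMPLE_RDP is constructed; the host and signature value are placeholders.
from typing import Callable, Dict, Tuple

SAMPLE_RDP = """\
full address:s:rdp.example.invalid:3389
remoteapplicationmode:i:1
remoteapplicationprogram:s:||SCMS
drivestoredirect:s:*
redirectclipboard:i:1
audiocapturemode:i:1
camerastoredirect:s:*
signature:s:PLACEHOLDER-SIGNATURE-BLOB
"""

# Settings that map local resources into the session, or let the server pick
# the program shown, keyed to the value that enables them.
RISKY: Dict[str, Callable[[str], bool]] = {
    "drivestoredirect": lambda v: v != "",        # "*" = every local drive
    "redirectclipboard": lambda v: v == "1",
    "audiocapturemode": lambda v: v == "1",       # microphone
    "camerastoredirect": lambda v: v != "",
    "remoteapplicationmode": lambda v: v == "1",  # RemoteApp launch
}

def parse_rdp(text: str) -> Dict[str, Tuple[str, str]]:
    """Return {setting: (type, value)} from name:type:value lines."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)  # value may itself contain ':'
        if len(parts) == 3:
            settings[parts[0].lower()] = (parts[1], parts[2])
    return settings

def assess_rdp(text: str) -> dict:
    """Summarise where the file connects, whether it carries a signature
    field, and which risky settings are enabled."""
    s = parse_rdp(text)
    return {
        "target": s.get("full address", ("s", ""))[1],
        "signed": "signature" in s,
        "remoteapp": s.get("remoteapplicationprogram", ("s", ""))[1],
        "flagged": sorted(n for n, on in RISKY.items() if n in s and on(s[n][1])),
    }

if __name__ == "__main__":
    print(assess_rdp(SAMPLE_RDP))
```

A signature field only shows the file was signed by someone; it says nothing about whether that someone is trusted, so treat it as context rather than a pass.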

Case Study: Detecting and Responding to RDP File Execution with Sysmon

Imagine that an employee in your organization has been tricked into downloading and opening an RDP file. As an analyst, you are now tasked with finding evidence to support your investigation.

To begin, let’s analyze the endpoint behavior by examining event logs after the RDP file was opened.

First, since this was launched through user interaction, we expect to see explorer.exe created and running as the parent process.

Next, the mstsc.exe process should appear as a child process of explorer.exe, with its CommandLine field containing the name of the RDP file that was clicked.

Finally, mstsc.exe will initiate a connection to the RDP server, logged under Sysmon Event ID 3 (Network Connection), which includes key network-related artifacts.

These details are valuable for hunting within the organization’s SIEM that ingests Sysmon logs from their endpoints.
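The three steps above form a single chain that can be correlated in code once the Sysmon events are in a SIEM. The function below is an added example (not the post's own detection content): SAMPLE_EVENTS is a constructed set of Event ID 1 and 3 records with placeholder GUIDs, paths and addresses, including one benign mstsc.exe launch that must not match.

```python
# Added example (not from the original post): correlate Sysmon events for the
# chain described above: explorer.exe -> mstsc.exe <file>.rdp -> Event ID 3
# network connection from that same mstsc.exe process.
# SAMPLE_EVENTS is constructed; GUIDs, paths and addresses are placeholders.
from typing import Dict, List

SAMPLE_EVENTS: List[Dict] = [  # a few Sysmon fields, as a SIEM would ingest them
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe", "ProcessGuid": "{G-EXPLORER}",
     "ParentImage": r"C:\Windows\System32\userinit.exe", "CommandLine": "explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\mstsc.exe", "ProcessGuid": "{G-MSTSC}",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mstsc.exe" "C:\Users\u\Downloads\ZeroTrust.rdp"'},
    {"EventID": 3, "Image": r"C:\Windows\System32\mstsc.exe", "ProcessGuid": "{G-MSTSC}",
     "DestinationIp": "203.0.113.10", "DestinationPort": 3389},
    # benign: an admin typing mstsc from a shell, no .rdp file -> should not match
    {"EventID": 1, "Image": r"C:\Windows\System32\mstsc.exe", "ProcessGuid": "{G-ADMIN}",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "mstsc.exe /v:fileserver01"},
]

def find_rdp_file_launches(events: List[Dict]) -> List[Dict]:
    """One finding per mstsc.exe spawned by explorer.exe with an .rdp argument,
    joined to the Event ID 3 connections made by that ProcessGuid."""
    findings = []
    for e in events:
        if e.get("EventID") != 1:
            continue
        if not e.get("Image", "").lower().endswith("\\mstsc.exe"):
            continue
        if not e.get("ParentImage", "").lower().endswith("\\explorer.exe"):
            continue
        if ".rdp" not in e.get("CommandLine", "").lower():
            continue
        conns = [c for c in events
                 if c.get("EventID") == 3 and c.get("ProcessGuid") == e["ProcessGuid"]]
        findings.append({
            "guid": e["ProcessGuid"],
            "commandline": e["CommandLine"],
            "destinations": sorted(f'{c["DestinationIp"]}:{c["DestinationPort"]}' for c in conns),
        })
    return findings

if __name__ == "__main__":
    for finding in find_rdp_file_launches(SAMPLE_EVENTS):
        print(finding)
```

Joining on ProcessGuid rather than ProcessId avoids matching an unrelated process that later reused the same PID.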

To better understand the diagram above, here’s the actual event log for the activity.

In the next section, let’s step into the shoes of an attacker to understand their point of view.

Case Study: How Attackers Leverage Remote Desktop Phishing to Steal Credentials

Imagine an attacker using Windows Server Remote Desktop Services (RDS) to host a fake application. This application is designed to display a fake login screen upon launch. The attacker configures a .rdp file to automatically open this fake login application in RemoteApp mode, making it look like a standard Windows security prompt.

The attacker might distribute this .rdp file through a phishing email, convincing the victim that it’s part of a required security check or an IT maintenance task.

When the victim double-clicks the file and connects to the RDS server, the fake login application (SCMS) is displayed. However, although the fake application appears to be on the victim’s computer, it is running on the attacker’s server, thanks to RemoteApp functionality within Remote Desktop Services (RDS).

The victim is presented with a login prompt that requests their username and password. Unaware of the deception, the victim enters their credentials into this fake application. These credentials are then logged on the attacker’s server and stored for later use or exfiltration.

This attack is effective because it combines familiarity with stealth. The fake app resembles a standard login screen, which doesn’t raise suspicion, and by using RemoteApp, the attacker can present the application as if it’s running locally on the victim’s machine. This setup masks the fact that the app is actually running on the attacker’s server, making the phishing attempt more convincing and difficult to detect.

Conclusion

In this blog, we covered several key topics. We began with APT29’s large-scale spear-phishing campaign targeting various entities for cyber espionage, exploring how they use RDP files, delivered under a Zero Trust theme, to capture intelligence from targets, and detailing their RDP configuration. We then discussed RDP from both blue and red team perspectives, including detection and response using Sysmon logs, and examined how RDP files can be used in phishing campaigns to harvest user credentials from a red teaming standpoint.

If you found this topic interesting and you don’t have any exposure to Malware Analysis, Reverse Engineering, Digital Forensics and Incident Response, why not take a look at our gamified blue team training platform?

References

Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files | Microsoft Security Blog

mstsc | Microsoft Learn

About Renmarc Andrada


Renmarc is an avid fan of the phrase 'sharing is the new learning'. As a content developer with years of experience under his belt, he dedicates most of his time to researching both old and new TTPs in broad areas such as DFIR, CTI, threat hunting and malware analysis.