CyberSecurity updates
2025-02-23 09:12:53 Pacific

Kimsuky APT Group Uses Custom RDP Wrapper - 13d

The Kimsuky hacking group is using a custom-built RDP Wrapper and proxy tools to gain access to infected machines. This allows them to bypass security measures and maintain persistent access.

Kimsuky Hackers Employ Custom RDP Wrapper for Access - 14d

The Kimsuky APT group is actively employing a custom-built RDP Wrapper and proxy tools to gain unauthorized access to infected machines, enabling persistent cyber espionage. This involves spear-phishing tactics and the distribution of malicious shortcut files disguised as legitimate documents. AhnLab’s ASEC team has released a blog post detailing additional malware used in these attacks. This highlights the group’s evolving tactics and persistent threat to organizations.

Earth Koshchei RDP Attacks Exploit Red Team - 4d

Earth Koshchei, also known as APT29 and Midnight Blizzard, is leveraging red team tools and techniques to compromise RDP servers. The attack methodology involves a combination of an RDP relay, rogue RDP servers and malicious RDP configuration files, redirecting traffic through VPNs, TOR and residential proxies, making detection and mitigation difficult. This sophisticated campaign targets governments, armed forces, think tanks, academic researchers, and Ukrainian entities, leading to potential data leakage and malware installation. The APT group uses spear-phishing emails containing malicious RDP configuration files that redirect traffic to 193 RDP relays.