The Centre for Cybersecurity Belgium (CCB) received multiple notifications of a spear phishing campaign targeting national CSIRTs and governmental organisations in Europe. The attacker poses as the national CSIRT and uses phishing emails to deliver an RDP file as an attachment. The goal is to acquire access to the victim’s local drives, which allows the attacker to manipulate the victim’s local folders and files. When the local drives are exposed through the malicious RDP file, exfiltration is highly likely, and there is an increased risk of the attacker serving additional malicious code and achieving persistence.
Modus operandi
Based on multiple notifications:
- The attackers impersonate the national CSIRTs of the targeted organisation, e.g. the CCB for a Belgian organisation.
- The attacker lures the victim with the pretext of a “Cloud Collaboration” effort.
- The phishing email serves a malicious RDP file.
- If the victim opens the RDP file, the local drives will be exposed to the attacker’s infrastructure.
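The mechanism behind the last step is that an .rdp file is a plain-text list of `name:type:value` settings, and a few of them (`redirectdrives`, `drivestoredirect`) tell the Remote Desktop client to share the local drives with whatever host `full address` points at. The following is an added example, not code from the CCB advisory, that parses such an attachment and flags the settings a defender would want to see before the file reaches a user; the sample file body and the trusted-host list are constructed for illustration.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample .rdp body resembling the kind of attachment described above
# (hostname is a reserved example domain, not an indicator from the advisory).
SAMPLE_RDP = """screen mode id:i:2
full address:s:cloud-collaboration.example.invalid:3389
redirectdrives:i:1
drivestoredirect:s:*
redirectclipboard:i:1
remoteapplicationmode:i:1
"""


def parse_rdp(text: str) -> Dict[str, Tuple[str, str]]:
    """Parse 'name:type:value' lines into {name: (type, value)}.

    Lines that are empty, comments (';'), or malformed are skipped, so a
    hand-edited or partially corrupted attachment still yields what it can.
    """
    settings: Dict[str, Tuple[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue
        name, typ, value = parts
        settings[name.strip().lower()] = (typ.strip().lower(), value.strip())
    return settings


def assess_rdp(text: str, trusted_hosts: Set[str]) -> List[str]:
    """Return human-readable findings for settings that expose the local machine.

    An empty list means the file connects only to a trusted host and does not
    redirect local drives or other resources.
    """
    s = parse_rdp(text)
    findings: List[str] = []

    def val(name: str) -> str:
        return s.get(name, ("", ""))[1]

    address = val("full address")
    host = address.rsplit(":", 1)[0].lower() if address else ""
    if address and host not in trusted_hosts:
        findings.append(f"connects to untrusted host '{address}'")

    # Either setting is enough to map local drives into the remote session.
    if val("redirectdrives") == "1":
        findings.append("redirectdrives=1: local drives are shared with the remote host")
    drives = val("drivestoredirect").lower()
    if drives and drives != "none":
        findings.append(f"drivestoredirect='{drives}': drive redirection is enabled")

    # Other redirections widen what the remote side can read or inject.
    for name, label in (
        ("redirectclipboard", "clipboard"),
        ("redirectsmartcards", "smart cards"),
        ("redirectprinters", "printers"),
    ):
        if val(name) == "1":
            findings.append(f"{name}=1: {label} redirected to the remote host")
    if val("remoteapplicationmode") == "1":
        findings.append("remoteapplicationmode=1: remote host launches a RemoteApp in the session")
    return findings


def is_suspicious(text: str, trusted_hosts: Set[str]) -> bool:
    """Convenience verdict for mail-gateway or EDR triage of an .rdp attachment."""
    return bool(assess_rdp(text, trusted_hosts))


if __name__ == "__main__":
    trusted = {"rdp.internal.example"}  # constructed allow-list
    for finding in assess_rdp(SAMPLE_RDP, trusted):
        print("-", finding)
    print("suspicious:", is_suspicious(SAMPLE_RDP, trusted))
```

Run on the sample, the check reports the untrusted destination, both drive-redirection settings, the clipboard redirection and RemoteApp mode. A file that points at an allow-listed host with no redirection produces no findings, so the same function can be used as a gate on inbound .rdp attachments rather than only as a manual triage aid.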