There are many actions a threat actor can take with RDP access (credential harvesting, account takeover, cryptocurrency mining among them) and it's easier for them to launch these threats if they have access to an RDP port. Skilled attackers often find the ports themselves by scanning infrastructure exposed to the Internet and using brute force to access open ports. Automated tools and the Shodan search engine help them find systems configured for RDP access online.
Still, many threat actors of all skill levels buy RDP access on the Dark Web, where the ports are hot commodities, as are tools to delete attackers' activity once their work is done.