Earth Koshchei’s Rogue RDP Campaign: A Sophisticated APT Attack Targets Governments and Enterprises
Trend Micro has unveiled a large-scale rogue remote desktop protocol (RDP) campaign conducted by the threat group Earth Koshchei. Known for their espionage operations, Earth Koshchei leveraged spear-phishing emails and malicious RDP configuration files to compromise high-profile targets, including governments, military organizations, and think tanks.
Described as a methodology involving an “RDP relay, a rogue RDP server, and a malicious RDP configuration file,” the attack repurposed a known red team technique for espionage. The victim’s own Remote Desktop client makes an outbound connection to attacker-controlled infrastructure, and the settings inside the configuration file decide how much of the local machine (mapped drives, clipboard, smart cards and other devices) the remote side is allowed to reach. According to the report, this gave the attackers partial control of a victim’s machine, leading to “data leakage and malware installation.”
The campaign peaked on October 22, 2024, when hundreds of spear-phishing emails were sent to targets including diplomatic and military entities. The emails lured recipients into opening an attached malicious RDP configuration file, which connected their machines outbound to one of Earth Koshchei’s 193 RDP relays.
The campaign showcased meticulous planning, with Earth Koshchei registering over 200 domain names between August and October 2024. These domains often mimicked legitimate services or organizations, such as cloud providers and government entities. The group also used anonymization layers such as Tor, VPNs, and residential proxies to conceal its operations and complicate attribution.
The infrastructure comprised 193 proxy servers (the relays that victims connected to) and 34 rogue RDP backend servers behind them, which handled the sessions and served as the collection points for espionage and data exfiltration.
Earth Koshchei demonstrated a keen ability to repurpose legitimate red team tools. Following techniques described in a 2022 Black Hills Information Security blog, the attackers used the PyRDP man-in-the-middle tool to intercept and manipulate RDP connections. This let them browse the victims’ redirected file systems, exfiltrate data, and launch programs under innocuous-sounding names such as “AWS Secure Storage Connection Stability Test.”
“The PyRDP proxy ensures that any data stolen or commands executed are funneled back to the attacker without alerting the victim,” Trend Micro explained.
The group targeted a diverse range of victims, including governments, military forces, cloud providers, and academic researchers. Attribution of the campaign to Earth Koshchei (also known as APT29 or Midnight Blizzard) is supported by the group’s typical tactics, techniques, and procedures (TTPs), as well as victimology.
“Earth Koshchei is characterized by its persistent targeting of diplomatic, military, energy, telecom, and IT companies,” the report notes. The group is believed to be associated with Russia’s Foreign Intelligence Service (SVR).
To defend against such attacks, organizations should:
- Block Outbound RDP Connections: Deny outbound RDP (TCP and UDP 3389) at the perimeter except to an allowlist of known RDP servers. Allowlist by destination host rather than by port alone, since a configuration file can point the client at any port.
- Detect Malicious RDP Files: Scan .rdp attachments for files that point at an unknown host while enabling drive, clipboard, or device redirection or RemoteApp mode; Trend Micro detects the configuration files used in this campaign as Trojan.Win32.HUSTLECON.A. The Remote Desktop Connection Client Group Policy setting that refuses .rdp files from unknown publishers adds a client-side control.
- Enhance Email Security: Block or quarantine .rdp attachments at the mail gateway; few users have a legitimate reason to receive one by email.
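As an added example (not code from the Trend Micro report, and not a reproduction of any sample it describes), the following Python script performs the static triage the advice above calls for: it parses an .rdp file, extracts the target host, and flags the settings that hand a remote server access to the local machine, which is what a rogue RDP configuration relies on. The two sample files, the `.invalid` relay name and the allowlisted jump host are constructed for the example; only the RemoteApp display name is taken from the article.

```python
"""Static triage of .rdp attachments.

Added example for this article; it is not Trend Micro's detection logic.
All sample files and host names below are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# An .rdp file is plain text: one "name:type:value" per line, with type
# s (string), i (integer) or b (binary). mstsc.exe ignores unparseable lines.
LINE_RE = re.compile(r"^(?P<name>[^:]+):(?P<type>[sib]):(?P<value>.*)$")

# Client-side settings that expose local resources to the remote server.
# Combined with an untrusted target host, these are the core of a rogue RDP attack.
RESOURCE_REDIRECTS = {
    "drivestoredirect": "local drives mapped into the session",
    "redirectclipboard": "clipboard shared with the server",
    "redirectprinters": "printers redirected",
    "redirectsmartcards": "smart cards redirected",
    "redirectcomports": "COM ports redirected",
    "devicestoredirect": "PnP devices redirected",
    "usbdevicestoredirect": "USB devices redirected",
    "redirectwebauthn": "WebAuthn/FIDO requests redirected",
}
LAUNCH_SETTINGS = ("remoteapplicationmode", "alternate shell")


@dataclass(frozen=True)
class Finding:
    setting: str
    value: str
    reason: str


def parse_rdp(text: str) -> dict[str, tuple[str, str]]:
    """Return {name: (type, value)} for every well-formed line; names are lower-cased."""
    settings: dict[str, tuple[str, str]] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            settings[m["name"].strip().lower()] = (m["type"], m["value"].strip())
    return settings


def _is_set(entry: tuple[str, str] | None) -> bool:
    """True when an integer setting is non-zero or a string setting is non-empty."""
    if entry is None:
        return False
    kind, value = entry
    return value not in ("", "0") if kind == "i" else value != ""


def target_host(settings: dict[str, tuple[str, str]]) -> str | None:
    """Host from 'full address', with a trailing :port removed (IPv4/DNS names only)."""
    entry = settings.get("full address")
    if entry is None:
        return None
    host = entry[1]
    if host.count(":") == 1:  # "host:port"; IPv6 literals would need bracket handling
        host = host.split(":", 1)[0]
    return host.lower()


def assess_rdp(text: str, allowed_hosts: set[str]) -> list[Finding]:
    """Collect everything a reviewer should see before letting this file open."""
    s = parse_rdp(text)
    findings: list[Finding] = []
    host = target_host(s)
    if host is None:
        findings.append(Finding("full address", "", "no target host"))
    elif host not in allowed_hosts:
        findings.append(Finding("full address", host, "target is not an approved RDP server"))
    for name, why in RESOURCE_REDIRECTS.items():
        if _is_set(s.get(name)):
            findings.append(Finding(name, s[name][1], why))
    if _is_set(s.get("remoteapplicationmode")):
        app = s.get("remoteapplicationname", ("s", ""))[1]
        findings.append(Finding("remoteapplicationmode", app or "1",
                                "RemoteApp: server-chosen program runs under any display name"))
    if _is_set(s.get("alternate shell")):
        findings.append(Finding("alternate shell", s["alternate shell"][1],
                                "server launches the named program at logon"))
    if "signature" not in s:
        findings.append(Finding("signature", "", "file is unsigned (informational)"))
    return findings


def verdict(findings: list[Finding]) -> str:
    """'block' when an untrusted host also gets local resources; 'review' for either alone."""
    untrusted = any(f.setting == "full address" for f in findings)
    exposes = any(f.setting in RESOURCE_REDIRECTS or f.setting in LAUNCH_SETTINGS for f in findings)
    if untrusted and exposes:
        return "block"
    return "review" if (untrusted or exposes) else "allow"


# Constructed samples: the relay name is hypothetical; the display name is from the article.
ALLOWED_HOSTS = {"jump.corp.example"}
SUSPICIOUS_RDP = """\
screen mode id:i:2
full address:s:relay-example.invalid:3389
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
remoteapplicationmode:i:1
remoteapplicationname:s:AWS Secure Storage Connection Stability Test
remoteapplicationprogram:s:||AWSConnectionTest
"""
BENIGN_RDP = """\
full address:s:jump.corp.example:3389
drivestoredirect:s:
redirectclipboard:i:0
redirectprinters:i:0
authentication level:i:2
signature:s:AAAA
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_RDP), ("benign", BENIGN_RDP)):
        found = assess_rdp(sample, ALLOWED_HOSTS)
        print(f"{label}: {verdict(found)}")
        for f in found:
            print(f"  {f.setting}={f.value!r}: {f.reason}")
```

The signature check is deliberately informational: a signed file only tells you who signed it, and an attacker can sign with a certificate of their own, so the verdict rests on the host allowlist and the redirection settings rather than on the presence of a signature.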