Earth Koshchei Employs RDP Relay, Rogue RDP server in Server Attacks


 A new cyber campaign by the advanced persistent threat (APT) group Earth Koshchei has brought rogue Remote Desktop Protocol (RDP) attacks to the forefront of cybersecurity concerns.

Leveraging a combination of RDP relays, rogue RDP servers, and custom malicious configuration files, this campaign has targeted high-profile organizations, posing a serious threat to global cybersecurity.

The Rogue RDP Methodology

The rogue RDP technique, initially described by Black Hills Information Security in 2022, involves leveraging RDP relays and malicious RDP configuration files to compromise targets.

– Advertisement –
SIEM as a Service

By presenting seemingly legitimate configuration files via spear-phishing emails, Earth Koshchei redirected victims’ machines to attacker-controlled RDP servers through 193 configured relays.

Free Webinar on Best Practices for API vulnerability & Penetration Testing:  Free Registration

Victims are unknowingly granted partial control of their systems, enabling attackers to exfiltrate sensitive data, alter system settings, and deploy malicious tools.

Notably, this attack requires no malware installation, relying instead on exploiting native RDP features, making it a stealthy “living off the land” operation.

RDP ConnectionRDP Connection
RDP Connection

One malicious RDP configuration file redirected users to a server named eu-south-2-aws[.]zero-trust[.]solutions—a hostname mimicking an Amazon Web Services (AWS) server.

Once connected, the servers executed a misleading application called AWS Secure Storage Connection Stability Test v24091285697854, granting attackers access to local drives, clipboards, and peripheral devices.

Earth Koshchei’s rogue RDP campaign reached a peak on October 22, 2024, targeting governments, military organizations, think tanks, and academic researchers.

Setup of the RDP attack methodSetup of the RDP attack method
Setup of the RDP attack method

The attack leveraged over 193 proxy domains and 34 rogue RDP backend servers, many of which mimicked legitimate organizations to deceive victims. Targets included Ukrainian institutions and entities connected to the Australian and Dutch governments.

Preparations for the campaign began as early as August 7, 2024, with the registration of domain names resembling legitimate organizations.

 These domains were used to mask malicious activity and funnel traffic to rogue servers. The campaign culminated in a massive spear-phishing email wave, but earlier smaller campaigns provided a testbed for the methodology.

Schema of how Earth Koshchei controls their infrastructureSchema of how Earth Koshchei controls their infrastructure
Schema of how Earth Koshchei controls their infrastructure

Between October 18 and 21, Earth Koshchei reportedly used their infrastructure for data exfiltration targeting military entities and a cloud services provider.

Sophisticated Infrastructure and Anonymization

Earth Koshchei demonstrated an advanced operational setup, involving anonymization techniques like virtual private networks (VPNs), residential proxies, and TOR.

By routing operations through these services, the attackers bypassed IP-based detection mechanisms, masking their activities under layers of legitimate traffic.

The malicious emails were sent from five compromised legitimate mail servers, accessed via residential proxies and commercial VPNs. Approximately 90 unique IP addresses, including TOR exit nodes, were traced back to the email campaigns.

Each of the 193 proxy domains acted as a conduit to conceal 34 backend rogue RDP servers, which were used to intercept and manipulate RDP sessions.

Figure 3 in the analysis illustrated how attackers maintained control over their infrastructure using SSH, TOR, and peer-to-peer VPNs.

Microsoft and Amazon attributed the campaign to Midnight Blizzard (APT29), which aligns with Trend Micro’s tracking of Earth Koshchei.

The group, allegedly linked to Russia’s Foreign Intelligence Service (SVR), has a history of targeting Western governments, military organizations, and critical industries for espionage purposes.

Their flexible tactics, techniques, and procedures (TTPs), including brute force attacks, watering hole techniques, and spear-phishing, have been honed over years of cyber operations.

The scale of this RDP campaign—impacting over 200 high-profile targets in a single day—underscores the growing sophistication of cyber espionage tactics.

  1. Restrict RDP Access: Organizations must enforce strict controls on RDP usage, including restricting access to trusted IP ranges and disabling unused RDP services.
  2. Monitor Configuration Files: Any inbound RDP configuration files should be rigorously analyzed for malicious parameters.
  3. Enhance Email Security: Advanced spear-phishing attempts highlight the critical need for robust email filtering, user training, and threat intelligence integration.
  4. Adopt Network Segmentation: Segmentation can mitigate risk by limiting attacker lateral movement in case of compromise.
  5. Deploy Threat Intelligence: Insights into adversary techniques like anonymization layers can help to proactively block malicious activity.

The Earth Koshchei campaign exemplifies the dire consequences of lapses in cybersecurity, urging organizations to stay vigilant against rapidly evolving APT methods.

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free



Source link