A sophisticated cyber espionage campaign that turns red team tooling and rogue Remote Desktop Protocol (RDP) servers against victims has been uncovered, with the threat actor Earth Koshchei (also known as APT29 and Midnight Blizzard) targeting government agencies, military organizations, and academic researchers worldwide.
The campaign, which reached its peak on October 22, 2024, involved the distribution of malicious RDP configuration files through spear-phishing emails to high-profile targets.
The attackers established an extensive infrastructure of 193 RDP relay domains and 34 rogue RDP backend servers to facilitate their operations.
Earth Koshchei demonstrated significant preparation by registering over 200 domain names between August and October 2024. The group specifically targeted organizations with connections to government entities, including military units, think tanks, and academic institutions.
The attack methodology, originally documented by Black Hills Information Security in 2022, involves three key components: an RDP relay, a rogue RDP server, and a malicious RDP configuration file.
When victims open the malicious configuration file, their machines attempt to connect to the attacker’s servers, potentially leading to data leakage and malware installation.
To enhance stealth and complicate attribution, the threat actors employed multiple layers of anonymization, including commercial VPN services, TOR networks, and residential proxies.
Tools such as PyRDP amplify the attack by letting the operator intercept and alter RDP sessions in transit. PyRDP can automatically crawl the drives a victim has redirected into the session and store their contents on the attacker's machine, making data exfiltration more efficient.
“This attack demonstrates how tools like PyRDP can automate and enhance malicious activities, such as systematically crawling redirected drives to exfiltrate data,” Trend Micro said.
The group accessed compromised mail servers through various residential proxy providers and VPN services to distribute their phishing emails.
Evidence suggests that Earth Koshchei conducted more targeted operations before the mass campaign, with traces of data exfiltration detected through their RDP relays between October 18 and 21, affecting two military organizations and a cloud provider.
The campaign’s sophistication is particularly noteworthy as it demonstrates how threat actors can repurpose legitimate red team tools and methodologies for malicious purposes.
Even organizations with strict security controls could be exposed, especially when employees connect from home networks that lack corporate egress filtering, or when the rogue server listens on a non-standard port that existing firewall rules do not cover.
Security experts recommend that organizations block outbound RDP connections to untrusted servers and implement measures to prevent the transmission of RDP configuration files through email.
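The malicious RDP configuration file described above is a plain-text list of `key:type:value` lines, so a mail gateway or endpoint rule can inspect it before a user double-clicks it. The following scanner is an added example written for this article, not code from Trend Micro or from the campaign: it parses a `.rdp` file, checks the destination against an organisation-specific allowlist of approved RDP hosts, flags the documented settings that expose the client to a hostile server (drive, clipboard, smart-card and device redirection, and RemoteApp mode), notes a non-standard port, and returns a score and verdict. The allowlist hostnames, the scoring weights, the threshold and both sample files are constructed for illustration.

```python
"""Scan Remote Desktop (.rdp) configuration files for settings that make a
connection to an unknown or rogue RDP server dangerous.

Added example for illustration; ALLOWED_HOSTS, the weights, the threshold and
the sample files below are constructed, not taken from any real campaign."""
import re
from typing import Dict, List, Tuple

# Assumption: the organisation's approved RDP gateways/hosts (constructed).
ALLOWED_HOSTS = {"rdgw.corp.example", "ts01.corp.example"}

# Documented .rdp setting name -> (why it matters, weight). Values that are
# enabled hand the server access to client resources or let it run programs.
RISKY_SETTINGS: Dict[str, Tuple[str, int]] = {
    "drivestoredirect":      ("client drives shared with the server", 3),
    "redirectdrives":        ("client drives shared with the server (legacy key)", 3),
    "redirectsmartcards":    ("smart cards exposed to the server", 3),
    "remoteapplicationmode": ("RemoteApp mode: the server picks the program to run", 2),
    "devicestoredirect":     ("plug-and-play devices redirected", 2),
    "redirectclipboard":     ("clipboard shared with the server", 1),
    "redirectprinters":      ("printers redirected", 1),
}
QUARANTINE_THRESHOLD = 4  # constructed; tune to the environment


def parse_rdp(text: str) -> Dict[str, Tuple[str, str]]:
    """Parse .rdp content into {key: (type, value)}; keys are case-insensitive.
    A leading byte-order mark, blank lines and malformed lines are tolerated."""
    settings: Dict[str, Tuple[str, str]] = {}
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"^([^:]+):([isb]):(.*)$", line)
        if m is None:
            continue  # not a key:type:value line; skip rather than fail the scan
        settings[m.group(1).strip().lower()] = (m.group(2), m.group(3).strip())
    return settings


def destination(settings: Dict[str, Tuple[str, str]]) -> Tuple[str, int]:
    """Split 'full address' into (host, port); the RDP default port is 3389."""
    addr = settings.get("full address", ("s", ""))[1]
    host, port = addr, 3389
    m = re.match(r"^\[(.+)\](?::(\d+))?$", addr)  # [ipv6]:port form
    if m:
        host = m.group(1)
        port = int(m.group(2)) if m.group(2) else 3389
    elif addr.count(":") == 1:  # host:port form
        host, p = addr.split(":")
        port = int(p) if p.isdigit() else 3389
    return host.lower(), port


def setting_enabled(typ: str, val: str) -> bool:
    """Integer settings are on when non-zero; string lists (e.g. drives '*')
    are on when non-empty."""
    if typ == "i":
        return val.isdigit() and int(val) != 0
    return val != ""


def assess(text: str) -> Tuple[int, List[str]]:
    """Return (risk score, human-readable findings) for one .rdp file."""
    settings = parse_rdp(text)
    score, findings = 0, []
    host, port = destination(settings)
    if not host:
        score += 3
        findings.append("no destination host")
    elif host not in ALLOWED_HOSTS:
        score += 3
        findings.append(f"destination {host!r} is not an approved RDP host")
    if port != 3389:
        score += 1
        findings.append(f"non-standard RDP port {port}")
    for key, (why, weight) in RISKY_SETTINGS.items():
        if key in settings and setting_enabled(*settings[key]):
            score += weight
            findings.append(f"{key}: {why}")
    return score, findings


def verdict(text: str) -> str:
    """'quarantine' when the score reaches the threshold, else 'allow'."""
    return "quarantine" if assess(text)[0] >= QUARANTINE_THRESHOLD else "allow"


# Constructed sample: unknown relay host on port 443, full drive, clipboard and
# smart-card redirection, and RemoteApp mode so the server chooses the program.
MALICIOUS_RDP = "\ufeff" + "\n".join([
    "full address:s:rdp-update.example-relay.test:443",
    "drivestoredirect:s:*",
    "redirectclipboard:i:1",
    "redirectsmartcards:i:1",
    "remoteapplicationmode:i:1",
    "remoteapplicationprogram:s:||Update",
])

# Constructed sample: an ordinary connection to an approved internal host.
BENIGN_RDP = "full address:s:ts01.corp.example\nredirectclipboard:i:1\n"

if __name__ == "__main__":
    for name, sample in (("malicious", MALICIOUS_RDP), ("benign", BENIGN_RDP)):
        score, findings = assess(sample)
        print(f"{name}: score={score} verdict={verdict(sample)}")
        for f in findings:
            print("  -", f)
```

The scoring deliberately weights resource redirection above the destination check alone, because a file that points at an unapproved host but redirects nothing is far less harmful than one that hands the server every local drive. Blocking `.rdp` attachments outright at the gateway remains the simpler control; this scanner is for environments that must still let legitimate configuration files through.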
The campaign serves as a reminder of the evolving nature of cyber threats and the importance of maintaining robust security protocols against sophisticated state-sponsored actors.