Wednesday, December 18, 2024
HomeCyber Security NewsEarth Koshchei Employs RDP Relay, Rogue RDP server in Server Attacks

Earth Koshchei Employs RDP Relay, Rogue RDP server in Server Attacks

Published on

SIEM as a Service

 A new cyber campaign by the advanced persistent threat (APT) group Earth Koshchei has brought rogue Remote Desktop Protocol (RDP) attacks to the forefront of cybersecurity concerns.

Leveraging a combination of RDP relays, rogue RDP servers, and custom malicious configuration files, this campaign has targeted high-profile organizations, posing a serious threat to global cybersecurity.

The Rogue RDP Methodology

The rogue RDP technique, initially described by Black Hills Information Security in 2022, involves leveraging RDP relays and malicious RDP configuration files to compromise targets.

- Advertisement - SIEM as a Service

By presenting seemingly legitimate configuration files via spear-phishing emails, Earth Koshchei redirected victims’ machines to attacker-controlled RDP servers through 193 configured relays.

Free Webinar on Best Practices for API vulnerability & Penetration Testing:  Free Registration

Victims are unknowingly granted partial control of their systems, enabling attackers to exfiltrate sensitive data, alter system settings, and deploy malicious tools.

Notably, this attack requires no malware installation, relying instead on exploiting native RDP features, making it a stealthy “living off the land” operation.

RDP Connection
RDP Connection

One malicious RDP configuration file redirected users to a server named eu-south-2-aws[.]zero-trust[.]solutions—a hostname mimicking an Amazon Web Services (AWS) server.

Once connected, the servers executed a misleading application called AWS Secure Storage Connection Stability Test v24091285697854, granting attackers access to local drives, clipboards, and peripheral devices.

Earth Koshchei’s rogue RDP campaign reached a peak on October 22, 2024, targeting governments, military organizations, think tanks, and academic researchers.

Setup of the RDP attack method
Setup of the RDP attack method

The attack leveraged over 193 proxy domains and 34 rogue RDP backend servers, many of which mimicked legitimate organizations to deceive victims. Targets included Ukrainian institutions and entities connected to the Australian and Dutch governments.

Preparations for the campaign began as early as August 7, 2024, with the registration of domain names resembling legitimate organizations.

 These domains were used to mask malicious activity and funnel traffic to rogue servers. The campaign culminated in a massive spear-phishing email wave, but earlier smaller campaigns provided a testbed for the methodology.

Schema of how Earth Koshchei controls their infrastructure
Schema of how Earth Koshchei controls their infrastructure

Between October 18 and 21, Earth Koshchei reportedly used their infrastructure for data exfiltration targeting military entities and a cloud services provider.

Sophisticated Infrastructure and Anonymization

Earth Koshchei demonstrated an advanced operational setup, involving anonymization techniques like virtual private networks (VPNs), residential proxies, and TOR.

By routing operations through these services, the attackers bypassed IP-based detection mechanisms, masking their activities under layers of legitimate traffic.

The malicious emails were sent from five compromised legitimate mail servers, accessed via residential proxies and commercial VPNs. Approximately 90 unique IP addresses, including TOR exit nodes, were traced back to the email campaigns.

Each of the 193 proxy domains acted as a conduit to conceal 34 backend rogue RDP servers, which were used to intercept and manipulate RDP sessions.

Figure 3 in the analysis illustrated how attackers maintained control over their infrastructure using SSH, TOR, and peer-to-peer VPNs.

Microsoft and Amazon attributed the campaign to Midnight Blizzard (APT29), which aligns with Trend Micro’s tracking of Earth Koshchei.

The group, allegedly linked to Russia’s Foreign Intelligence Service (SVR), has a history of targeting Western governments, military organizations, and critical industries for espionage purposes.

Their flexible tactics, techniques, and procedures (TTPs), including brute force attacks, watering hole techniques, and spear-phishing, have been honed over years of cyber operations.

The scale of this RDP campaign—impacting over 200 high-profile targets in a single day—underscores the growing sophistication of cyber espionage tactics.

  1. Restrict RDP Access: Organizations must enforce strict controls on RDP usage, including restricting access to trusted IP ranges and disabling unused RDP services.
  2. Monitor Configuration Files: Any inbound RDP configuration files should be rigorously analyzed for malicious parameters.
  3. Enhance Email Security: Advanced spear-phishing attempts highlight the critical need for robust email filtering, user training, and threat intelligence integration.
  4. Adopt Network Segmentation: Segmentation can mitigate risk by limiting attacker lateral movement in case of compromise.
  5. Deploy Threat Intelligence: Insights into adversary techniques like anonymization layers can help to proactively block malicious activity.

The Earth Koshchei campaign exemplifies the dire consequences of lapses in cybersecurity, urging organizations to stay vigilant against rapidly evolving APT methods.

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

New VIPKeyLogger Via Weaponized Office Documenrs Steals Login Credentials

The VIPKeyLogger infostealer, exhibiting similarities to the Snake Keylogger, is actively circulating through phishing...

INTERPOL Urges to End ‘Pig Butchering’ & Replaces With “Romance Baiting”

INTERPOL has called for the term "romance baiting" to replace "pig butchering," a phrase...

New I2PRAT Malware Using encrypted peer-to-peer communication to Evade Detections

Cybersecurity experts are sounding the alarm over a new strain of malware dubbed "I2PRAT,"...

Careto – A legendary Threat Group Targets Windows By Deploy Microphone Recorder And Steal Files

Recent research has linked a series of cyberattacks to The Mask group, as one...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

New VIPKeyLogger Via Weaponized Office Documenrs Steals Login Credentials

The VIPKeyLogger infostealer, exhibiting similarities to the Snake Keylogger, is actively circulating through phishing...

INTERPOL Urges to End ‘Pig Butchering’ & Replaces With “Romance Baiting”

INTERPOL has called for the term "romance baiting" to replace "pig butchering," a phrase...

New I2PRAT Malware Using encrypted peer-to-peer communication to Evade Detections

Cybersecurity experts are sounding the alarm over a new strain of malware dubbed "I2PRAT,"...