Earth Koshchei Coopts Red Team Tools in Complex RDP Attacks
Summary:
Earth Koshchei (APT29/Midnight Blizzard) conducted a large-scale rogue RDP campaign in October 2024, targeting governments, militaries, think tanks, academic researchers, and Ukrainian entities. The group sent spear-phishing emails carrying malicious RDP configuration (.rdp) files whose connection target pointed at one of 193 attacker-controlled RDP relays, which forwarded each victim session to a rogue backend server. The methodology was adapted from a 2022 Black Hills Information Security blog post describing the technique for red teaming, and it relied on PyRDP, an open-source RDP man-in-the-middle tool, to intercept and control the hijacked sessions. Because the .rdp files enabled local resource redirection, a victim who accepted the connection exposed their drives, clipboard, printers, smart cards and other local resources to the rogue server; the attackers could then crawl redirected drives, interact with those resources and launch disguised RemoteApp programs, exfiltrating data without dropping any malware on the endpoint.
Between August and October 2024, Earth Koshchei prepared the campaign by registering over 200 domains and standing up 34 rogue backend servers, masking their operations behind TOR, commercial VPNs, and residential proxy services. The campaign peaked on October 22, when spear-phishing emails were sent in large volume to high-profile targets. Earlier, narrower waves focused on data exfiltration from military and cloud organizations, showing a layered approach that escalated from targeted to broad. Notably, the phishing emails were relayed through compromised legitimate email servers, and some connection targets used non-standard ports, both of which help evade perimeter controls that only watch for mail from unknown senders or outbound TCP/3389, particularly in environments with lax outbound RDP controls.
Security Officer Comments:
Attribution to Earth Koshchei is made with medium confidence based on overlap with the group's typical TTPs, such as heavy use of anonymization layers and carefully staged infrastructure. Assessed to be SVR-sponsored, Earth Koshchei remains focused on long-term espionage against Western and allied organizations. Its willingness to repurpose published red team tooling and techniques, rather than develop custom malware, underscores both its sophistication and its resourcefulness.
Suggested Corrections:
IOCs:
https://www.trendmicro.com/content/...24/l/earth-koshchei/IOClist-EarthKoshchei.txt
Earth Koshchei makes extensive use of anonymization layers such as TOR, VPN and residential proxy services. These layers make attribution much harder, though not impossible in every case. Actors like Earth Koshchei can be expected to continue mounting well-prepared, innovative attacks against the same target set. The rogue RDP campaign was unusual in scale for the amount of infrastructure involved, and the social engineering of targets was clearly prepared in advance.
Organizations that do not yet block outbound RDP connections to untrusted servers should do so as soon as possible; because some of the rogue relays listened on non-standard ports, a rule that only blocks outbound TCP/3389 is not sufficient, and egress filtering should default-deny unknown destinations. Mail gateways should block or quarantine .rdp attachments, which have little legitimate reason to arrive by email. On Windows endpoints, the Remote Desktop Connection Client group policies "Allow .rdp files from unknown publishers" and "Specify SHA1 thumbprints of certificates representing trusted .rdp publishers" can be used to stop unsigned or untrusted .rdp files from launching, and mstsc.exe executions whose argument is an .rdp file from an email or browser download location are worth alerting on. The IOC list below can be used to check proxy, DNS and firewall logs for past connections to the relay infrastructure.
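The data-theft primitive in the summary above and the mail-gateway control recommended here both come down to what an .rdp file asks the client to do: connect to an outside host and hand it local resources. The following triage script is an added example written for this page, not code from Trend Micro or from the campaign; it parses the "key:type:value" lines of an .rdp file and flags the settings a rogue-RDP lure depends on (an untrusted or non-standard-port target, drive, clipboard, smart card and other redirection, RemoteApp or alternate-shell launch, and suppressed certificate checks). The trusted host list, the two sample files and the host names in them are constructed for illustration.

```python
"""Triage .rdp attachments for the rogue-RDP pattern: a connection to an
untrusted host combined with local-resource redirection or program launch.
Added example for this brief; not the campaign's files or any vendor's code."""
import re

# Integer directives whose value "1" hands a local resource to the server.
# Constructed list; extend to match local policy.
REDIRECT_FLAGS = {
    "redirectdrives": "local drives mapped into the session",
    "redirectclipboard": "clipboard shared with the server",
    "redirectprinters": "printers shared with the server",
    "redirectsmartcards": "smart cards / Windows Hello shared with the server",
    "redirectcomports": "COM ports shared with the server",
    "redirectwebauthn": "WebAuthn authenticators shared with the server",
}

# String directives that, when non-empty, expose resources or run a program.
STRING_FLAGS = {
    "drivestoredirect": "explicit drive list redirected",
    "devicestoredirect": "explicit device list redirected",
    "remoteapplicationprogram": "RemoteApp program launched on connect",
    "alternate shell": "alternate shell launched on connect",
}


def parse_rdp(text):
    """Parse 'key:type:value' lines into a dict keyed by lower-case name.
    Malformed lines are skipped, as the RDP client itself ignores them."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)          # value may itself contain ':'
        if len(parts) != 3 or parts[1] not in ("s", "i", "b"):
            continue
        cfg[parts[0].strip().lower()] = parts[2].strip()
    return cfg


def split_host_port(addr):
    """'host', 'host:port' or '[v6]:port' -> (host, port); default port 3389."""
    m = re.fullmatch(r"\[(.+)\]:(\d+)", addr) or re.fullmatch(r"([^:]+):(\d+)", addr)
    if m:
        return m.group(1).lower(), int(m.group(2))
    return addr.strip("[]").lower(), 3389


def assess(text, trusted_hosts):
    """Return a list of human-readable findings; an empty list means the
    file shows none of the rogue-RDP indicators checked here."""
    cfg = parse_rdp(text)
    findings = []

    host, port = split_host_port(cfg.get("full address", ""))
    if not host:
        findings.append("no 'full address' directive (file is incomplete)")
    elif host not in trusted_hosts:
        findings.append(f"connects to untrusted host {host}")
    if port != 3389:
        findings.append(f"non-standard RDP port {port}")

    gateway = cfg.get("gatewayhostname", "").lower()
    if gateway and gateway not in trusted_hosts:
        findings.append(f"untrusted RD Gateway {gateway}")

    for key, why in REDIRECT_FLAGS.items():
        if cfg.get(key) == "1":
            findings.append(f"{key}=1: {why}")
    for key, why in STRING_FLAGS.items():
        if cfg.get(key):
            findings.append(f"{key}={cfg[key]!r}: {why}")

    if cfg.get("remoteapplicationmode") == "1":
        findings.append("remoteapplicationmode=1: session shows only a server-chosen app")
    if cfg.get("authentication level") == "0":
        findings.append("authentication level=0: server certificate warnings suppressed")
    return findings


# Constructed samples: a lure in the style described in the brief, and a
# benign file pointing at an internal jump host. Host names are invented.
ROGUE_RDP = """\
screen mode id:i:2
full address:s:relay.example:443
redirectdrives:i:1
redirectclipboard:i:1
redirectsmartcards:i:1
drivestoredirect:s:*
remoteapplicationmode:i:1
remoteapplicationprogram:s:||Storage Connection Test
authentication level:i:0
prompt for credentials:i:0
"""

BENIGN_RDP = """\
full address:s:jump.corp.example
authentication level:i:2
redirectclipboard:i:0
"""

TRUSTED = {"jump.corp.example"}

if __name__ == "__main__":
    for name, sample in (("rogue", ROGUE_RDP), ("benign", BENIGN_RDP)):
        hits = assess(sample, TRUSTED)
        print(f"{name}: {'BLOCK' if hits else 'allow'}")
        for h in hits:
            print("  -", h)
```

Wired into a mail-gateway or sandbox pipeline, any non-empty finding list on an inbound .rdp attachment is grounds to quarantine; the same checks applied to .rdp files found on disk (for example under a user's Downloads or the Outlook temporary folder) give a quick post-incident triage of whether a lure was opened.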
Link(s):
https://www.trendmicro.com/en_us/research/24/l/earth-koshchei.html