
Earth Koshchei Coopts Red Team Tools in Complex RDP Attacks

· Published 17/12/2024 16:20 · Modified 17/12/2024 16:51


Essential information

Tags
2024-12-17, apt29, data exfiltration, midnight blizzard, python remote desktop protocol mitm tool (pyrdp), roguerdp, spear-phishing, tor exit nodes
Related entities
200 observables, 1 intrusion set (APT), 13 techniques (MITRE), 9 others

Description

Earth Koshchei, an APT group suspected of being sponsored by Russia's Foreign Intelligence Service (SVR) and overlapping with the activity tracked as APT29 and Midnight Blizzard, ran a large-scale rogue RDP campaign against high-profile targets. The operation combined spear-phishing emails, repurposed red team tooling and layered anonymization. Victims received malicious RDP configuration (.rdp) files that pointed their RDP client at attacker infrastructure: an RDP relay built on the open-source MITM tool PyRDP, sitting in front of rogue RDP backend servers, which lets the operator intercept the session, leak data from the victim's machine and use the connection to install malware. Between August and October the group registered more than 200 domain names and stood up 193 RDP relays and 34 rogue RDP backend servers. To hide the origin of the operation it layered VPN services, TOR exit nodes and residential proxies in front of that infrastructure. Activity peaked on October 22, with targets including governments, armed forces, think tanks, academic researchers and Ukrainian entities.
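As an added example (not code from the original report), the following Python script triages an .rdp configuration file of the kind delivered in this campaign and flags the settings that hand local resources to the remote side. The file format (one "key:type:value" setting per line, with s/i/b types) and the option names are standard RDP client settings; the page does not state which options Earth Koshchei's files used, so the checks reflect general RDP knowledge rather than this campaign's exact files. The trusted-host suffix and both sample files are constructed for illustration.

```python
"""Triage an .rdp attachment: which settings expose the local host to the remote server?"""

from __future__ import annotations

# Hypothetical allowlist: hosts an organisation considers legitimate RDP targets.
TRUSTED_HOST_SUFFIXES = (".corp.example",)


def parse_rdp(text: str) -> dict[str, str]:
    """Parse 'key:type:value' lines into {key: value}.

    The type letter (s=string, i=integer, b=binary) is dropped; the value may
    itself contain colons (e.g. 'full address:s:host:443'), hence maxsplit=2.
    Keys are lower-cased so lookups are case-insensitive.
    """
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue  # not a setting line; ignore silently
        key, _type, value = parts
        settings[key.strip().lower()] = value.strip()
    return settings


def _host(full_address: str) -> str:
    """Strip the optional port from 'host', 'host:port' or '[ipv6]:port'."""
    if full_address.startswith("["):
        return full_address[1:full_address.find("]")].lower()
    return full_address.split(":", 1)[0].lower()


def triage_rdp(text: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing risky was set."""
    s = parse_rdp(text)
    findings: list[str] = []

    host = _host(s.get("full address", ""))
    if host and not host.endswith(TRUSTED_HOST_SUFFIXES):
        findings.append(f"connects to untrusted host {host}")

    # Drive redirection mounts local drives as \\tsclient\<drive> on the remote
    # side, so a rogue server (or a MITM relay in front of it) can read them.
    drives = s.get("drivestoredirect", "")
    if drives:
        findings.append(f"local drives redirected: {drives}")

    for key, label in (
        ("redirectclipboard", "clipboard"),
        ("redirectprinters", "printers"),
        ("redirectsmartcards", "smart cards"),
        ("redirectcomports", "COM ports"),
    ):
        if s.get(key) == "1":
            findings.append(f"{label} redirected")

    if s.get("devicestoredirect") or s.get("usbdevicestoredirect"):
        findings.append("PnP/USB devices redirected")

    # RemoteApp mode makes the server launch a program of its choosing on connect.
    if s.get("remoteapplicationmode") == "1":
        prog = s.get("remoteapplicationprogram", "?")
        findings.append(f"RemoteApp mode: server-side program {prog} launched on connect")

    # Enterprise-issued .rdp files are usually signed with rdpsign; note its absence
    # only when something else already looks wrong.
    if findings and "signature" not in s:
        findings.append("file carries no rdpsign signature")
    return findings


# Constructed sample files (not real campaign artefacts).
BENIGN_RDP = """screen mode id:i:2
full address:s:jump01.corp.example
redirectclipboard:i:0
drivestoredirect:s:
"""

SUSPICIOUS_RDP = """screen mode id:i:2
full address:s:rdp.vpn-gateway-example.test:443
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
devicestoredirect:s:*
remoteapplicationmode:i:1
remoteapplicationprogram:s:||Setup
remoteapplicationname:s:Setup
"""

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_RDP), ("suspicious", SUSPICIOUS_RDP)):
        print(f"[{name}]")
        for finding in triage_rdp(sample) or ["no risky settings"]:
            print("  -", finding)
```

Run it on attachments pulled from a mail gateway quarantine; any file that both targets a host outside the allowlist and redirects drives or enables RemoteApp deserves the same handling as an executable attachment, because once the client connects, the remote side controls what it reads from the redirected resources and what it launches.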

External references