Earth Koshchei executed a sophisticated RDP attack involving spear-phishing emails that carried malicious RDP configuration files; these files redirected victims’ systems to 193 RDP relays, with the attackers masking their traffic behind VPNs, TOR, and residential proxies.
The group leveraged red team techniques to compromise targets and potentially exfiltrate sensitive data; the attack’s scale, preparation, and use of advanced evasion tactics highlight the increasing sophistication of cyber threats.
It used a malicious RDP configuration file to redirect victims’ connections to attacker-controlled servers, which were disguised as a legitimate AWS connection and exploited vulnerabilities in the RDP protocol.
The attack leveraged a man-in-the-middle (MITM) proxy to intercept and redirect victim traffic, gaining unauthorized access to their systems.
Once connected, attackers executed malicious scripts, stole sensitive data, and compromised the victim’s environment, highlighting the risks of RDP attacks and the importance of robust security measures.
According to Trend Micro, attackers use malicious RDP configuration files to redirect victims to fraudulent servers disguised as legitimate applications.
PyRDP, a tool for interacting with RDP connections, automates data exfiltration by crawling redirected drives on the victim’s machine. The attack abuses RDP settings such as “full address” to control where the connection goes and “authentication level” to weaken security.
By suppressing security prompts and using stolen credentials (likely obtained through phishing), attackers gain unauthorized access and can steal sensitive data without installing malware directly on the victim’s system.
Earth Koshchei leverages multiple anonymization layers, including commercial VPNs, TOR, and residential proxies, to obscure its malicious activities, which renders traditional IP-based defenses ineffective.
By masking its traffic within legitimate user networks, the attacker can rapidly shift its operations across thousands of dynamic IP addresses.
The tactic was evident in recent campaigns like the RDP attacks, where Earth Koshchei exploited compromised email servers to distribute malicious payloads, using various residential proxy providers and commercial VPN services to conceal its identity.
Earth Koshchei is a known threat actor. It registered over 200 domain names between August and October 2024, which were used to set up rogue RDP servers for data exfiltration, primarily targeting government, military, and IT sectors in various countries; the most active period was between September 26 and October 20.
The actor’s use of residential proxies, TOR, and VPN services, along with its specific targeting and TTPs, strongly indicates its involvement in the campaign.
By targeting critical sectors with innovative techniques, it leverages red team toolkits, such as rogue RDP servers, to bypass defenses and maximize data exfiltration.
Recent large-scale spear-phishing campaigns indicate a shift in tactics, likely due to the declining effectiveness of stealthier methods. While anonymization layers hinder attribution, careful analysis can reveal their operations.
To mitigate risks, organizations should implement robust security measures, including blocking outbound RDP connections to untrusted servers and email-based RDP configuration file transfers.
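The settings singled out above (“full address”, “authentication level”, drive redirection) are exactly what a mail gateway or endpoint check can inspect before an .rdp attachment is opened. The following is an added example written for this page, not code from Trend Micro or the campaign; the trusted-host list, the `.example` hostnames and the sample file are constructed for illustration.

```python
"""Flag risky settings in an .rdp file such as one arriving as a mail attachment.
Added example, not from the Trend Micro report; host list and sample are constructed."""
import re

# Hosts to which RDP connections are expected (constructed placeholder).
TRUSTED_HOSTS = {"rds.corp.example"}

def parse_rdp(text):
    """Parse 'key:type:value' lines of an .rdp file into {key: (type, value)}."""
    settings = {}
    for line in text.splitlines():
        # Values may contain ':' themselves, so split into at most three parts.
        parts = line.strip().split(":", 2)
        if len(parts) == 3:
            key, vtype, value = (p.strip() for p in parts)
            settings[key.lower()] = (vtype, value)
    return settings

def assess_rdp(text, trusted_hosts=TRUSTED_HOSTS):
    """Return findings explaining why the file looks like a rogue-RDP lure (empty if clean)."""
    s = parse_rdp(text)
    value = lambda key: s.get(key, ("", ""))[1]
    findings = []
    host = value("full address")
    # Drop an optional :port suffix before comparing against the allow list.
    hostname = re.sub(r":\d+$", "", host).lower()
    if hostname and hostname not in trusted_hosts:
        findings.append(f"full address points to untrusted server {host!r}")
    if value("authentication level") == "0":
        findings.append("authentication level 0 suppresses the server identity warning")
    if value("drivestoredirect"):
        findings.append(f"local drives are redirected to the server ({value('drivestoredirect')})")
    if value("redirectclipboard") == "1":
        findings.append("clipboard is shared with the server")
    if value("remoteapplicationmode") == "1":
        findings.append("RemoteApp mode hides the remote desktop behind a single app window")
    return findings

# Constructed sample resembling the lure described in the text (not a real indicator).
SAMPLE_RDP = """\
full address:s:aws-secure-gateway.example:3389
authentication level:i:0
drivestoredirect:s:*
redirectclipboard:i:1
remoteapplicationmode:i:1
"""

if __name__ == "__main__":
    for finding in assess_rdp(SAMPLE_RDP):
        print("-", finding)
```

A file with no findings is not proven safe; the check only catches the settings combination this campaign relied on, so it complements rather than replaces blocking outbound RDP to untrusted servers.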