In October 2024, the Russia-linked cyber espionage group APT29 (aka Earth Koshchei, SVR group, Cozy Bear, Nobelium, BlueBravo, Midnight Blizzard, and The Dukes) used rogue RDP attacks via phishing emails targeting governments, think tanks, and Ukrainian entities to steal data and install malware.
The group was spotted using tools typically associated with red teams, repurposed for espionage and data exfiltration.
The threat actors used spear-phishing emails to trick recipients into using a rogue RDP configuration file, causing their machines to connect to one of the 193 RDP relays operated by the APT.
The campaign employing the attack technique was previously reported by Black Hills Information Security in 2022.
“The attack technique is called “rogue RDP”, which involves an RDP relay, a rogue RDP server, and a malicious RDP configuration file. A victim of this technique would give partial control of their machine to the attacker, potentially leading to data leakage and malware installation.” reads the report published by Trend Micro. “Earth Koshchei’s rogue RDP campaign reached its peak on October 22, when spear-phishing emails were sent to governments and armed forces, think tanks, academic researchers and Ukrainian targets.”
Some targets lacked RDP connection restrictions, enabling rogue RDP attacks. Attackers used non-standard RDP relay ports to bypass firewalls, with targeted campaigns peaking in a major spear-phishing wave on October 22.
Trend Micro suggests the campaign preparation began on August 7-8, with domains registered targeting entities linked to the Australian and Ukrainian governments.
The last domain, registered on October 20, was apparently meant to target an organization with a link to the Netherlands’ Ministry of Foreign Affairs. In between, almost 200 domain names were registered, many of which suggest the target the adversaries had in mind.
An analyzed RDP file sent to a European academic researcher connected to a rogue server controlled by Earth Koshchei, enabling data exfiltration via redirected resources. Attackers used a configuration file that redirects all local drives, printers, COM ports, smart cards, and the clipboard, giving the remote host access to the victim’s local machine. Upon establishing a successful connection, it executes a remote application called AWS Secure Storage Connection Stability Test v24091285697854.
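As an added defensive example (not code from the Trend Micro report or this article), the following Python helper parses an .rdp file and flags the settings the article describes: wholesale redirection of local resources, RemoteApp launch on connect, and a non-default port in the target address. The sample file, relay hostname and application name are constructed.

```python
"""Triage helper: flag risky settings in a Microsoft .rdp connection file."""
from typing import Callable, Dict, List

# Real mstsc setting names; the predicate returns True when the value is risky.
RISKY: Dict[str, Callable[[str], bool]] = {
    "drivestoredirect": lambda v: v != "",    # "*" redirects every local drive
    "redirectclipboard": lambda v: v == "1",
    "redirectprinters": lambda v: v == "1",
    "redirectcomports": lambda v: v == "1",
    "redirectsmartcards": lambda v: v == "1",
    "remoteapplicationmode": lambda v: v == "1",  # launches a RemoteApp on connect
}

def parse_rdp(text: str) -> Dict[str, str]:
    """Parse 'name:type:value' lines into {name: value}; type is s, i or b."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue  # skip malformed lines instead of aborting the triage
        name, _type, value = parts
        settings[name.strip().lower()] = value.strip()
    return settings

def connection_port(settings: Dict[str, str]) -> int:
    """Port from 'full address' (host:port or [v6]:port); 3389 when absent."""
    _host, sep, port = settings.get("full address", "").rpartition(":")
    return int(port) if sep and port.isdigit() else 3389

def risky_settings(settings: Dict[str, str]) -> List[str]:
    """Names of settings whose values match a risky predicate, sorted."""
    return sorted(k for k, bad in RISKY.items() if k in settings and bad(settings[k]))

def triage(text: str) -> dict:
    """Summarise one .rdp file for an analyst or a mail-gateway rule."""
    s = parse_rdp(text)
    return {"port": connection_port(s), "risky": risky_settings(s),
            "remoteapp": s.get("remoteapplicationname", "")}

# Constructed sample mirroring the redirections the article describes.
SAMPLE = """full address:s:relay.example.invalid:8443
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectcomports:i:1
redirectsmartcards:i:1
remoteapplicationmode:i:1
remoteapplicationname:s:Storage Connection Test
"""
```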
The attack technique employed in the campaign was described in 2022 by Mike Felch; it involves the use of a MITM proxy and the PyRDP tool to minimize suspicion and reduce user interaction during a rogue RDP attack.
The RDP attack uses a spear-phishing .RDP file, where PyRDP acts as a MITM proxy, redirecting the connection to a rogue server. This gives attackers control to deploy malicious scripts, access files, and exfiltrate data.
“The PyRDP proxy ensures that any data stolen or commands executed are funneled back to the attacker without alerting the victim. Tools like RogueRDP further enhance the attacker’s capabilities by automating the creation of convincing RDP files, enticing users to initiate compromised sessions.” continues the report. “This method not only demonstrates the danger of MITM attacks in RDP environments but also emphasizes the critical need for security measures within organizations.”
The group heavily used anonymization layers like commercial VPN services, TOR and residential proxy service providers. APT29 used TOR exit nodes, 200+ VPS IPs, and 34 rogue RDP servers in the campaign, sending spear-phishing emails via compromised mail servers using proxies and VPNs.
“We think that before the massive spear-phishing campaign on October 22, Earth Koshchei had more stealthy campaigns. This is evidenced by traces of data exfiltration through some of their RDP relays. The campaigns probably became less effective over time, so Earth Koshchei did one last scattergun campaign where most of the attacker infrastructure got burned.” concludes the report. “This makes them a dangerous adversary that will use different methodologies to reach their goals.”