APT group Earth Koshchei, suspected to be sponsored by the SVR, executed a large-scale rogue RDP campaign using spear-phishing emails, red team tools, and sophisticated anonymization techniques to target high-profile sectors.
Summary
> - Earth Koshchei’s rogue remote desktop protocol (RDP) campaign used an attack methodology involving an RDP relay, a rogue RDP server, and a malicious RDP configuration file, leading to potential data leakage and malware installation.
> - Earth Koshchei is known for constantly innovating and using a variety of methods. In this campaign, they leveraged red team tools for espionage and data exfiltration.
> - The spear-phishing emails used in Earth Koshchei’s campaign were designed to deceive recipients into opening a rogue RDP configuration file, causing their machines to connect to one of the group’s 193 RDP relays.
> - Earth Koshchei’s campaign showed significant preparation, with more than 200 domain names registered between August and October of this year.
> - The group used anonymization layers such as commercial VPN services, TOR, and residential proxies to mask their operations, enhance their stealthiness, and complicate attribution efforts.
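The data-leakage risk in the summary comes from what a `.rdp` file is allowed to ask for: once the victim opens the file, the client will map local drives, the clipboard, printers and smart cards into a session controlled by whoever runs the server named in `full address`. The following triage script is an added example, not code from the original article or from the threat actor's tooling. It parses a `.rdp` file using the standard mstsc setting names and flags the redirection and RemoteApp settings a rogue server would need, together with a target host that is not on an allow list. The file contents, the hostnames and the allow list are constructed for illustration.

```python
"""Triage a .rdp file: which client resources does it hand to the server,
and is that server one we recognise?  Added example with constructed input."""
import codecs
from dataclasses import dataclass, field

# Standard mstsc .rdp keys whose listed values expose client-side resources
# to whatever server the file points at.
RISKY_SETTINGS = {
    "drivestoredirect":       (lambda v: v != "",  "local drives mapped into the session ('*' = all)"),
    "redirectclipboard":      (lambda v: v == "1", "clipboard shared with the server"),
    "redirectprinters":       (lambda v: v == "1", "printers redirected"),
    "redirectsmartcards":     (lambda v: v == "1", "smart cards redirected"),
    "redirectcomports":       (lambda v: v == "1", "COM ports redirected"),
    "remoteapplicationmode":  (lambda v: v == "1", "RemoteApp mode: one window, no foreign desktop shown"),
    "prompt for credentials": (lambda v: v == "0", "credential prompt suppressed"),
}


@dataclass
class RdpAssessment:
    target: str                                 # raw value of 'full address'
    host_allowed: bool                          # target host on the allow list?
    risky: dict = field(default_factory=dict)   # setting -> why it matters

    @property
    def is_suspicious(self) -> bool:
        # Redirection to a host we run is normal; redirection to an unknown host is not.
        return bool(self.risky) and not self.host_allowed


def decode_rdp(data: bytes) -> str:
    # mstsc saves .rdp files as UTF-16 with a BOM; hand-written ones are often ASCII.
    if data.startswith(codecs.BOM_UTF16_LE) or data.startswith(codecs.BOM_UTF16_BE):
        return data.decode("utf-16")
    return data.decode("utf-8", errors="replace")


def parse_rdp(text: str) -> dict:
    """Return {key: value} from lines of the form 'key:type:value'."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.count(":") < 2:
            continue
        key, _type, value = line.split(":", 2)   # value may itself contain ':'
        settings[key.strip().lower()] = value.strip()
    return settings


def target_host(full_address: str) -> str:
    """Strip an optional :port; bracketed IPv6 is handled, bare IPv6 is left as-is."""
    if full_address.startswith("[") and "]" in full_address:
        return full_address[1:full_address.index("]")]
    if full_address.count(":") == 1:
        return full_address.split(":")[0]
    return full_address


def assess_rdp(data: bytes, allowed_hosts: set) -> RdpAssessment:
    settings = parse_rdp(decode_rdp(data))
    target = settings.get("full address", "")
    allowed = target_host(target).lower() in {h.lower() for h in allowed_hosts}
    risky = {k: why for k, (is_risky, why) in RISKY_SETTINGS.items()
             if k in settings and is_risky(settings[k])}
    return RdpAssessment(target=target, host_allowed=allowed, risky=risky)


# Constructed sample resembling a lure file; the hostname is invented.
MALICIOUS_RDP = "\r\n".join([
    "screen mode id:i:2",
    "full address:s:rdp-gateway.example.invalid:3389",
    "drivestoredirect:s:*",
    "redirectclipboard:i:1",
    "redirectprinters:i:1",
    "redirectsmartcards:i:1",
    "remoteapplicationmode:i:1",
    "remoteapplicationprogram:s:||Notepad",
    "prompt for credentials:i:0",
]).encode("utf-16")          # BOM + UTF-16, as mstsc would write it

# Constructed benign file pointing at a (hypothetical) corporate host.
BENIGN_RDP = b"full address:s:corp-rdp.internal\r\ndrivestoredirect:s:\r\nredirectclipboard:i:0\r\n"

ALLOWED_HOSTS = {"corp-rdp.internal"}   # hypothetical allow list

if __name__ == "__main__":
    for name, blob in (("lure", MALICIOUS_RDP), ("benign", BENIGN_RDP)):
        a = assess_rdp(blob, ALLOWED_HOSTS)
        print(f"{name}: target={a.target!r} suspicious={a.is_suspicious}")
        for key, why in a.risky.items():
            print(f"  {key}: {why}")
```

The check deliberately keys on two things at once: the redirection settings alone are not evidence, since internal jump hosts legitimately use them, and an unknown host alone is not evidence either, since the same file without redirection can leak little more than a credential prompt. A mail gateway or EDR rule that applies this logic to `.rdp` attachments gets a useful first-pass signal; note that mstsc also honours settings from the registry and command line, so the file is only part of the picture.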