Earth Koshchei Coopts Red Team Tools in Complex RDP Attacks

Dec. 17, 2024, 4:51 p.m.

Description

Earth Koshchei, an APT group suspected of being sponsored by the Russian SVR, ran a large-scale rogue RDP campaign against high-profile sectors. Spear-phishing emails delivered malicious RDP configuration (.rdp) files; when a recipient opens one, the RDP client connects through an attacker-operated RDP relay to a rogue RDP backend server, exposing the victim's local resources to the attacker's infrastructure and giving it a path to leak data and install malware. The tooling was adapted from publicly available red team tools. Between August and October 2024 the group registered over 200 domain names and stood up 193 RDP relays and 34 rogue RDP backend servers, hiding the infrastructure behind layers of VPN services, Tor, and residential proxies. Activity peaked on October 22, with targets including governments, armed forces, think tanks, academic researchers, and Ukrainian entities.

Date

  • Created: Dec. 17, 2024, 4:20 p.m.
  • Published: Dec. 17, 2024, 4:20 p.m.
  • Modified: Dec. 17, 2024, 4:51 p.m.

Indicators

  • zero-trust.solutions
  • veeam.solutions
  • skykick.solutions
  • polycom.solutions
  • ncsc.solutions
  • macfound.services
  • justice.technology
  • exclaimer.solutions
  • crisisgroup.services
  • cepa.solutions
  • capgemini.services
  • caci.solutions
  • barracuda.solutions
  • aeinc.solutions
  • f357d26265a59e9c356be5a8ddb8d6533d1de222aae969c2ad4dc9c40863bfe8
  • f32fa0e3902a1f287280e2e6ddcbfe4fc0a47f1fa5ddb5e04a7651c51343621e
  • ba4d58f2c5903776fe47c92a0ec3297cc7b9c8fa16b3bf5f40b46242e7092b46
  • a246253fab152deac89b895a7c1bca76498b4aa044c907559c15109c1187a448
  • 648afcc709ac18c4fe235d24bf51a8230e9700b97c3dcc0a739816966f2b58b6
  • 8b45f5a173e8e18b0d5c544f9221d7a1759847c28e62a25210ad8265f07e96d5
  • 50bed47064e4ecd01c4a9271e63af7cfdf52ea4096f205470e41eef7eb01c1e1
  • 36e45fdeba3fdb3708fb1c2602c30cb5b66fbc5ea790f0716390d9f69c363542
  • 2fb1d01f9859c676ef37b060c5e8db0a12472c96260114a6edee45d8546184c9
  • 280fbf353fdffefc5a0af40c706377142fff718c7b87bc8b0daab10849f388d0
  • 1c1941b40718bf31ce190588beef9d941e217e6f64bd871f7aee921099a9d881
  • eu-south-2-aws.zero-trust.solutions
  • 95.217.113.133
  • 93.188.164.74
  • 95.156.207.121
  • 93.188.163.16
  • 92.204.164.50
  • 89.46.234.93
  • 89.46.234.152
  • 89.46.234.115
  • 89.35.131.153
  • 84.32.188.200
  • 84.32.188.193
  • 84.32.188.197
  • 84.32.188.153
  • 82.180.139.47
  • 84.32.188.148
  • 81.17.31.106
  • 80.87.206.241
  • 66.206.13.130
  • 62.72.7.213
  • 5.187.49.186
  • 5.183.95.240
  • 5.183.95.158
  • 5.133.9.252
  • 46.30.189.91
  • 46.30.189.62
  • 46.30.188.187
  • 46.249.38.131
  • 45.86.162.170
  • 46.19.141.186
  • 45.82.66.39
  • 45.80.193.9
  • 45.67.85.40
  • 45.67.84.14
  • 45.141.58.60
  • 45.41.187.233
  • 45.141.58.59
  • 45.137.213.17
  • 45.137.21.11
  • 45.137.21.10
  • 45.134.111.126
  • 45.134.111.123
  • 45.134.110.83
  • 45.134.110.78
  • 45.134.110.82
  • 45.134.110.55
  • 45.11.231.8
  • 45.11.230.60
  • 45.11.231.9
  • 45.11.230.155
  • 45.11.230.144
  • 45.11.230.111
  • 45.11.230.105
  • 38.180.91.2
  • 38.180.90.36
  • 38.180.83.103
  • 38.180.83.120
  • 38.180.88.106
  • 38.180.230.79
  • 38.180.81.168
  • 38.180.5.60
  • 38.180.199.28
  • 38.180.146.32
  • 38.180.146.30
  • 38.180.146.29
  • 38.180.146.230
  • 38.180.146.28
  • 38.180.146.210
  • 38.180.146.216
  • 38.180.146.193
  • 38.180.137.213
  • 38.180.146.178
  • 38.180.136.93
  • 38.180.110.238
  • 37.28.157.246
  • 37.28.153.214
  • 37.1.196.172
  • 23.227.194.189
  • 23.160.56.95
  • 23.160.56.90
  • 23.160.56.123
  • 23.160.56.122
  • 23.160.56.115
  • 23.160.56.110
  • 23.160.56.105
  • 212.1.213.200
  • 23.160.56.100
  • 212.1.213.198
  • 209.182.225.10
  • 2.58.203.61
  • 2.58.201.27
  • 2.58.201.112
  • 2.58.200.80
  • 2.58.200.79
  • 2.58.200.78
  • 2.58.14.80
  • 198.50.106.141
  • 198.50.106.140
  • 195.3.220.48
  • 194.37.97.189
  • 193.29.59.9
  • 193.29.56.221
  • 193.200.17.162
  • 192.36.57.107
  • 192.36.27.226
  • 192.121.23.126
  • 190.211.254.32
  • 188.214.33.222
  • 185.76.79.86
  • 185.76.79.62
  • 185.76.79.60
  • 185.76.79.59
  • 185.76.79.53
  • 185.76.79.244
  • 185.76.79.233
  • 185.76.79.190
  • 185.76.79.229
  • 185.76.79.178
  • 185.76.79.167
  • 185.76.79.16
  • 185.76.79.140
  • 185.76.79.130
  • 185.76.79.118
  • 185.243.115.124
  • 185.243.114.9
  • 185.243.112.24
  • 185.216.72.196
  • 185.216.72.192
  • 185.216.72.185
  • 185.216.72.182
  • 185.187.155.81
  • 185.187.155.79
  • 185.187.155.78
  • 185.187.155.74
  • 185.187.155.73
  • 185.187.155.72
  • 185.187.155.71
  • 185.187.155.69
  • 185.187.155.33
  • 185.177.126.225
  • 185.172.39.52
  • 185.172.39.51
  • 185.172.39.50
  • 185.172.39.230
  • 185.172.39.220
  • 185.100.234.105
  • 179.43.180.74
  • 179.43.163.18
  • 179.43.148.82
  • 178.255.43.30
  • 178.239.171.41
  • 178.162.203.91
  • 176.97.70.55
  • 175.110.114.9
  • 175.110.112.221
  • 172.96.137.125
  • 172.86.73.187
  • 172.86.70.64
  • 166.0.187.252
  • 166.0.187.245
  • 166.0.187.243
  • 166.0.187.242
  • 166.0.187.241
  • 166.0.187.240
  • 166.0.187.237
  • 166.0.187.236
  • 166.0.187.235
  • 166.0.187.233
  • 166.0.187.231
  • 166.0.187.199
  • 166.0.187.183
  • 162.252.175.233
  • 162.252.172.59
  • 162.252.172.223
  • 162.252.172.167
  • 162.252.172.158
  • 162.252.172.109
  • 162.252.172.155
  • 162.216.243.210
  • 158.255.213.49
  • 158.255.213.227
  • 158.255.213.192
  • 158.255.213.185
  • 158.255.213.168
  • 155.138.238.169
  • 158.255.213.154
  • 151.236.22.36
  • 151.236.22.149
  • 151.236.16.98
  • 151.236.16.38
  • 151.236.16.245
  • 151.236.16.24
  • 151.236.16.236
  • 151.236.16.226
  • 151.236.16.220
  • 151.236.16.22
  • 151.236.16.213
  • 151.236.16.193
  • 151.236.16.149
  • 151.236.16.138
  • 151.236.16.128
  • 151.236.16.102
  • 151.236.16.101
  • 151.236.15.134
  • 151.236.14.116
  • 149.28.9.18
  • 149.154.158.85
  • 149.154.158.63
  • 149.154.158.250
  • 149.154.158.205
  • 149.154.158.133
  • 146.71.81.13
  • 142.91.38.80
  • 141.195.117.128
  • 141.195.117.129
  • 141.195.117.127
  • 141.195.117.126
  • 141.195.117.125
  • 135.181.130.232
  • 109.205.214.52
  • 109.205.214.50
  • 109.205.214.45
  • 104.36.229.110
  • 104.238.60.216
  • 104.225.129.128
  • 104.238.57.40
  • 103.144.139.74
  • 104.161.58.10
  • 103.144.139.73
  • 103.144.139.253
  • 103.144.139.254
  • zoommeeting.zone
  • zoommeeting.today
  • zoom-meetings.cloud
  • zoom-meeting.today
  • zoom-meeting.pro
  • zoom-meeting.live
  • zoom-meeting.cloud
  • zixcorp.cloud
  • wrapsnet.cloud
  • wilsoncenter.cloud
  • usip.us
  • usaid.cloud
  • us-mil.cloud
  • us-army.cloud
  • ukrtelecom.cloud
  • ukrainesec.cloud
  • ua-sec.cloud
  • ua-mil.cloud
  • ua-energy.cloud
  • ua-aws.army
  • trustifi.cloud
  • symbolsecurity.cloud
  • swcloud.us
  • stratfor.cloud
  • statecloud.us
  • ssi-gouv-fr.cloud
  • softcat.cloud
  • sipacolumbia.us
  • shicloud.online
  • servicenowinc.us
  • saiccloud.us
  • s3-zoho.cloud
  • s3-us.navy
  • s3-ucia.cloud
  • s3-ua.cloud
  • s3-stig.cloud
  • s3-state.cloud
  • s3-spacex.cloud
  • s3-rand.cloud
  • s3-rackspace.cloud
  • s3-pt.cloud
  • s3-proofpoint.cloud
  • s3-nsa.cloud
  • s3-ned.cloud
  • s3-nato.cloud
  • s3-monitoring.cloud
  • s3-marcus.cloud
  • s3-knowbe4.cloud
  • s3-iri.cloud
  • s3-ida.cloud
  • s3-hudson.cloud
  • s3-fbi.cloud
  • s3-esa.cloud
  • s3-dnc.cloud
  • s3-dk.cloud
  • s3-dgap.cloud
  • s3-de.cloud
  • s3-csis.cloud
  • s3-cloud.us
  • s3-blackberry.cloud
  • s3-be.cloud
  • s3-bah.cloud
  • s3-aws.global
  • s3-aws.cloud
  • s3-atlassian.cloud
  • s3-army.cloud
  • s3-acronis.cloud
  • rubrik.zone
  • regeringskansliet-se.cloud
  • quirinale.cloud
  • pulsesecure.cloud
  • prio.zone
  • presidencia-pt.cloud
  • parseccomputer.cloud
  • opensocietyfoundations.cloud
  • oktacloud.us
  • nrcc.cloud
  • ncfta.cloud
  • mzv-sk.cloud
  • mzv-cz.cloud
  • mvep-hr.cloud
  • msconferences.cloud
  • ms-meetings.online
  • ms-meeting.online
  • ms-meeting.com
  • ms-conference.cloud
  • morh-hr.cloud
  • mod-gov-il.cloud
  • mod-cloud.uk
  • mimecast.cloud
  • mil-pt.cloud
  • mil-ee.cloud
  • mil-be.cloud
  • microsoftmeeting.cloud
  • microsoft-meeting.cloud
  • mfa-gov-tr.cloud
  • mfa-gov-il.cloud
  • mde-es.cloud
  • mapn-ro.cloud
  • mae-ro.cloud
  • kam-lt.cloud
  • heritagecloud.org
  • gv-at.cloud
  • govua.cloud
  • govtr.cloud
  • gov-trust.cloud
  • gov-pl.cloud
  • gov-lv.cloud
  • gov-lt.cloud
  • gov-gr.cloud
  • gov-fi.cloud
  • gov-aws.cloud
  • gov-au.cloud
  • gouv-fr.cloud
  • googlemeet.zone
  • google-meet.cloud
  • go-meeting.online
  • go-meeting.cloud
  • go-meet.pro
  • go-meet-up.com
  • go-jp.cloud
  • go-conference.cloud
  • gmfus.cloud
  • gc-cloud.ca
  • freedomhouse.cloud
  • forces-gc.cloud
  • europeanvalues.cloud
  • europa-eu.cloud
  • eopgov.cloud
  • ecfr.cloud
  • difesa-it.cloud
  • druva.cloud
  • dep-no.cloud
  • democracyendowment.cloud
  • defense-gouv.cloud
  • defence-au.cloud
  • cwinc.cloud
  • csbaonline.cloud
  • cnas.zone
  • clearancejobs.cloud
  • clari.cloud
  • citoc.cloud
  • cfr-aws.cloud
  • ceip.cloud
  • bund-de.cloud
  • brookings.cloud
  • backupify.cloud
  • awsplatform.online
  • awsmeetings.online
  • awsmeet.cloud
  • aws-ukraine.cloud
  • aws-online.cloud
  • aws-meet.cloud
  • aws-meetings.cloud
  • aws-join.cloud
  • aws-il.cloud
  • aws-data.cloud
  • asucloud.us
  • aspeninstitute.cloud
  • americanprogress.cloud
  • amazonmeeting.cloud
  • albrightstonebridge.cloud
  • admin-ch.cloud
  • 4freerussia.cloud
  • eu-north-1.regeringskansliet-se.cloud
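
As an added example that is not part of the original page, the script below takes a subset of the domains and IP addresses above and runs them over constructed DNS and connection log lines. Domains are matched on label boundaries, so subdomains of an indicator hit while look-alike names that merely contain it do not; the key=value log layout and the sample lines are assumptions made for the demonstration.

```python
# Added example, not code from the advisory. IOC_DOMAINS and IOC_IPS are a
# subset of the advisory's indicators; LOG_LINES and the key=value log
# format are constructed for the demonstration.
from __future__ import annotations

import ipaddress
import re

IOC_DOMAINS = {"zero-trust.solutions", "s3-aws.cloud", "gov-pl.cloud", "ms-meeting.com"}
IOC_IPS = {ipaddress.ip_address(a) for a in ("95.217.113.133", "38.180.91.2", "185.76.79.86")}

KV = re.compile(r"(\w+)=(\S+)")


def domain_matches(name: str) -> str | None:
    """Return the indicator that name equals or is a subdomain of, else None.
    Walking the label suffixes avoids the substring trap where
    'nots3-aws.cloud' would wrongly match 's3-aws.cloud'."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


def ip_matches(text: str) -> str | None:
    """Return the normalised IP if it is an indicator, else None."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return None
    return str(ip) if ip in IOC_IPS else None


def scan_line(line: str) -> dict[str, str | None] | None:
    """Match one log line against the indicators; None when nothing hits."""
    fields = dict(KV.findall(line))
    base = {"ts": line.split(" ", 1)[0], "client": fields.get("client")}
    if "query" in fields and (hit := domain_matches(fields["query"])):
        return {**base, "type": "domain", "observed": fields["query"], "indicator": hit}
    if "dst" in fields and (hit := ip_matches(fields["dst"])):
        return {**base, "type": "ip", "observed": fields["dst"], "indicator": hit,
                "dport": fields.get("dport")}
    return None


def scan(lines):
    return [hit for hit in map(scan_line, lines) if hit is not None]


# Constructed DNS and connection log lines in a simple key=value layout.
LOG_LINES = [
    "2024-10-22T09:14:02Z dns client=10.1.2.3 query=eu-south-2-aws.zero-trust.solutions",
    "2024-10-22T09:14:05Z dns client=10.1.2.3 query=login.microsoftonline.com",
    "2024-10-22T09:15:11Z conn client=10.1.2.3 dst=38.180.91.2 dport=3389 proto=tcp",
    "2024-10-22T09:16:40Z conn client=10.1.2.9 dst=8.8.8.8 dport=53 proto=udp",
    "2024-10-22T09:17:03Z dns client=10.1.2.7 query=nots3-aws.cloud",
    "2024-10-22T09:18:30Z dns client=10.1.2.7 query=MS-MEETING.COM.",
]

if __name__ == "__main__":
    for hit in scan(LOG_LINES):
        print(hit)
```

Three of the six constructed lines hit: the indicator subdomain, the outbound TCP/3389 connection to an indicator IP, and the trailing-dot, upper-case DNS query that a naive exact-string match would miss. The connection hit carrying dport 3389 is the one to escalate first, since it is the RDP session itself rather than a lookup that may never have been followed.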

Attack Patterns

  • Earth Koshchei
  • T1584.001 (Compromise Infrastructure: Domains)
  • T1583.001 (Acquire Infrastructure: Domains)
  • T1021.001 (Remote Services: Remote Desktop Protocol)
  • T1048 (Exfiltration Over Alternative Protocol)
  • T1571 (Non-Standard Port)
  • T1573 (Encrypted Channel)
  • T1102 (Web Service)
  • T1204 (User Execution)
  • T1566 (Phishing)
  • T1133 (External Remote Services)
  • T1090 (Proxy)
  • T1078 (Valid Accounts)
  • T1059 (Command and Scripting Interpreter)

Additional Information

  • Technology
  • Energy
  • Defense
  • Education
  • Telecommunications
  • Government
  • Australia
  • Netherlands
  • Ukraine