Earth Koshchei Coopts Red Team Tools in Complex RDP Attacks
Dec. 17, 2024, 4:51 p.m.
Description
Earth Koshchei, an APT group suspected to be sponsored by the Russian SVR, executed a large-scale rogue RDP campaign targeting high-profile sectors. The attack methodology involved spear-phishing emails, red team tools, and sophisticated anonymization techniques. The campaign used an RDP relay, a rogue RDP server, and malicious RDP configuration files to potentially leak data and install malware. The group registered over 200 domain names between August and October, setting up 193 RDP relays and 34 rogue RDP backend servers. They employed anonymization layers such as VPN services, Tor, and residential proxies to mask their operations. The campaign peaked on October 22, targeting governments, armed forces, think tanks, academic researchers, and Ukrainian entities.
Date
Published: Dec. 17, 2024, 4:20 p.m.
Created: Dec. 17, 2024, 4:20 p.m.
Modified: Dec. 17, 2024, 4:51 p.m.
Indicators
Attack Patterns
Earth Koshchei
T1584.001 - Compromise Infrastructure: Domains
T1583.001 - Acquire Infrastructure: Domains
T1021.001 - Remote Services: Remote Desktop Protocol
T1048 - Exfiltration Over Alternative Protocol
T1571 - Non-Standard Port
T1573 - Encrypted Channel
T1102 - Web Service
T1204 - User Execution
T1566 - Phishing
T1133 - External Remote Services
T1090 - Proxy
T1078 - Valid Accounts
T1059 - Command and Scripting Interpreter
Additional Information
Sectors
Technology
Energy
Defense
Education
Telecommunications
Government
Countries
Australia
Netherlands
Ukraine