The Russian-backed threat actor APT29, also known as Earth Koshchei, has been identified using a legitimate red team attack technique to orchestrate cyberattacks via malicious Remote Desktop Protocol (RDP) configuration files, according to a recent report by Trend Micro.
Targeting High-Value Entities
The campaign focuses on high-profile targets such as government agencies, armed forces, think tanks, academic researchers, and Ukrainian organizations. The attackers have repurposed the "rogue RDP" method, initially detailed by Black Hills Information Security in 2022, to execute their operations.
Researchers Feike Hacquebord and Stephen Hilt explained, "This technique gives attackers partial control of a victim’s system, opening the door to data theft and malware installation."
Sophisticated Preparation and Execution
Trend Micro revealed that preparations for the campaign began between August 7 and 8, 2024, with the attack gaining attention in October from CERT-UA, Microsoft, and AWS. The attack chain starts with spear-phishing emails containing malicious RDP configuration files. Once the victim opens the file, their device connects to one of the group’s 193 RDP relays, ultimately directing them to a malicious RDP server.
This large-scale operation targeted approximately 200 high-profile victims in a single day, underlining the sophistication and scale of the campaign.
Leveraging PyRDP for Stealth Attacks
The attackers utilized an open-source tool called PyRDP, a Python-based "Monster-in-the-Middle (MitM)" tool that sits between the victim and the adversary-controlled RDP server. This approach significantly reduces the risk of detection.
When victims open the RDP configuration file, codenamed HUSTLECON, the PyRDP relay redirects the session to the malicious server. This rogue server mimics the behavior of a legitimate RDP server, enabling attackers to:
- Deploy malicious scripts,
- Alter system settings, and
- Exfiltrate sensitive data, including credentials and proprietary information.
The absence of custom malware in this process allows the attackers to operate covertly, flying under the radar of traditional detection systems.
Multi-Layered Anonymization
A key feature of this attack is the use of anonymization layers such as TOR exit nodes, residential proxies, and commercial VPN services. These tools enable the attackers to control RDP servers and access legitimate mail servers used to send the spear-phishing emails.
The researchers noted, "Tools like PyRDP enhance the attack by enabling the interception and manipulation of RDP connections. PyRDP can automatically crawl shared drives redirected by the victim and download their contents for seamless exfiltration."
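As an added example (not code from the Trend Micro report or the PyRDP project), the following Python triage script parses an .rdp attachment and flags the settings the attack chain above depends on: a full address pointing outside trusted domains, drive and clipboard redirection (the resources PyRDP can crawl and exfiltrate), RemoteApp mode, and suppressed server-identity warnings. The directive names are standard .rdp settings; the trusted-domain list, the sample file and the risk wording are this example's own assumptions.

```python
"""Triage an .rdp configuration file (e.g. a mail attachment) and report
settings that hand local resources to whatever server the file connects to."""
import re

# Standard .rdp directives; the risk text is this example's own assessment.
RISK_RULES = {
    "drivestoredirect": ("local drives redirected to the remote server",
                         lambda v: v not in ("", "0")),
    "redirectclipboard": ("clipboard shared with the remote server",
                          lambda v: v == "1"),
    "redirectsmartcards": ("smart cards exposed to the remote server",
                           lambda v: v == "1"),
    "remoteapplicationmode": ("RemoteApp mode hides the full remote desktop",
                              lambda v: v == "1"),
    "authentication level": ("server identity warnings suppressed",
                             lambda v: v == "0"),
}

# .rdp lines have the form "key:type:value" with type s (string), i (int) or b.
LINE_RE = re.compile(r"^([^:]+):([sib]):(.*)$")

def parse_rdp(text):
    """Parse 'key:type:value' lines into a dict; keys are lower-cased."""
    settings = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            settings[m.group(1).strip().lower()] = m.group(3).strip()
    return settings

def triage_rdp(text, trusted_domains=()):
    """Return a list of findings; an empty list means nothing was flagged."""
    s = parse_rdp(text)
    findings = []
    host = s.get("full address", "").split(":")[0].lower()
    if host and not any(host == d or host.endswith("." + d) for d in trusted_domains):
        findings.append(f"connects to untrusted host {host!r}")
    for key, (msg, is_risky) in RISK_RULES.items():
        if key in s and is_risky(s[key]):
            findings.append(f"{key}={s[key]}: {msg}")
    return findings

# Constructed sample resembling the attachment described above (not a real IOC).
SAMPLE = """screen mode id:i:2
full address:s:rdp.example-relay.invalid:3389
remoteapplicationmode:i:1
drivestoredirect:s:*
redirectclipboard:i:1
authentication level:i:0
"""

if __name__ == "__main__":
    for finding in triage_rdp(SAMPLE, trusted_domains=("corp.example",)):
        print("FLAG:", finding)
```

Mail-gateway or endpoint tooling can run the same check on every .rdp attachment and quarantine files that produce any finding.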
Aptly Adapting Red Team Tactics
Earth Koshchei’s strategy demonstrates their ability to adapt and evolve. By leveraging red team tools and methodologies, the group efficiently exploits both new and old vulnerabilities to gain initial access and execute their espionage campaigns.
Their innovative use of malicious configuration files and PyRDP highlights the growing threat posed by advanced persistent threats (APTs) to governments, organizations, and critical infrastructure worldwide.