
CTI Roundup: Earth Koshchei, RiseLoader, and a New Ransomware Advisory

Earth Koshchei executes rogue RDP attacks, Zscaler releases technical details about RiseLoader malware, and Corvus issues a ransomware advisory

Emerging Issue

This week, CTI examines a large rogue remote desktop protocol (RDP) campaign linked to Russian threat actor Earth Koshchei. Next up, CTI looks at a new report from Zscaler containing technical details about RiseLoader malware. Finally, CTI offers key insights from a new ransomware advisory issued by Corvus Insurance.

1. Russia’s Earth Koshchei launches rogue RDP attacks

A Russian threat actor tracked as Earth Koshchei (aka Midnight Blizzard and APT29) recently conducted a large-scale rogue RDP campaign using spear-phishing emails and anonymization techniques.

The phishing emails were designed to trick recipients into using an attached rogue RDP configuration file to give the threat actor partial control of the device.

Who is Earth Koshchei?

The Earth Koshchei group is allegedly sponsored by the Russian Foreign Intelligence Service (SVR) and tends to engage in espionage campaigns.

In October 2024 Trend Micro observed this actor leveraging a rogue RDP attack against several different targets. This type of attack enables an actor to gain partial control of the victim’s machine.

Both Microsoft and Amazon have previously attributed this activity to this same actor. Trend Micro is now sharing details to help expand on the indicators that have already been shared publicly.

About the rogue RDP campaign

A rogue RDP attack involves a few components including an RDP relay, a rogue RDP server, and a malicious RDP configuration file.

Trend Micro observed the actor sending malicious spear-phishing emails to governments, armed forces, think tanks, and other agencies. If a victim opened the file, the machine would attempt to connect to an RDP server via one of 193 RDP relays the actor previously set up.

Trend Micro notes that many organizations likely have outgoing RDP connections blocked. However, there are still instances in which this could have been successful.

The rogue RDP configuration file

Trend Micro took a closer look at an RDP configuration file that was attached to an email in this campaign and discovered the following details.

  • The hostname specified in the file suggests a legitimate AWS server but is controlled by the threat actor.
  • The file will redirect local drives, printers, clipboards, etc. and enable remote access into the victim’s machine.
  • The attack doesn’t begin until the victim attempts to use the RDP file that was sent to them, which triggers the outbound connection to the threat actor’s system. In this case, the actor used PyRDP to act as a proxy and intercept the connection.
  • The actor can then connect the victim to a rogue server under their control. Once connected, the rogue server holds an RDP session to the victim’s machine and abuses that session for further malicious activity.
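The settings listed above are plain `key:type:value` lines in the `.rdp` file, so a mail gateway or endpoint check can flag a risky attachment before a user double-clicks it. The following is an added example (not Trend Micro’s or the campaign’s own code) that parses a constructed sample file and reports an unapproved target host plus any resource-redirection settings; the hostname and the allow-list are placeholders.

```python
import re
from typing import Dict, List

# Constructed sample .rdp file, modelled on the settings described above:
# the hostname points at an unknown server and local resources are redirected.
# The hostname is a placeholder, not an indicator from the campaign.
SAMPLE_RDP = """\
full address:s:ec2-placeholder.example.invalid
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
remoteapplicationmode:i:0
authentication level:i:0
"""

# Settings that turn a session into a data-exposure channel, with a predicate
# that returns True when the value is in its risky state.
RISKY_SETTINGS = {
    "drivestoredirect": lambda v: v.strip() != "",   # any local drive shared
    "redirectclipboard": lambda v: v == "1",
    "redirectprinters": lambda v: v == "1",
    "redirectsmartcards": lambda v: v == "1",
    "authentication level": lambda v: v == "0",      # server identity not checked
}

def parse_rdp(text: str) -> Dict[str, str]:
    """Parse the key:type:value lines of an .rdp file into a key -> value dict."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"^([^:]+):([sib]):(.*)$", line.strip())
        if m:
            settings[m.group(1).lower()] = m.group(3)
    return settings

def assess_rdp(text: str, allowed_hosts: List[str]) -> List[str]:
    """Return findings for an .rdp file; an empty list means nothing was flagged."""
    s = parse_rdp(text)
    findings: List[str] = []
    host = s.get("full address", "")
    # Drop an optional :port suffix before matching against the allow-list.
    bare_host = host.split(":")[0].lower()
    if not any(bare_host == h or bare_host.endswith("." + h) for h in allowed_hosts):
        findings.append(f"full address '{host}' is not an approved RDP host")
    for key, is_risky in RISKY_SETTINGS.items():
        if key in s and is_risky(s[key]):
            findings.append(f"{key} enabled ({s[key]!r})")
    return findings
```

Run against the sample it reports the unapproved host and five redirection/authentication findings; a file that targets a host on the allow-list with redirection disabled produces no findings.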

Anonymization layers

According to Trend Micro, a key characteristic of this actor is the “abundant usage of anonymization layers like commercial VPN services, TOR and residential proxy service providers.” Threat actors often do this to blend malicious traffic with normal expected traffic.

Trend Micro claims that the actor was using TOR exit nodes for several weeks to control more than 200 VPS server IP addresses and 34 rogue RDP servers.

Domain registration

The actor is estimated to have set up more than 200 domains between August and October 2024. Of these domains, 193 were confirmed to be set up for use in the RDP campaign. The domains spanned multiple industries, including government, think tanks/ NGOs, military, IT, and more.

Analyst comments from Tanium’s Cyber Threat Intelligence team

This actor uses many popular anonymization layers in its attacks to act more stealthily. Their use of rogue RDP servers is believed to be inspired by a 2022 blog post written by an information security company.

As Trend Micro notes, this is a great example of how threat actors will leverage existing tools and techniques to make their attacks more sophisticated while lessening the work effort.

2. Zscaler releases technical details about RiseLoader malware

New technical details about RiseLoader malware are available on Zscaler’s blog.

The sample is similar to RisePro malware but was found to have additional capabilities when it comes to downloading and executing second-stage payloads.

RiseLoader, first observed in October 2024, has been seen delivering different types of malware, including Vidar, Lumma Stealer, and others.

Anti-analysis techniques

The RiseLoader malware samples discovered by Zscaler were packed with VMProtect. This, coupled with the fact that the malware obfuscates many of the important strings in its code, makes it more difficult to analyze.

Zscaler identified several strings, defined in a global array but not used in execution, that are related to analysis and debugging. Because these are not yet used in execution, they believe that this anti-analysis feature may still be in development.

Behavioral analysis

The malware begins by creating a mutual exclusion, or mutex, and names it using hardcoded strings. If the mutex already exists on the system, the malware will not continue. If not, it will randomly select a C2 server from a hardcoded list and open a connection to the server.

Network communication

After the malware connects with the C2 server, it will wait for the server to respond with keys that are needed for future communications. It will then send a campaign ID and other information to the server and wait for a payload command, periodically sending keepalive messages to make sure the communication stays open.

RiseLoader vs RisePro

As noted, Zscaler determined that RiseLoader has similarities with the RisePro malware. The two biggest similarities are in the custom binary TCP-based protocol and the message structure itself. Zscaler also determined that the initialization process of both malware families is similar, with RiseLoader’s being slightly simpler.

Analyst comments from Tanium’s Cyber Threat Intelligence team

One interesting thing about this malware is that it relies on hardcoding necessary information. It hardcodes the list of C2 servers and a handful of strings from which it names the mutex, making it easier to create detections.

Zscaler believes that some anti-analysis features may still be under development, so there is the potential that the malware will change the hardcoded features to something more dynamic.

3. Ransomware activity reaches an all-time high

According to a new report from Corvus Insurance, ransomware activity reached an all-time high in November 2024, with 632 reported ransomware victims listed on data leak sites. This is more than double the historical monthly average (307 victims) and makes November 2024 the most active month for ransomware attacks so far.

Noteworthy ransomware groups

According to Corvus, multiple groups are responsible for the recent spike in ransomware attacks. However, there are a few specific groups that appeared to surge during November.

  • RansomHub: The group with the most victims listed on a data leak site this past month was RansomHub, with 98 victims listed. This group has expanded its operations across several sectors, demonstrating rapid scalability.
  • Akira: The next highest contributor, Akira, claimed 73 victims on data leak sites. As Corvus points out, this group is known for a technical adaptability that enables it to remain successful. Akira’s 73 monthly victims are more than three times the group’s monthly average.

Corvus also calls out Kill Security, SAFEPAY, and Qilin as contributors to November’s record-breaking number of attacks. These five groups collectively totaled almost 50% of all attacks for the month.

How the ransomware attacks start

Corvus took a closer look at the ransomware attacks to try and identify patterns. They discovered that 13% of victims that were posted on data leak sites used VPN products that were determined to be at a higher risk of being breached. This high-risk determination is based on Corvus’ historical insurance claims data.

Corvus took this one step further by breaking this out by ransomware group. They found that 40% of victims listed on the RA Group ransomware leak site used high-risk VPNs. There were 9 ransomware groups in which 25% or more of listed victims were using higher risk VPNs.

What’s more, roughly 6% of November 2024 victims were running outdated Microsoft Exchange Servers. Some victims were running 2021 and 2022 versions that are not patched for the ProxyShell vulnerabilities.

Analyst comments from Tanium’s Cyber Threat Intelligence team

The two ransomware groups which claimed the highest number of victims in November both emerged earlier this year, demonstrating just how quickly a new group can expand and evolve.

It’s important to consider that this data is based on information from data leak sites, and may not be an accurate representation of attacks for the month. However, it highlights some of the key entry points. The Corvus report indicates that VPNs are potentially still a prime target for threat actors, making it critical for organizations to secure them.

