Massive Midnight Blizzard Phishing Attack Using Weaponized RDP Files

Researchers warn of ongoing spear-phishing attacks by Russian threat actor Midnight Blizzard targeting individuals in various sectors.

The attacks involve sending signed RDP configuration files to thousands of targets, aiming to compromise systems for intelligence gathering. 

The actor impersonates Microsoft employees and references other cloud providers to increase credibility, so users are advised to be cautious of suspicious emails and avoid opening attachments from unknown senders.

Midnight Blizzard, a Russian-backed threat actor linked to the SVR, has employed a novel tactic by using a signed RDP configuration file to breach target devices.

This tactic, coupled with their traditional methods of account compromise and advanced exploitation, has allowed them to expand their access and evade detection. 

The group primarily targets government, diplomatic, NGO, and IT service provider entities in the US and Europe, aiming to collect sensitive intelligence. CERT-UA and Amazon have recently observed activity, highlighting the ongoing threat posed by Midnight Blizzard. 

Protecting Your Networks & Endpoints With UnderDefense MDR – Request Free Demo

Midnight Blizzard, a persistent threat actor, employs diverse tactics to gain initial access, including phishing, credential theft, and supply chain attacks. 

They leverage compromised on-premises environments to infiltrate cloud services and exploit service providers’ trust chains to target downstream customers. The group is known for using AD FS malware like FOGGYWEB and MAGICWEB. 

To launch a highly targeted spear-phishing campaign, it distributed emails disguised as legitimate communications from Microsoft, Amazon Web Services, and Zero Trust initiatives. 

When executed, these emails contained malicious RDP configuration files, which established a bidirectional connection between the victim’s device and an attacker-controlled server. 

This connection granted the attacker extensive access to the victim’s system, including sensitive data, network resources, and the ability to install malware for persistent control.

The victim opened a malicious RDP file, inadvertently establishing an RDP connection to an attacker-controlled server.

This granted the attacker unauthorized access to sensitive system information, including file systems, network drives, peripheral devices, authentication credentials, clipboard data, and POS devices.

Microsoft observed a Midnight Blizzard phishing campaign targeting specific sectors, such as government agencies, education, defense, and NGOs, in several countries, especially the UK, Europe, Australia, and Japan. 

It was a common strategy used in previous Midnight Blizzard attacks, and the emails were sent from email addresses belonging to legitimate organizations that had been compromised.

An analysis of the indicators of compromise (IOCs) reveals a potential phishing campaign targeting organizations with user accounts potentially located in Eastern Europe. 

The email senders include domains impersonating legitimate companies (.co.uk, .com.au) with recipients likely in government, military, and utility sectors (.gov, .mil, .energy). 

Using RDP filenames containing security and compliance keywords, such as AWS, IAM, SDE, and Zero Trust, can conceal the urgency. 

While the remote desktop connection attempts to target geographically relevant AWS cloud domains (ap-northeast-1, eu-central-1, us-east-1), further enhancing the campaign’s credibility. 

Run private, Real-time Malware Analysis in both Windows & Linux VMs. Get a 14-day free trial with ANY.RUN!