Thousands of individuals in public, academic, and defense sectors are being targeted by spear-phishing attacks from the threat group “Midnight Blizzard,” utilizing a new method involving signed RDP configuration files. Microsoft has identified numerous indicators of compromise (IoCs) linked to this activity. Affected: Microsoft, WhoisXML API
Key points:
- Midnight Blizzard has been active for decades, now using signed RDP config files to access victims’ devices.
- Microsoft reported 276 subdomains and five domains as IoCs related to these attacks.
- WhoisXML API analyzed these IoCs, identifying 39 domain IoCs with various connected artifacts.
- Significant findings include 18 email-connected domains and 16 IP addresses, with 11 being malicious.
- 69% of the domains were registered in the U.S., with others in multiple countries.
- 57% of the domains resolved to different IP addresses within three days of registration.
- Some domains returned a 403 Forbidden error during accessibility checks.
- Threat reports aim to discover additional artifacts for better threat detection and response.
MITRE Techniques:
- Phishing (T1566) – Spear-phishing emails were used to deliver malicious RDP configuration files.
- Remote Desktop Protocol (RDP) (T1076) – Attackers utilized RDP configuration files to gain unauthorized access.
- Domain Generation Algorithms (DGA) (T1483) – The use of multiple domains and subdomains for malicious activities.
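The delivery technique above hinges on a mailed .rdp file whose `full address` points at attacker-controlled infrastructure. The following triage script is an added example, not code from the summary or from WhoisXML API or Microsoft: it parses the `key:type:value` lines of an .rdp attachment, matches the target host against a defanged IoC list (seeded with the two domains quoted below), and flags resource-redirection settings and an embedded signature. Which redirection keys count as risky, and the sample attachment, are this example's own assumptions.

```python
# Constructed IoC list for this example: the two defanged domains quoted in the
# summary. A real list would come from the full WhoisXML API / Microsoft report.
IOC_DOMAINS = ["difesa-it[.]cloud", "mfa-gov[.]cloud"]

# Resource-redirection keys that expose local resources to the remote RDP host.
# Treating these as risky is an assumption of this example, not from the summary.
RISKY_REDIRECTS = {
    "drivestoredirect": lambda v: v not in ("", "0"),
    "redirectclipboard": lambda v: v == "1",
    "redirectprinters": lambda v: v == "1",
    "redirectsmartcards": lambda v: v == "1",
    "devicestoredirect": lambda v: v not in ("", "0"),
}

def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'mfa-gov[.]cloud' into 'mfa-gov.cloud'."""
    return domain.replace("[.]", ".").lower()

def parse_rdp(text: str) -> dict:
    """Parse the key:type:value lines of an .rdp file into a {key: value} dict."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)  # value may itself contain ':'
        if len(parts) == 3:
            settings[parts[0].strip().lower()] = parts[2].strip()
    return settings

def analyze_rdp(text: str, iocs=IOC_DOMAINS) -> dict:
    """Return the target host and a list of human-readable findings."""
    s = parse_rdp(text)
    host = s.get("full address", "").split(":")[0].lower()  # drop :port
    findings = []
    for ioc in map(refang, iocs):
        if host == ioc or host.endswith("." + ioc):
            findings.append(f"full address matches IoC domain {ioc}")
    for key, is_risky in RISKY_REDIRECTS.items():
        if key in s and is_risky(s[key]):
            findings.append(f"{key}={s[key]} redirects a local resource")
    if "signature" in s:
        findings.append("file carries an embedded signature")
    return {"host": host, "findings": findings}

# Constructed sample resembling a malicious attachment; not a real campaign file.
SAMPLE = """full address:s:portal.mfa-gov.cloud:3389
drivestoredirect:s:*
redirectclipboard:i:1
signscope:s:Full Address,Drives To Redirect
signature:s:AQABAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
"""
```

Run `analyze_rdp(SAMPLE)` to see the four findings for the sample; an .rdp file pointing at an internal host with no redirection returns an empty list.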
Indicators of Compromise:
- [domain] difesa-it[.]cloud
- [domain] mfa-gov[.]cloud
- [ip] 16 malicious IP addresses
- [domain] 18 email-connected domains
- Check the article for all found IoCs.
Full Research: https://circleid.com/posts/1peering-into-midnight-blizzards-dns-footprint