Midnight Blizzard's RDP Spear-Phishing Campaign: A Deep Dive
CyberHawk Consultancy
Summary of the Threat
In October 2024, Microsoft Threat Intelligence uncovered a sophisticated and large-scale spear-phishing campaign by the Russian state-sponsored group Midnight Blizzard (also known as APT29/NOBELIUM).
Their unusual weapon of choice: malicious RDP configuration files, engineered so that opening one establishes a live remote session with attacker-controlled infrastructure.
How the Attack Works
Unlike traditional payloads, these attacks used signed RDP configuration files attached to phishing emails. When a user clicked the RDP file:
- It initiated a remote session directly with Midnight Blizzard-controlled infrastructure.
- It exploited legitimate RDP capabilities to:
  - Access local files and directories
  - Enumerate peripherals (smartcards, printers, webcams)
  - Capture clipboard contents
  - Steal authentication tokens (Windows Hello, Passkeys)
  - Interact with Point of Sale (POS) devices
These .rdp files were signed using valid certificates to evade detection, and disguised as coming from Microsoft or cloud providers.
Targeted Sectors & Geography
- Government Agencies
- Academic Institutions
- Defense Contractors
- NGOs and Think Tanks
Geographically, the campaign focused on:
- United Kingdom
- Japan
- Europe
- Australia
Detection Strategies
- Microsoft Defender for Office 365: Scans attachments for known malicious .rdp patterns.
- RDP File Parser Tool: Identifies suspicious config parameters in RDP files.
- Defender Alerts: Look for alert titles like Trojan_RDP*.
- Hunting Queries: Custom queries to detect RDP connections initiated via email attachments.
Microsoft Sentinel Detections (KQL)
Below are ready-to-use Microsoft Sentinel KQL queries to help hunt and detect Midnight Blizzard's RDP spear-phishing campaign. Use these in Sentinel’s Logs section or integrate into your analytic rules.
1️⃣ RDP File Opened from Email Attachment
// Attachment names live in EmailAttachmentInfo, not EmailEvents; join back for the subject and delivery outcome
EmailAttachmentInfo
| where FileName endswith ".rdp"
| join kind=inner (EmailEvents | project NetworkMessageId, Subject, DeliveryAction) on NetworkMessageId
| project TimeGenerated, SenderFromAddress, RecipientEmailAddress, Subject, FileName, SHA256, DeliveryAction, NetworkMessageId
2️⃣ Suspicious RDP Client Connection
// DeviceNetworkEvents has no country column; derive it from RemoteIP with geo_info_from_ip_address()
DeviceNetworkEvents
| where ActionType == "ConnectionSuccess" and RemotePort == 3389 and RemoteIPType == "Public"
| extend RemoteCountry = tostring(geo_info_from_ip_address(RemoteIP).country)
| where RemoteCountry == "Russia" or isempty(RemoteCountry)
| project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteIP, RemotePort, RemoteCountry
3️⃣ .rdp Files Written to Disk (Candidates for Parameter Inspection)
// DeviceFileEvents does not expose file content, so parameters such as full address:s: cannot be matched here;
// this surfaces newly written .rdp files whose contents can then be checked with the RDP file parser tool above
DeviceFileEvents
| where ActionType == "FileCreated" and FileName endswith ".rdp"
| project TimeGenerated, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName, InitiatingProcessAccountName
4️⃣ Suspicious Process Activity Related to RDP Launch
// The .rdp path is on the RDP client's own command line; InitiatingProcessFileName is the parent (typically explorer.exe or an email client)
DeviceProcessEvents
| where FileName in~ ("mstsc.exe", "RDCMan.exe")
| where ProcessCommandLine has ".rdp"
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
5️⃣ Credential Theft Indicators
// LogonType in DeviceLogonEvents is a string; "RemoteInteractive" corresponds to Windows logon type 10
DeviceLogonEvents
| where ActionType == "LogonSuccess" and LogonType == "RemoteInteractive"
| where RemoteDeviceName has_any ("mfa", "auth", "secure", "vpn")
| project TimeGenerated, DeviceName, AccountName, AccountDomain, RemoteDeviceName, RemoteIP, LogonType
6️⃣ Detected Known Threat Pattern (Microsoft Defender)
SecurityAlert
| where AlertName startswith "Trojan_RDP"
| project TimeGenerated, AlertName, AlertSeverity, Description, CompromisedEntity, ExtendedProperties
7️⃣ External RDP Connections from Non-Jump Servers
// Heartbeat only carries agent health data; outbound RDP is visible in DeviceNetworkEvents
DeviceNetworkEvents
| where ActionType == "ConnectionSuccess" and RemotePort == 3389 and RemoteIPType == "Public"
| where DeviceName !in~ ("JUMPHOST-01", "JUMPHOST-02")  // placeholder names; substitute your jump servers
| summarize Connections = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by DeviceName, RemoteIP, InitiatingProcessFileName
Bonus Tip: Use Watchlists
Add known malicious IPs and the hashes of known malicious .rdp files to a Sentinel watchlist and reference it in analytic rules or workbook queries for proactive defense.
Mitigation Recommendations
Endpoint Protection
- Enable Tamper Protection & Network Protection in Defender
- Activate EDR in Block Mode to stop post-execution threats
- Use Automated Investigation & Remediation
Email Security
- Enable Safe Links and Safe Attachments in Microsoft 365
- Use Zero-Hour Auto Purge (ZAP) to retroactively clean threats
Web Browsing Security
- Use browsers with SmartScreen (e.g., Microsoft Edge)
User Awareness
- Train staff not to open unknown RDP files
- Verify legitimacy of senders, especially those claiming to be from Microsoft or cloud providers
IOC-Based Detection (Example)
- File Extension: .rdp
- Remote Addresses: *.onmicrosoft.com (used by APT29 for infrastructure)
- Common File Names:
  - SecureAccess.rdp
  - InviteToCall.rdp
  - MFA_Connection.rdp
- Suspicious RDP Parameters:
  - full address:s:
  - loadbalanceinfo:s:
  - username:s:admin
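As an added example (not this page's tool and not Microsoft's RDP file parser), the following Python script covers the "RDP File Parser Tool" step from Detection Strategies together with the suspicious parameters listed above: it parses the name:type:value lines of an .rdp file and flags the connection target, a pre-filled username, a signature block, and the resource-redirection settings this campaign abused. The trusted host-suffix allowlist and the sample file are constructed assumptions.

```python
# Resource-redirection settings an attacker's .rdp file enables to reach the victim's local
# resources. Names are real mstsc.exe RDP-file properties; the value listed is the one
# meaning "enabled" (None: any non-empty value enables it).
RISKY_SETTINGS = {
    "drivestoredirect:s": None,     # local drives ("*" = all of them)
    "camerastoredirect:s": None,    # webcams
    "redirectclipboard:i": "1",
    "redirectsmartcards:i": "1",
    "redirectprinters:i": "1",
    "redirectposdevices:i": "1",    # point-of-sale devices
    "redirectwebauthn:i": "1",      # Windows Hello / passkeys over WebAuthn
}

def parse_rdp(text):
    """Parse 'name:type:value' lines into {'name:type': value}; skip malformed lines."""
    settings = {}
    for raw in text.splitlines():
        parts = raw.strip().split(":", 2)  # the value itself may contain ':' (host:port)
        if len(parts) == 3 and parts[1] in ("s", "i", "b"):
            settings[f"{parts[0].lower()}:{parts[1]}"] = parts[2]
    return settings

def assess_rdp(text, trusted_suffixes=()):
    """Return triage findings. trusted_suffixes is a hypothetical allowlist of
    internal RDP host suffixes; with none given, every target is reported."""
    s = parse_rdp(text)
    findings = []
    host = s.get("full address:s", "").lower().partition(":")[0]  # drop any :port
    if host and not host.endswith(tuple(trusted_suffixes)):
        findings.append(f"connects to untrusted host: {host}")
    for key, enabled in RISKY_SETTINGS.items():
        value = s.get(key, "")
        if value and (enabled is None or value == enabled):
            findings.append(f"redirection enabled: {key}:{value}")
    if s.get("username:s"):
        findings.append(f"pre-filled username: {s['username:s']}")
    if "signature:s" in s:
        findings.append("signed .rdp file (verify the signer, not just validity)")
    return findings

# Constructed sample modelled on the lure described above (not a real IOC).
SAMPLE_RDP = """full address:s:rdp.example-lure.invalid:3389
username:s:admin
drivestoredirect:s:*
redirectclipboard:i:1
redirectsmartcards:i:1
redirectwebauthn:i:1
signscope:s:Full Address,Username
signature:s:CONSTRUCTED-PLACEHOLDER
"""
```

Run `assess_rdp(open(path).read())` on a quarantined attachment; a signed file whose target is outside your allowlist and which redirects drives or WebAuthn matches the lure profile described above.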
Final Thoughts
This campaign marks an evolution in spear-phishing tradecraft, combining legitimate remote desktop tools with advanced social engineering and credential theft.
By proactively hunting and defending against these novel attack vectors, organizations can stay ahead of nation-state adversaries like Midnight Blizzard.
Pro Tip: Disable automatic opening of RDP files via Group Policy in enterprise environments to reduce risk exposure.