🎯 Midnight Blizzard's RDP Spear-Phishing Campaign: A Deep Dive

 CyberHawk Consultancy


💥 Summary of the Threat

In October 2024, Microsoft Threat Intelligence reported a large-scale spear-phishing campaign (observed since at least 22 October 2024) by the Russian state-sponsored group Midnight Blizzard (also tracked as APT29 and NOBELIUM).

Their weapon of choice: malicious .rdp files, engineered so that the victim's own Remote Desktop client opens a live session to attacker-controlled infrastructure.


🛠️ How the Attack Works

Unlike a traditional payload, the attachment carries no exploit code: it is a signed RDP configuration file, and mstsc.exe simply does what the file tells it to. The connection is outbound from the victim to the attacker, which most perimeter firewalls allow by default. When a user opened the .rdp file:

  • 🔗 It initiated a remote session directly with Midnight Blizzard-controlled infrastructure.
  • 🔍 The file's resource-redirection settings, all legitimate RDP features, exposed to the remote side:
    • 📁 Local files, directories and connected network drives
    • 🖨️ Connected peripherals (smart cards, printers, webcams)
    • 📋 Clipboard contents
    • 🔐 Windows authentication features (Windows Hello, passkeys, security keys) via WebAuthn redirection
    • 🛒 Point of Sale (POS) devices attached to the host
  • ⚙️ Once connected, the attacker could also install malware through the session to maintain access after it ended.

👉 The .rdp files were signed, which lends them legitimacy and defeats policies that only block unsigned .rdp files, and the emails impersonated Microsoft and cloud-provider services.


๐ŸŒ Targeted Sectors & Geography

  • ๐Ÿ›️ Government Agencies
  • ๐Ÿซ Academic Institutions
  • ๐Ÿ›ก️ Defense Contractors
  • ๐ŸŒ NGOs and Think Tanks

๐Ÿ“Œ Geographically, the campaign focused on:

  • ๐Ÿ‡ฌ๐Ÿ‡ง United Kingdom
  • ๐Ÿ‡ฏ๐Ÿ‡ต Japan
  • ๐Ÿ‡ช๐Ÿ‡บ Europe
  • ๐Ÿ‡ฆ๐Ÿ‡บ Australia


๐Ÿ” Detection Strategies

  • ๐Ÿ›ก️ Microsoft Defender for Office 365: Scans attachments for known malicious .rdp patterns.
  • ⚙️ RDP File Parser Tool: Identifies suspicious config parameters in RDP files.
  • ๐Ÿ“ Defender Alerts: Look for alert titles like Trojan_RDP*.
  • ๐Ÿ“Œ Hunting Queries: Custom queries to detect RDP connections initiated via email attachments.

๐Ÿ•ต️‍♂️ Microsoft Sentinel Detections (KQL)

Below are ready-to-use Microsoft Sentinel KQL queries to help hunt and detect Midnight Blizzard's RDP spear-phishing campaign. Use these in Sentinel’s Logs section or integrate into your analytic rules.

1️⃣ RDP Attachment Delivered by Email


EmailAttachmentInfo
| where FileName endswith ".rdp"
| join kind=inner (EmailEvents | project NetworkMessageId, Subject, DeliveryAction, DeliveryLocation) on NetworkMessageId
| project Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, FileName, SHA256, DeliveryAction, DeliveryLocation, NetworkMessageId

EmailEvents has no Attachments column; attachment names and hashes live in EmailAttachmentInfo. Keep the SHA256: it ties the delivered file to DeviceFileEvents on the endpoint.

2️⃣ Outbound RDP from the Desktop Client to a Public Address


DeviceNetworkEvents
| where ActionType == "ConnectionSuccess"
| where InitiatingProcessFileName =~ "mstsc.exe"
| where RemoteIPType == "Public"
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, RemoteIP, RemoteUrl, RemotePort

DeviceNetworkEvents has no RemoteIPCountry column, and attacker infrastructure need not be hosted in any particular country; what matters is a user workstation's RDP client connecting out to the public Internet. RemotePort is deliberately not filtered, because the full address in the file can name any port. Exclude your published RD Gateway and cloud hosts to reduce noise.

3️⃣ .rdp Files Written by Mail Clients and Browsers


DeviceFileEvents
| where ActionType in ("FileCreated", "FileModified")
| where FileName endswith ".rdp"
| where InitiatingProcessFileName in~ ("outlook.exe", "olk.exe", "msedge.exe", "chrome.exe", "firefox.exe")
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName, InitiatingProcessAccountName

Sentinel does not store file contents, so there is no FileContent column to search, and full address:s: appears in every .rdp file anyway. Use this query to find the files, match SHA256 against query 1, and inspect the settings with an RDP file parser or on the file's Defender page.

4️⃣ Remote Desktop Client Launched with an .rdp File


DeviceProcessEvents
| where FileName =~ "mstsc.exe"
| where ProcessCommandLine has ".rdp"
| where InitiatingProcessFileName in~ ("explorer.exe", "outlook.exe", "olk.exe")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine

Double-clicking an attachment launches mstsc.exe from explorer.exe or the mail client with the file path on the command line; the .rdp file is never the initiating process, so a filter on InitiatingProcessFileName endswith ".rdp" matches nothing. Remote Desktop Connection Manager opens .rdg files and is not involved here.

5️⃣ Explicit Credential Use by the RDP Client


SecurityEvent
| where EventID == 4648
| where ProcessName endswith @"\mstsc.exe"
| project TimeGenerated, Computer, SubjectUserName, TargetUserName, TargetServerName, TargetInfo, ProcessName

In this campaign the victim's workstation is the RDP client, so it records no type 10 (RemoteInteractive) logon; that event lands on the attacker's server. What the client does record is Windows event 4648 ("a logon was attempted using explicit credentials") when mstsc.exe authenticates with entered or saved credentials, with the destination in TargetServerName. DeviceLogonEvents stores LogonType as text (RemoteInteractive) rather than the number 10 and has no AccountType column. Every legitimate outbound RDP session also produces 4648, so compare TargetServerName with your known hosts or join against query 2.

6️⃣ Defender Alerts for Malicious RDP Files


SecurityAlert
| where ProviderName in ("MDATP", "OATP")
| where AlertName startswith "Trojan_RDP" or AlertName has "RDP"
| project TimeGenerated, AlertName, AlertSeverity, Description, CompromisedEntity, Entities, ExtendedProperties

SecurityAlert has no Computer column; the affected host or mailbox is in CompromisedEntity and Entities. Replace the startswith pattern with the exact detection names Microsoft publishes for the campaign; Defender names normally take the Trojan:Script/... or Trojan:Win32/... form rather than an underscore.

7️⃣ External RDP Connections from Hosts That Are Not Jump Servers


let JumpHosts = dynamic(["jump01", "jump02"]);   // replace with your sanctioned RDP sources
DeviceNetworkEvents
| where ActionType == "ConnectionSuccess" and RemoteIPType == "Public"
| where RemotePort == 3389 or InitiatingProcessFileName =~ "mstsc.exe"
| where not(DeviceName has_any (JumpHosts))
| summarize Connections = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp), Users = make_set(InitiatingProcessAccountName) by DeviceName, RemoteIP, RemoteUrl, InitiatingProcessFileName
| order by Connections asc

Heartbeat only records agent check-ins; it has no RemoteIP, RemotePort or DeviceType columns, so the original form of this query would not run. This version lists rare device-to-host pairs first, which is where a one-off phishing session will sit.

💡 Bonus Tip: Use Watchlists

🎯 Add the attacker hostnames, IPs and .rdp file hashes published for the campaign to a Sentinel watchlist and reference it with the _GetWatchlist() function in the queries above (on RemoteUrl, RemoteIP and SHA256), so analytic rules and workbooks pick up new IOCs without being edited.


🧰 Mitigation Recommendations

🖥️ Endpoint Protection

  • 🔒 Enable Tamper Protection & Network Protection in Defender
  • 🚫 Activate EDR in Block Mode to stop post-execution threats
  • 🧠 Use Automated Investigation & Remediation
  • 🌐 Block outbound TCP/3389 (and any other RDP port you do not publish) to public addresses on the host firewall, allowing it only from designated jump hosts

📧 Email Security

  • 🧼 Enable Safe Links and Safe Attachments in Microsoft 365
  • ♻️ Use Zero-Hour Auto Purge (ZAP) to retroactively clean threats
  • 🚫 Treat .rdp as a blocked attachment type unless your business genuinely mails RDP shortcuts

🌐 Web Browsing Security

  • 🧭 Use browsers with SmartScreen (e.g., Microsoft Edge)

🧠 User Awareness

  • ❗ Train staff not to open RDP files they did not expect, signed or not
  • ✔️ Verify the legitimacy of senders, especially those claiming to be from Microsoft or cloud providers

🚨 IOC-Based Detection (Example)


File Extension: .rdp (delivered as an email attachment)
Remote Addresses: attacker-controlled hosts whose names imitate Microsoft or cloud-provider services.
  The pattern *.onmicrosoft.com shown in this example also matches every legitimate Microsoft 365
  tenant, so never alert on it alone; use the hostnames Microsoft published for the campaign.
Common File Names (illustrative, not a published list):
  - SecureAccess.rdp
  - InviteToCall.rdp
  - MFA_Connection.rdp

Suspicious RDP Parameters (what to flag inside the file):
  - full address:s: pointing to a host outside your estate
  - drivestoredirect:s:* / devicestoredirect:s:* / usbdevicestoredirect:s:*
  - redirectclipboard:i:1, redirectprinters:i:1, redirectsmartcards:i:1, redirectcomports:i:1
  - redirectwebauthn:i:1 (exposes Windows Hello, passkeys and security keys)
  - remoteapplicationmode:i:1 (RemoteApp mode hides that a full session is open)
  - username:s: pre-filled, plus signscope:s: / signature:s: present (the lures were signed)
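The parameters above can only be checked by reading the file itself, which the Sentinel tables cannot do. As an added example (not from the original page and not Microsoft's or CyberHawk's tooling), here is a small Python parser that reads an .rdp file, decides whether full address points outside an assumed internal DNS suffix (corp.example.net is an assumption), and flags the redirection and signing settings listed above. The two sample files, their hostnames and the signature value are constructed for illustration.

```python
"""Parse an .rdp file and flag the settings that make a phishing-delivered one
dangerous.  Added example, not CyberHawk's or Microsoft's tooling; the sample
files at the bottom are constructed and their hostnames are made up."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Each line of an .rdp file is "name:type:value"; type s = string, i = integer,
# b = binary.  Names may contain spaces and values may contain further colons.
_LINE = re.compile(r"^(?P<name>[^:]+):(?P<type>[sib]):(?P<value>.*)$")

# Redirection settings that hand local resources to the remote (attacker) host.
RISKY = {
    "drivestoredirect": "maps local drives into the session",
    "devicestoredirect": "redirects PnP devices (cameras, media players)",
    "usbdevicestoredirect": "redirects USB devices",
    "redirectclipboard": "shares the clipboard with the remote host",
    "redirectprinters": "redirects printers",
    "redirectsmartcards": "redirects smart cards to the remote host",
    "redirectwebauthn": "redirects Windows Hello / passkeys / security keys",
    "redirectcomports": "redirects serial ports (POS and similar devices)",
    "remoteapplicationmode": "RemoteApp mode hides that a full session is open",
}

# Assumed internal DNS suffixes; any other destination counts as external.
INTERNAL_SUFFIXES = ("corp.example.net",)


@dataclass
class Assessment:
    host: str
    signed: bool
    external: bool
    findings: list[str] = field(default_factory=list)

    @property
    def high_risk(self) -> bool:
        # External destination plus at least one redirection is the lure pattern.
        return self.external and bool(self.findings)


def parse_rdp(data: bytes) -> dict[str, tuple[str, str]]:
    """Return {name: (type, value)}.  Files saved by mstsc.exe are commonly
    UTF-16LE with a BOM; hand-written ones are often plain ASCII."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        text = data.decode("utf-16")
    else:
        text = data.decode("utf-8", errors="replace")
    settings: dict[str, tuple[str, str]] = {}
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if m:  # a repeated name overrides the earlier value
            settings[m["name"].strip().lower()] = (m["type"], m["value"].strip())
    return settings


def assess(settings: dict[str, tuple[str, str]],
           internal_suffixes: tuple[str, ...] = INTERNAL_SUFFIXES) -> Assessment:
    """Score one parsed file: where it connects, whether it is signed,
    and which redirections are switched on."""
    address = settings.get("full address", ("s", ""))[1]
    host, _, _port = address.partition(":")   # host[:port]; IPv6 literals not handled
    host = host.lower()
    external = bool(host) and not any(
        host == s or host.endswith("." + s) for s in internal_suffixes)
    signed = "signature" in settings and "signscope" in settings
    result = Assessment(host=host, signed=signed, external=external)
    for name, why in RISKY.items():
        if name not in settings:
            continue
        typ, value = settings[name]
        enabled = value not in ("", "0") if typ == "i" else value != ""
        if enabled:
            result.findings.append(f"{name}:{typ}:{value} -> {why}")
    if settings.get("username", ("s", ""))[1]:
        result.findings.append("username preset: the client will not ask who is connecting")
    return result


def report(data: bytes) -> Assessment:
    return assess(parse_rdp(data))


# Constructed lure: external host, signed, every useful redirection enabled.
LURE_RDP = b"\xff\xfe" + (
    "full address:s:mfa-portal.example.com:3389\r\n"
    "username:s:employee\r\n"
    "remoteapplicationmode:i:1\r\n"
    "drivestoredirect:s:*\r\n"
    "redirectclipboard:i:1\r\n"
    "redirectprinters:i:1\r\n"
    "redirectsmartcards:i:1\r\n"
    "redirectwebauthn:i:1\r\n"
    "signscope:s:Full Address,Remote Application Mode,Drive Store Direct\r\n"
    "signature:s:AQABAAEAAADEADAAAAAAAA==\r\n"   # placeholder, not a real signature
).encode("utf-16-le")

# Constructed benign file: internal terminal server, clipboard only.
INTERNAL_RDP = b"full address:s:ts01.corp.example.net\r\nredirectclipboard:i:1\r\n"

if __name__ == "__main__":
    for label, blob in (("lure", LURE_RDP), ("internal", INTERNAL_RDP)):
        a = report(blob)
        print(f"{label}: host={a.host} signed={a.signed} external={a.external} high_risk={a.high_risk}")
        for finding in a.findings:
            print("  -", finding)
```

The lure is reported as high risk even though it is signed: a signature tells you who signed the file, not whether the destination is yours, which is why the check is destination plus redirection rather than signature presence. The internal file keeps its clipboard finding but is not high risk, so the parser can sit in a mail-flow hook or run over the files surfaced by query 3 without flooding analysts.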

🔚 Final Thoughts

This campaign marks an evolution in spear-phishing tradecraft: no exploit and no dropper, just a legitimate remote desktop client configured by the attacker, combined with convincing social engineering and resource redirection that exposes credentials and files.

By proactively hunting for outbound RDP from user workstations and parsing the .rdp files they receive, organizations can catch these sessions early, even when the lure itself passes signature checks.

💡 Pro Tip: Windows has no single "disable .rdp files" switch, but the Remote Desktop Connection Client policies (Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Connection Client) let you set "Allow .rdp files from unknown publishers" and "Allow .rdp files from valid publishers and user's default .rdp settings" to Disabled, and list only your own signing certificate under "Specify SHA1 thumbprints of certificates representing trusted .rdp publishers". Because this campaign's files were signed, blocking only unknown publishers is not enough.

🦅 CyberHawk Consultancy | They can't exploit you if you are the exploit.
