Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files

Oct. 30, 2024, 11:08 p.m.

Description

On October 22, 2024, Microsoft identified a spear-phishing campaign in which Midnight Blizzard sent phishing emails to thousands of users in over 100 organizations. The emails were highly targeted, using social engineering lures relating to Microsoft, Amazon Web Services (AWS), and the concept of Zero Trust. Each email carried a Remote Desktop Protocol (RDP) configuration file signed with a LetsEncrypt certificate. An RDP configuration (.RDP) file stores the connection settings and local resource mappings that are applied automatically once a connection to the RDP server succeeds, so opening the attachment connects the victim's machine to the actor-controlled server named in the file and can expose local resources (drives, clipboard, printers, peripherals, audio, smart cards) to that server. The signature proves only that the signed fields were not altered after signing; it says nothing about where the connection goes. Most of the hostnames listed under Indicators imitate AWS region naming (us-east-1, eu-central-1, and so on) combined with government, military and telecom-looking names.
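The following is an added triage script for this page, not tooling from Microsoft or from the feed. It parses an .rdp attachment, checks the `full address` against a hand-picked subset of the page's indicators (assumption: in real use the whole list is loaded from the feed), and flags the redirection settings that hand local resources to the remote host. It also generalises slightly beyond the page by matching sibling hosts in the same attacker zone (e.g. any `<region>.ua-sec.cloud`); that rule only holds for the `<region>.<name>.cloud` pattern, not for the plain company domains at the end of the list. Both sample files are constructed for illustration.

```python
"""Triage an .rdp file: attacker-controlled 'full address' plus settings that
map the victim's local resources to the remote server. Added example for
this page; IOC subset and sample files are constructed/assumed."""
from dataclasses import dataclass, field

# Subset of the page's indicators (assumption: load the full list in real use).
IOC_DOMAINS = {
    "us-west-2.ua-sec.cloud",
    "eu-west-3-aws.mil-be.cloud",
    "eu-central-1.s3-nato.cloud",
}
# Last-two-label zones, valid only for the <region>.<name>.cloud pattern.
IOC_ZONES = {".".join(d.split(".")[-2:]) for d in IOC_DOMAINS}

# 'name:type' -> (predicate on the string value, finding text)
RISKY_SETTINGS = {
    "drivestoredirect:s":      (lambda v: v != "",  "local drives redirected to remote host"),
    "devicestoredirect:s":     (lambda v: v != "",  "plug-and-play devices redirected"),
    "usbdevicestoredirect:s":  (lambda v: v != "",  "USB devices redirected"),
    "redirectclipboard:i":     (lambda v: v == "1", "clipboard shared with remote host"),
    "redirectprinters:i":      (lambda v: v == "1", "printers redirected"),
    "redirectsmartcards:i":    (lambda v: v == "1", "smart cards usable by remote host"),
    "redirectcomports:i":      (lambda v: v == "1", "COM ports redirected"),
    "redirectposdevices:i":    (lambda v: v == "1", "POS devices redirected"),
    "audiocapturemode:i":      (lambda v: v == "1", "microphone redirected"),
    "remoteapplicationmode:i": (lambda v: v == "1", "RemoteApp mode: server-chosen program launched"),
}


@dataclass
class RdpTriage:
    target_host: str = ""
    target_port: int = 3389
    signed: bool = False
    matches_ioc: bool = False
    findings: list = field(default_factory=list)

    @property
    def verdict(self) -> str:
        if self.matches_ioc:
            return "malicious"
        return "suspicious" if self.findings else "benign"


def decode_rdp_bytes(data: bytes) -> str:
    """mstsc saves .rdp files as UTF-16 with a BOM; fall back to UTF-8."""
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16")
    return data.decode("utf-8", errors="replace")


def parse_rdp(text: str) -> dict:
    """'name:type:value' lines -> {'name:type': value}. Values may contain ':'
    (host:port, base64 signature), so split at most twice."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue
        name, typ, value = parts
        settings[f"{name.strip().lower()}:{typ.strip().lower()}"] = value.strip()
    return settings


def split_host_port(addr: str):
    """'host:3389' -> ('host', 3389); bare 'host' -> ('host', 3389). No IPv6 literals."""
    host, sep, port = addr.rpartition(":")
    if sep and port.isdigit():
        return host.lower(), int(port)
    return addr.lower(), 3389


def triage_rdp(text: str) -> RdpTriage:
    settings = parse_rdp(text)
    result = RdpTriage()
    result.target_host, result.target_port = split_host_port(settings.get("full address:s", ""))
    zone = ".".join(result.target_host.split(".")[-2:])
    result.matches_ioc = result.target_host in IOC_DOMAINS or zone in IOC_ZONES
    # A signature only shows the signed fields were not altered, not that the
    # destination is trustworthy.
    result.signed = bool(settings.get("signature:s"))
    for key, (is_risky, description) in RISKY_SETTINGS.items():
        value = settings.get(key)
        if value is not None and is_risky(value):
            result.findings.append(f"{key}={value}: {description}")
    return result


# Constructed sample in the shape of the campaign's attachment (not a real file).
SAMPLE_RDP = """\
full address:s:eu-central-1.s3-nato.cloud:3389
remoteapplicationmode:i:1
remoteapplicationname:s:Zero Trust Compliance Check
remoteapplicationprogram:s:||ComplianceCheck
drivestoredirect:s:*
devicestoredirect:s:*
usbdevicestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectsmartcards:i:1
redirectcomports:i:1
redirectposdevices:i:1
audiocapturemode:i:1
signature:s:AQABAAEAAAA=
"""
# Constructed benign file: internal host, no redirection.
BENIGN_RDP = "full address:s:rds.corp.example:3389\ndrivestoredirect:s:\nredirectclipboard:i:0\n"

if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_RDP), ("benign", BENIGN_RDP)):
        t = triage_rdp(text)
        print(f"{label}: {t.verdict} -> {t.target_host}:{t.target_port} signed={t.signed}")
        print("\n".join("    " + f for f in t.findings))
```

Run it against a quarantined attachment with `triage_rdp(decode_rdp_bytes(open(path, "rb").read()))`; a file that resolves to an indicator is reported as malicious regardless of its settings, and a file with no indicator match but full drive, clipboard and smart card redirection is still reported as suspicious, which is the more useful signal once the actor rotates domains.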

Date

  • Created: Oct. 30, 2024, 10:04 p.m.
  • Published: Oct. 30, 2024, 10:04 p.m.
  • Modified: Oct. 30, 2024, 11:08 p.m.

Indicators

  • us-west-2.ua-sec.cloud
  • us-west-2.ua-energy.cloud
  • us-west-2.gov-ua.cloud
  • us-west-2-aws.ua-energy.cloud
  • us-west-2-aws.s3-ua.cloud
  • us-west-2-aws.mfa-gov.cloud
  • us-west-1.ukrtelecom.cloud
  • us-west-1.ua-gov.cloud
  • us-west-1.ua-energy.cloud
  • us-west-1.aws-ukraine.cloud
  • us-west-1-aws.gov-ua.cloud
  • us-west-1-amazon.ua-sec.cloud
  • us-west-1-amazon.ua-mil.cloud
  • us-west-1-amazon.ua-energy.cloud
  • us-east-console.ua-energy.cloud
  • us-east-2.ukrainesec.cloud
  • us-east-console.aws-ukraine.cloud
  • us-east-2.ua-sec.cloud
  • us-east-2.gov-ua.cloud
  • us-east-2.aws-ukraine.cloud
  • us-east-2-aws.ukrtelecom.cloud
  • us-east-2-aws.ua-gov.cloud
  • us-east-2-aws.gov-ua.cloud
  • us-east-1-aws.ua-sec.cloud
  • us-east-1-aws.ua-gov.cloud
  • us-east-1-aws.mfa-gov.cloud
  • us-east-1-aws.s3-ua.cloud
  • eu-west-3.ukrainesec.cloud
  • eu-west-3.ukrtelecom.cloud
  • eu-west-3.s3-ua.cloud
  • eu-west-3.s3-be.cloud
  • eu-west-3.mzv-sk.cloud
  • eu-west-3.presidencia-pt.cloud
  • eu-west-3.msz-pl.cloud
  • eu-west-3.mindef-nl.cloud
  • eu-west-3.minbuza.cloud
  • eu-west-3.mil-pl.cloud
  • eu-west-3.mil-be.cloud
  • eu-west-3.aws-ukraine.cloud
  • eu-west-3.amazonsolutions.cloud
  • eu-west-3-aws.ua-mil.cloud
  • eu-west-3-aws.s3-ua.cloud
  • eu-west-3-aws.s3-be.cloud
  • eu-west-3-aws.regeringskansliet-se.cloud
  • eu-west-3-aws.quirinale.cloud
  • eu-west-3-aws.mzv-sk.cloud
  • eu-west-3-aws.msz-pl.cloud
  • eu-west-3-aws.mindef-nl.cloud
  • eu-west-3-aws.minbuza.cloud
  • eu-west-3-aws.mil-pt.cloud
  • eu-west-3-aws.mil-pl.cloud
  • eu-west-3-aws.mil-be.cloud
  • eu-west-3-aws.gov-trust.cloud
  • eu-west-3-aws.gov-sk.cloud
  • eu-west-3-aws.gov-pl.cloud
  • eu-west-3-aws.difesa-it.cloud
  • eu-west-3-aws.dep-no.cloud
  • eu-west-2-aws.ua-sec.cloud
  • eu-west-3-aws.aws-ukraine.cloud
  • eu-west-2-aws.s3-ua.cloud
  • eu-west-2-aws.s3-nato.cloud
  • eu-west-2-aws.s3-esa.cloud
  • eu-west-2-aws.s3-de.cloud
  • eu-west-2-aws.s3-be.cloud
  • eu-west-2-aws.quirinale.cloud
  • eu-west-2-aws.mzv-sk.cloud
  • eu-west-2-aws.mindef-nl.cloud
  • eu-west-2-aws.msz-pl.cloud
  • eu-west-2-aws.minbuza.cloud
  • eu-west-2-aws.mil-be.cloud
  • eu-west-2-aws.mil-pl.cloud
  • eu-west-2-aws.gv-at.cloud
  • eu-west-2-aws.gov-sk.cloud
  • eu-west-2-aws.gov-pl.cloud
  • eu-west-2-aws.difesa-it.cloud
  • eu-west-2-aws.dep-no.cloud
  • eu-west-2-aws.amazonsolutions.cloud
  • eu-west-1.ukrtelecom.cloud
  • eu-west-1.s3-ua.cloud
  • eu-west-1.ua-gov.cloud
  • eu-west-1.s3-esa.cloud
  • eu-west-1.s3-de.cloud
  • eu-west-1.mzv-sk.cloud
  • eu-west-1.regeringskansliet-se.cloud
  • eu-west-1.msz-pl.cloud
  • eu-west-1.minbuza.cloud
  • eu-west-1.mil-pl.cloud
  • eu-west-1.gov-sk.cloud
  • eu-west-1.mil-be.cloud
  • eu-west-1.difesa-it.cloud
  • eu-west-1.aws-ukraine.cloud
  • eu-west-1-aws.ukrainesec.cloud
  • eu-west-1-aws.ua-sec.cloud
  • eu-west-1-aws.s3-nato.cloud
  • eu-west-1-aws.s3-esa.cloud
  • eu-west-1-aws.s3-de.cloud
  • eu-west-1-aws.s3-be.cloud
  • eu-west-1-aws.quirinale.cloud
  • eu-west-1-aws.mil-pl.cloud
  • eu-west-1-aws.minbuza.cloud
  • eu-west-1-aws.mil-be.cloud
  • eu-west-1-aws.gov-ua.cloud
  • eu-west-1-aws.gov-trust.cloud
  • eu-west-1-aws.gov-sk.cloud
  • eu-west-1-aws.gov-pl.cloud
  • eu-west-1-aws.aws-ukraine.cloud
  • eu-west-1-aws.dep-no.cloud
  • eu-west-1-aws.amazonsolutions.cloud
  • eu-southeast-1-aws.ukrainesec.cloud
  • eu-southeast-1-aws.ua-energy.cloud
  • eu-southeast-1-aws.s3-ua.cloud
  • eu-southeast-1-aws.s3-esa.cloud
  • eu-southeast-1-aws.s3-de.cloud
  • eu-southeast-1-aws.s3-be.cloud
  • eu-southeast-1-aws.quirinale.cloud
  • eu-southeast-1-aws.mzv-sk.cloud
  • eu-southeast-1-aws.mzv-cz.cloud
  • eu-southeast-1-aws.msz-pl.cloud
  • eu-southeast-1-aws.mindef-nl.cloud
  • eu-southeast-1-aws.mil-be.cloud
  • eu-southeast-1-aws.mil-pl.cloud
  • eu-southeast-1-aws.gov-trust.cloud
  • eu-southeast-1-aws.gov-sk.cloud
  • eu-southeast-1-aws.difesa-it.cloud
  • eu-southeast-1-aws.amazonsolutions.cloud
  • eu-southeast-1-aws.dep-no.cloud
  • eu-southeast-1-aws.aws-ukraine.cloud
  • eu-south-2.ukrainesec.cloud
  • eu-south-2.ua-sec.cloud
  • eu-south-2.s3-nato.cloud
  • eu-south-2.s3-de.cloud
  • eu-south-2.s3-esa.cloud
  • eu-south-2.s3-be.cloud
  • eu-south-2.mindef-nl.cloud
  • eu-south-2.mil-be.cloud
  • eu-south-2.mil-pl.cloud
  • eu-south-2.gov-pl.cloud
  • eu-south-2.gov-sk.cloud
  • eu-south-2.dep-no.cloud
  • eu-south-2-aws.s3-ua.cloud
  • eu-south-2-aws.ua-gov.cloud
  • eu-south-2-aws.s3-nato.cloud
  • eu-south-2-aws.s3-esa.cloud
  • eu-south-2-aws.s3-de.cloud
  • eu-south-2-aws.s3-be.cloud
  • eu-south-2-aws.quirinale.cloud
  • eu-south-2-aws.regeringskansliet-se.cloud
  • eu-south-2-aws.ncfta.cloud
  • eu-south-2-aws.mzv-sk.cloud
  • eu-south-2-aws.msz-pl.cloud
  • eu-south-2-aws.minbuza.cloud
  • eu-south-2-aws.mil-be.cloud
  • eu-south-2-aws.mil-pt.cloud
  • eu-south-2-aws.mil-pl.cloud
  • eu-south-2-aws.gov-sk.cloud
  • eu-south-2-aws.mfa-gov.cloud
  • eu-south-2-aws.gov-pl.cloud
  • eu-south-2-aws.dep-no.cloud
  • eu-south-2-aws.amazonsolutions.cloud
  • eu-south-1-aws.ua-gov.cloud
  • eu-south-1-aws.s3-de.cloud
  • eu-south-1-aws.s3-be.cloud
  • eu-south-1-aws.quirinale.cloud
  • eu-south-1-aws.mzv-sk.cloud
  • eu-south-1-aws.minbuza.cloud
  • eu-south-1-aws.mil-be.cloud
  • eu-south-1-aws.mfa-gov.cloud
  • eu-south-1-aws.gov-trust.cloud
  • eu-south-1-aws.gov-pl.cloud
  • eu-south-1-aws.difesa-it.cloud
  • eu-south-1-aws.dep-no.cloud
  • eu-south-1-aws.admin-ch.cloud
  • eu-north-1.s3-ua.cloud
  • eu-north-1.s3-de.cloud
  • eu-north-1.s3-be.cloud
  • eu-north-1.regeringskansliet-se.cloud
  • eu-north-1.ncfta.cloud
  • eu-north-1.mil-pl.cloud
  • eu-north-1.mzv-sk.cloud
  • eu-north-1.mil-be.cloud
  • eu-north-1.gv-at.cloud
  • eu-north-1.gov-ua.cloud
  • eu-north-1.gov-trust.cloud
  • eu-north-1.difesa-it.cloud
  • eu-north-1-aws.ua-gov.cloud
  • eu-north-1-aws.ua-energy.cloud
  • eu-north-1-aws.s3-de.cloud
  • eu-north-1-aws.s3-be.cloud
  • eu-north-1-aws.regeringskansliet-se.cloud
  • eu-north-1-aws.quirinale.cloud
  • eu-north-1-aws.presidencia-pt.cloud
  • eu-north-1-aws.minbuza.cloud
  • eu-north-1-aws.ncfta.cloud
  • eu-north-1-aws.mil-pl.cloud
  • eu-north-1-aws.mil-be.cloud
  • eu-north-1-aws.gov-sk.cloud
  • eu-north-1-aws.gov-pl.cloud
  • eu-north-1-aws.dep-no.cloud
  • eu-north-1-aws.difesa-it.cloud
  • eu-east-1-aws.ukrtelecom.cloud
  • eu-east-1-aws.s3-de.cloud
  • eu-east-1-aws.ua-sec.cloud
  • eu-east-1-aws.ua-gov.cloud
  • eu-east-1-aws.s3-be.cloud
  • eu-east-1-aws.quirinale.cloud
  • eu-east-1-aws.regeringskansliet-se.cloud
  • eu-east-1-aws.msz-pl.cloud
  • eu-east-1-aws.mzv-sk.cloud
  • eu-east-1-aws.mindef-nl.cloud
  • eu-east-1-aws.minbuza.cloud
  • eu-east-1-aws.mil-pl.cloud
  • eu-east-1-aws.mil-be.cloud
  • eu-east-1-aws.gov-sk.cloud
  • eu-east-1-aws.gov-ua.cloud
  • eu-east-1-aws.dep-no.cloud
  • eu-central-2-aws.ukrtelecom.cloud
  • eu-east-1-aws.amazonsolutions.cloud
  • eu-central-2-aws.ua-mil.cloud
  • eu-central-2-aws.s3-be.cloud
  • eu-central-2-aws.regeringskansliet-se.cloud
  • eu-central-2-aws.ua-gov.cloud
  • eu-central-2-aws.presidencia-pt.cloud
  • eu-central-2-aws.mzv-sk.cloud
  • eu-central-2-aws.msz-pl.cloud
  • eu-central-2-aws.mindef-nl.cloud
  • eu-central-2-aws.mil-pl.cloud
  • eu-central-2-aws.mil-be.cloud
  • eu-central-2-aws.gov-sk.cloud
  • eu-central-2-aws.gov-pl.cloud
  • eu-central-2-aws.dep-no.cloud
  • eu-central-2-aws.aws-ukraine.cloud
  • eu-central-2-aws.amazonsolutions.cloud
  • eu-central-1.ua-gov.cloud
  • eu-central-1.ukrtelecom.cloud
  • eu-central-1.ua-sec.cloud
  • eu-central-1.s3-nato.cloud
  • eu-central-1.s3-be.cloud
  • eu-central-1.s3-esa.cloud
  • eu-central-1.regeringskansliet-se.cloud
  • eu-central-1.quirinale.cloud
  • eu-central-1.msz-pl.cloud
  • eu-central-1.mindef-nl.cloud
  • eu-central-1.minbuza.cloud
  • eu-central-1.mil-pl.cloud
  • eu-central-1.mil-be.cloud
  • eu-central-1.mfa-gov.cloud
  • eu-central-1-aws.ukrainesec.cloud
  • eu-central-1.difesa-it.cloud
  • eu-central-1-aws.ua-gov.cloud
  • eu-central-1-aws.s3-ua.cloud
  • eu-central-1-aws.s3-be.cloud
  • eu-central-1-aws.regeringskansliet-se.cloud
  • eu-central-1-aws.ncfta.cloud
  • eu-central-1-aws.quirinale.cloud
  • eu-central-1-aws.presidencia-pt.cloud
  • eu-central-1-aws.mzv-sk.cloud
  • eu-central-1-aws.mindef-nl.cloud
  • eu-central-1-aws.msz-pl.cloud
  • eu-central-1-aws.minbuza.cloud
  • eu-central-1-aws.gov-trust.cloud
  • eu-central-1-aws.mfa-gov.cloud
  • eu-central-1-aws.gov-sk.cloud
  • eu-central-1-aws.gov-pl.cloud
  • eu-central-1-aws.amazonsolutions.cloud
  • eu-central-1-aws.dep-no.cloud
  • central-2-aws.ukrtelecom.cloud
  • central-2-aws.ukrainesec.cloud
  • central-2-aws.ua-sec.cloud
  • central-2-aws.ua-mil.cloud
  • ca-west-1.mfa-gov.cloud
  • ca-west-1.ukrtelecom.cloud
  • ca-west-1.aws-ukraine.cloud
  • ca-central-1.ua-gov.cloud
  • ca-central-1.gov-ua.cloud
  • ap-northeast-1-aws.ukrainesec.cloud
  • ap-northeast-1-aws.s3-ua.cloud
  • totalconstruction.com.au
  • townoflakelure.com
  • swpartners.com.au
  • cewalton.com
  • sellar.co.uk

Attack Patterns

  • HustleCon
  • Midnight Blizzard
  • T1115 (Clipboard Data)
  • T1199 (Trusted Relationship)
  • T1021 (Remote Services)
  • T1176 (Browser Extensions; renamed Software Extensions in ATT&CK v16)
  • T1566 (Phishing)