New Midnight Blizzard Campaign Uses RDP Files to Gain Access
Microsoft researchers have identified a new spear-phishing campaign by Russian threat actor Midnight Blizzard.
Microsoft researchers have identified a new spear-phishing campaign by Russian threat actor Midnight Blizzard that is targeting a wide range of organizations in dozens of countries, with the goal of collecting sensitive information of use to the group’s taskmaster, the Russian SVR. The campaign is recent and ongoing; Microsoft’s threat intelligence team identified thousands of targets in more than 100 organizations.
Why It Matters: Midnight Blizzard is attributed to Russia’s powerful Foreign Intelligence Service (SVR) and is known for its interest in targeting government agencies, NGOs, academic institutions, and technology providers, mainly in Europe and the U.S. The group is extremely well-resourced and technically adept and has proven to be quite capable of infiltrating high-value targets. Spear phishing campaigns may be commonplace, but they can be effective, especially with a highly tailored lure.
Key Details:
- Microsoft identified the campaign on Oct. 22 and said it is still ongoing.
- The campaign uses a signed RDP configuration file as the malicious attachment, delivered by highly targeted lure emails whose content relates to Microsoft Azure, Zero Trust architecture, and Amazon Web Services.
- If a victim opens the malicious RDP configuration file, it establishes a connection to the attacker’s remote server and sends information about the victim’s machine, including “all logical hard disks, clipboard contents, printers, connected peripheral devices, audio, and authentication features and facilities of the Windows operating system, including smart cards”.
- The RDP connection enables the attackers to install malware or other applications on the target machine.
- This is the first documented example of Midnight Blizzard using malicious RDP configuration files in one of its campaigns.
- To send the phishing emails, the campaign abused email accounts that the attackers had compromised in previous campaigns.
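The detail that matters for defenders is that an .rdp file is plain text whose settings decide which local resources (drives, clipboard, printers, devices, audio, smart cards) the remote host gets. The following triage helper is an added example, not code from the article or from Microsoft: it parses an .rdp attachment and flags the documented redirection settings described above. The sample file and its host name are constructed placeholders, not indicators from the campaign.

```python
# Constructed sample of an .rdp attachment of the kind described above: every
# line is "name:type:value" (type s = string, i = integer, b = binary).
# The host name and signature are placeholders, not real indicators.
SAMPLE_RDP = """\
full address:s:rdp.example.invalid:3389
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
devicestoredirect:s:*
redirectsmartcards:i:1
audiocapturemode:i:1
signscope:s:Full Address,Drive Store Direct
signature:s:PLACEHOLDER_SIGNATURE_BLOB
"""

# Microsoft-documented .rdp settings whose values hand local resources to the
# remote host; each entry: setting -> (predicate on the raw value, finding text).
RISKY = {
    "drivestoredirect":   (lambda v: v.strip() != "", "local drives redirected"),
    "redirectclipboard":  (lambda v: v == "1", "clipboard shared"),
    "redirectprinters":   (lambda v: v == "1", "printers redirected"),
    "devicestoredirect":  (lambda v: v.strip() != "", "peripheral devices redirected"),
    "audiocapturemode":   (lambda v: v == "1", "microphone redirected"),
    "redirectsmartcards": (lambda v: v == "1", "smart cards exposed"),
}

def parse_rdp(text: str) -> dict:
    """Return {setting: value}. String values may themselves contain ':'."""
    settings = {}
    for line in text.lstrip("\ufeff").splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) == 3 and parts[1] in ("s", "i", "b"):
            settings[parts[0].lower()] = parts[2]
    return settings

def assess_rdp(text: str) -> dict:
    """Summarise where the file connects and which local resources it exposes."""
    s = parse_rdp(text)
    findings = [msg for key, (risky, msg) in RISKY.items() if key in s and risky(s[key])]
    return {
        "remote_host": s.get("full address", ""),
        "signed": "signature" in s,  # a signature proves origin, not intent
        "findings": findings,
    }

if __name__ == "__main__":
    report = assess_rdp(SAMPLE_RDP)
    print(f"connects to: {report['remote_host']} (signed: {report['signed']})")
    for finding in report["findings"]:
        print(" -", finding)
```

Files saved by mstsc are usually UTF-16 with a BOM, so read them with `encoding="utf-16"` before passing the text in; an unfamiliar `full address` combined with any of these findings is what a mail-gateway or EDR rule should alert on.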
“Microsoft has observed this campaign targeting governmental agencies, higher education, defense, and non-governmental organizations in dozens of countries, but particularly in the United Kingdom, Europe, Australia, and Japan. This target set is consistent with other Midnight Blizzard phishing campaigns,” the Microsoft analysis said.
Midnight Blizzard is among the most adept and persistent APT groups in the threat landscape, and its use of malicious RDP configuration files as an initial access method shows that the group is consistently evolving and adapting its methods.