
Peering Into Midnight Blizzard’s DNS Footprint

Thousands of people working for organizations in the public, academia, and defense sectors are being targeted by spear-phishing attacks operated by a threat group called “Midnight Blizzard.” The messages contained a Remote Desktop Protocol (RDP) configuration file connected to the malicious actor’s server.

Midnight Blizzard has been active for decades now, but using a signed RDP config file to gain access to a victim’s device is a new vector, according to Microsoft, which also published a list of indicators of compromise (IoCs) comprising 276 subdomains and five domains. From this list, the WhoisXML API research team analyzed and expanded a total of 39 domain IoCs (including 34 domains extracted from the subdomains tagged as IoCs), leading to the discovery of:

  • 18 email-connected domains
  • 16 IP addresses, 11 of which turned out to be malicious
  • 20 IP-connected domains, one of which turned out to be malicious
  • 106 string-connected domains, six of which turned out to be malicious

A sample of the additional artifacts obtained from our analysis is available for download from our website.

What We Know about the Midnight Blizzard IoCs

To learn more about the attributes of the 39 domain IoCs, we ran them on Bulk WHOIS Lookup, which revealed that:

  • 13 registrars administered the domains, with NameSilo taking the lead (10 domains). It was followed by eNom and Hostinger (six domains each); OwnRegistrar (five domains); Public Domain Registry, Registrar.eu, and Synergy Wholesale Accreditations (two domains each); and Network Solutions, 1API GmbH, Tucows Domains, Web Commerce Communications, Zen Internet Limited, and DNC Holdings (one domain each).
  • A total of 34 out of the 39 domain IoCs were registered in August 2024 or later, while one each was created in 1999, 2002, and 2005. Two domains did not have current WHOIS creation dates.

  • A total of 69% of the domains were registered in the U.S., while the rest were registered in seven other countries, namely, Australia, the U.K., France, Canada, Thailand, Austria, and Germany. Three domains did not have current registrant country data.

Next, we queried the 39 domains tagged as IoCs on DNS Chronicle API to see their earliest IP resolution dates and mobilization timeline.

Excluding the two domains that did not have current creation dates, we found that about 57% (21 domains, to be exact) resolved to IP addresses within three days of registration, one resolved 10 to 30 days after it was registered, and nine resolved 30 days or more after their registration dates. Meanwhile, six domains did not have any recorded historical IP resolutions. Below are some examples.

DOMAIN IoC          DOMAIN REGISTRATION DATE   RESOLUTION START DATE   REGISTRATION-TO-RESOLUTION TIMELINE (DAYS)
difesa-it[.]cloud   22 August 2024             22 August 2024          0
mfa-gov[.]cloud     15 August 2024             31 August 2024          16
gov-ua[.]cloud      15 August 2024             29 September 2024       45
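The registration-to-resolution timeline above can be computed from WHOIS creation dates and first passive-DNS resolution dates. The following is an added example, not code from the post or from WhoisXML API; it uses the three rows from the table plus constructed, clearly labelled hypothetical rows, the bucket boundaries are our own reading of the post's categories, and it flags one case the post does not discuss: a resolution date older than the current registration, which usually belongs to a previous registrant and should not be counted as attacker mobilization.

```python
from datetime import date, datetime
from collections import Counter

# Constructed sample: the three IoC rows from the post's table plus three hypothetical
# rows (not from the post) for the cases to handle: no WHOIS creation date, no recorded
# resolution, and a resolution that predates the current registration.
SAMPLE = [
    ("difesa-it[.]cloud", "22 August 2024", "22 August 2024"),
    ("mfa-gov[.]cloud", "15 August 2024", "31 August 2024"),
    ("gov-ua[.]cloud", "15 August 2024", "29 September 2024"),
    ("nowhois-example[.]cloud", None, "1 September 2024"),             # hypothetical
    ("nodns-example[.]cloud", "20 August 2024", None),                 # hypothetical
    ("reregistered-example[.]cloud", "15 August 2024", "3 March 2019"),  # hypothetical
]

def parse_day(text):
    """Parse the '22 August 2024' format used in the post; a missing value stays None."""
    return datetime.strptime(text, "%d %B %Y").date() if text else None

def timeline_days(created, resolved):
    """Registration-to-first-resolution delay in days; None if either date is missing."""
    if created is None or resolved is None:
        return None
    return (resolved - created).days

def bucket(created, resolved):
    """Map one domain to the categories the post reports (boundaries are ours)."""
    if created is None:
        return "no creation date"
    if resolved is None:
        return "no recorded resolution"
    days = timeline_days(created, resolved)
    if days < 0:
        # Passive DNS older than the current creation date is almost always a prior registrant.
        return "resolution predates current registration"
    if days <= 3:
        return "within 3 days"
    if days < 30:
        return "4 to 29 days"
    return "30 days or more"

def summarize(rows):
    """Return per-domain timelines (refanged names) and bucket counts for (ioc, created, resolved) rows."""
    per_domain, counts = {}, Counter()
    for ioc, created_text, resolved_text in rows:
        created, resolved = parse_day(created_text), parse_day(resolved_text)
        per_domain[ioc.replace("[.]", ".")] = timeline_days(created, resolved)
        counts[bucket(created, resolved)] += 1
    return {"timelines": per_domain, "counts": dict(counts)}
```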

In total, the 39 domains tagged as IoCs resolved to 47 unique IP addresses from the time they were registered until their most recent resolution dates.

We also queried the 39 domains tagged as IoCs on Screenshot API and found that five remained accessible, while eight returned a 403 Forbidden error.

Midnight Blizzard IoC Expansion Analysis Findings

Among the goals of our threat reports is to discover additional threat artifacts. As our usual first step, we queried the 39 domains tagged as IoCs on WHOIS History API, which returned 11 email addresses from their historical WHOIS records. Only five of these email addresses were public.

Querying the five public email addresses on Reverse WHOIS API gave us 18 email-connected domains after duplicates and the IoCs were filtered out.

We then ran the 39 domain IoCs on DNS Lookup API and found that 16 of them resolved to 16 unique IP addresses, 11 of which were malicious according to Threat Intelligence API. All 11 malicious IP addresses were associated with malware distribution.

This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
