Thousands of people working for organizations in the public, academia, and defense sectors are being targeted by spear-phishing attacks operated by a threat group called “Midnight Blizzard.” The messages contained a Remote Desktop Protocol (RDP) configuration file connected to the malicious actor’s server.
Midnight Blizzard has been active for decades now, but using a signed RDP config file to gain access to a victim’s device is a new vector, according to Microsoft, which also published a list of indicators of compromise (IoCs) comprising 276 subdomains and five domains. From this list, the WhoisXML API research team analyzed and expanded a total of 39 domain IoCs (including 34 domains extracted from the subdomains tagged as IoCs), leading to the discovery of:
A sample of the additional artifacts obtained from our analysis is available for download from our website.
To learn more about the attributes of the 39 domain IoCs, we ran them on Bulk WHOIS Lookup, which revealed that:
A total of 34 of the 39 domain IoCs were registered in August 2024 or later, while one each was created in 1999, 2002, and 2005. Two domains did not have current WHOIS creation dates.
A total of 69% of the domains were registered in the U.S., while the rest were registered in seven other countries, namely, Australia, the U.K., France, Canada, Thailand, Austria, and Germany. Three domains did not have current registrant country data.
Next, we queried the 39 domains tagged as IoCs on DNS Chronicle API to see their earliest IP resolution dates and mobilization timeline.
Excluding the two domains that did not have current creation dates, we found that about 57% (21 domains) resolved to IP addresses within three days of registration, one resolved 10 to 30 days after registration, and nine resolved 30 days or more after their registration dates. Meanwhile, six domains did not have recorded historical IP resolutions. Below are some examples.
| DOMAIN IoC | DOMAIN REGISTRATION DATE | RESOLUTION START DATE | REGISTRATION-TO-RESOLUTION TIMELINE (DAYS) |
|---|---|---|---|
| difesa-it[.]cloud | 22 August 2024 | 22 August 2024 | 0 |
| mfa-gov[.]cloud | 15 August 2024 | 31 August 2024 | 16 |
| gov-ua[.]cloud | 15 August 2024 | 29 September 2024 | 45 |
In total, the 39 domains tagged as IoCs resolved to 47 unique IP addresses from the time they were registered until their most recent resolution dates.
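As an added example (not WhoisXML API's code), the registration-to-resolution bucketing described above, run over a constructed sample that repeats the three table rows and adds the edge cases a practitioner meets in practice: no current creation date, no recorded resolution, and DNS history older than the current creation date (a dropped and re-registered domain). The bucket names and the contiguous 4-29-day middle bucket are assumptions made here, not the report's.

```python
from collections import Counter
from datetime import date
from typing import Dict, Optional, Tuple

Row = Tuple[Optional[date], Optional[date]]  # (WHOIS creation date, first historical DNS resolution)

# Constructed input, keyed by defanged IoC. The first three rows repeat the report's table;
# the last three are constructed edge cases. None = missing creation date / no recorded resolution.
SAMPLE: Dict[str, Row] = {
    "difesa-it[.]cloud": (date(2024, 8, 22), date(2024, 8, 22)),
    "mfa-gov[.]cloud": (date(2024, 8, 15), date(2024, 8, 31)),
    "gov-ua[.]cloud": (date(2024, 8, 15), date(2024, 9, 29)),
    "never-resolved[.]example": (date(2024, 9, 1), None),
    "no-whois-date[.]example": (None, date(2024, 9, 5)),
    "re-registered[.]example": (date(2024, 9, 10), date(2020, 1, 1)),
}

def refang(ioc: str) -> str:
    """Turn a defanged IoC such as 'gov-ua[.]cloud' back into a queryable hostname."""
    return ioc.replace("[.]", ".").strip().lower()

def categorize(created: Optional[date], resolved: Optional[date]) -> str:
    """Map a domain onto the report's timeline buckets. The middle bucket is made
    contiguous (4-29 days) so that every delay lands in exactly one bucket."""
    if created is None:
        return "no-creation-date"
    if resolved is None:
        return "no-recorded-resolution"
    delay = (resolved - created).days
    if delay < 0:
        return "resolved-before-creation"  # re-registered (dropped) domain or stale WHOIS data
    if delay <= 3:
        return "within-3-days"
    if delay < 30:
        return "4-29-days"
    return "30-days-or-more"

def summarize(iocs: Dict[str, Row]) -> Dict[str, dict]:
    """Count domains per bucket and, as the report does, compute shares only over
    the domains that have a current WHOIS creation date."""
    counts = Counter(categorize(created, resolved) for created, resolved in iocs.values())
    dated = sum(1 for created, _ in iocs.values() if created is not None)
    percent = {b: round(100 * n / dated, 1) for b, n in counts.items()
               if b != "no-creation-date"} if dated else {}
    return {"counts": dict(counts), "percent": percent}

if __name__ == "__main__":
    for ioc, row in SAMPLE.items():
        print(f"{refang(ioc):28} {categorize(*row)}")
    print(summarize(SAMPLE))
```

Domains that land in the within-3-days bucket shortly after registration are the ones worth prioritising for blocking and retrospective log searches, since that pattern matches the infrastructure mobilisation described above.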
We also queried the 39 domains tagged as IoCs on Screenshot API and found that five remained accessible, while eight returned a 403 Forbidden error.
Among the goals of our threat reports is to discover additional threat artifacts. As our usual first step, we queried the 39 domains tagged as IoCs on WHOIS History API, which returned 11 email addresses from their historical WHOIS records. Only five of these email addresses were public.
Querying the five public email addresses on Reverse WHOIS API gave us 18 email-connected domains after duplicates and the IoCs were filtered out.
We then ran the 39 domain IoCs on DNS Lookup API and found that 16 of them resolved to 16 unique IP addresses, 11 of which were malicious according to Threat Intelligence API. All 11 malicious IP addresses were associated with malware distribution.
This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.
Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.