Understanding and Mitigating Midnight Blizzard's RDP-Based Spearphishing Campaign
Common Information
Type Value
UUID a3b120c9-c34a-4be3-9637-86fba4f3c743
Fingerprint c4790c1bae21cfab
Analysis status DONE
Considered CTI value 2
Text language
Published Nov. 1, 2024, 11:28 a.m.
Added to db Nov. 1, 2024, 1:18 p.m.
Last updated Nov. 17, 2024, 6:54 p.m.
Headline Understanding and Mitigating Midnight Blizzard's RDP-Based Spearphishing Campaign
Title Understanding and Mitigating Midnight Blizzard's RDP-Based Spearphishing Campaign
Detected Hints/Tags/Attributes 104/3/79
Attributes
Type                                #Events  Value
Domain                              1        dangerousobject.multi.generic.tc
Domain                              1        trojan.win32.cozyduke.tc
Domain                              1        win32.cozyduke.tc
Domain                              4        trojan.win32.generic.tc
Domain                              1        downloader.win32.icebeat.tc
Domain                              1        downloader.win32.staticnoise.tc
Domain                              1        backdoor.undefined.graphicalproton.tc
Domain                              1        backdoor.win32.graphicalproton.tc
Domain                              1        trojan.win32.jlorat.tc
Domain                              1        downloader.win32.tomiris.tc
Domain                              1        generic.win32.generic.tc
Domain                              1        phishing.win32.malicious.tc
Domain                              1        infostealer.win32.duke.tc
Domain                              1        backdoor.win32.wineloader.tc
Domain                              1        trojan.win32.cozyduke.gen.tc
Domain                              1        dropper.win32.apt29.tc
Domain                              1        dropper.win32.apt29.tc.cn
Domain                              1        win32.fr
Domain                              1        win32.cozer.ae
Domain                              1        win32.highconfidence.az
Domain                              1        w32.c37c109171-95.sbx.tg
Domain                              1        w32.773f010272-95.sbx.tg
Domain                              2        w32.tr
Domain                              35       w32.auto
Domain                              72       aws.amazon.com
Domain                              83       cert.gov.ua
File                                2        agent.blob
md5                                 3        a5de73d69c1a7fbae2e71b98d48fe9b5
md5                                 3        8bcb741a204c25232a11a7084aa2221f
md5                                 3        86f58115c891ce91b7364e5ff0314b31
md5                                 3        80b3cad4f70b6ea8924aa13d2730328b
md5                                 3        c0da30b71d58e071fc5863381444d9f0
md5                                 3        1595266bb78dc1e3d67f929154824c74
md5                                 3        222c83d156a41735c38cc552a7084a86
md5                                 3        fa9af43e9bbb55b7512b369084d91f4d
md5                                 3        281a28800a4ba744bfde7b4aff46f24e
md5                                 3        d37cd2c462af0e0643076b20c5ff561e
md5                                 3        e465a4191a93195094a803e5d4703a90
md5                                 3        3f753810430b26b94a172fbf816e7d76
md5                                 3        434ffae8cfc3caa370be2e69ffaa95d1
md5                                 3        c287c05d91a19796b2649ebebd27394b
md5                                 3        aabbfd1acd3f3a2212e348f2d6f169fc
md5                                 3        b0a0ad4093e781a278541e4b01daa7a8
md5                                 3        a18a1cad9df5b409963601c8e30669e4
md5                                 3        cbbc4903da831b6f1dc39d0c8d3fc413
md5                                 3        bd711dc427e17cc724f288cc5c3b0842
md5                                 3        b38e7e8bba44bc5619b2689024ad9fca
md5                                 3        40f957b756096fa6b80f95334ba92034
md5                                 3        db326d934e386059cc56c4e61695128e
md5                                 3        f58cf55b944f5942f1d120d95140b800
sha256                              3        34c88cd591f73bc47a1a0fe2a4f594f628be98ad2366eeb4e467595115d8505a
sha256                              3        071276e907f185d9e341d549b198e60741e2c7f8d64dd2ca2c5d88d50b2c6ffc
sha256                              3        6e6680786fa5b023cf301b6bc5faaa89c86dc34b696f4b078cf22b1b353d5d3c
sha256                              3        31f2cc1157248aec5135147073e49406d057bebf78b3361dd7cbb6e37708fbcc
sha256                              3        88fd6a36e8a61597dd71755b985e5fcd0b8308b69fc0f4b0fc7960fb80018622
sha256                              3        b8327671ebc20db6f09efc4f19bd8c39d9e28c9a37bdd15b2fd62ade208d2e8a
sha256                              3        a5bbb109faefcecba695a84a737f5e47fa418cea39d654bb512a6f4a0b148758
sha256                              3        5534cc837ba4fa3726322883449b3e97ca3e0d28c0ccf468b868397fdfa44e0b
sha256                              3        b9ab481e7a9a92cfa2d53de8e7a3c75287cff6a3374f4202ec16ea9e03d80a0b
sha256                              3        18a078a976734c9ec562f5dfa3f5904ef5d37000fb8c1f5bd0dc2dee47203bf9
sha256                              3        bb4d5a3f7a40c895882b73e1aca8c71ea40cef6c4f6732bec36e6342f6e2487a
sha256                              3        ef4bd88ec5e8b401594b22632fd05e401658cf78de681f81409eadf93f412ebd
sha256                              3        1cfe29f214d1177b66aec2b0d039fec47dd94c751fa95d34bc5da3bbab02213a
sha256                              3        3a2496db64507311f5fbd3aba0228b653f673fc2152a267a1386cbab33798db5
sha256                              3        984082823dc1f122a1bb505700c25b27332f54942496814dfd0c68de0eba59dc
sha256                              3        383e63f40aecdd508e1790a8b7535e41b06b3f6984bb417218ca96e554b1164b
sha256                              3        296d446cb2ad93255c45a2d4b674bbacb6d1581a94cf6bb5e54df5a742502680
sha256                              3        129ba064dfd9981575c00419ee9df1c7711679abc974fa4086076ebc3dc964f5
sha256                              3        f2acb92d0793d066e9414bc9e0369bd3ffa047b40720fe3bd3f2c0875d17a1cb
sha256                              4        f357d26265a59e9c356be5a8ddb8d6533d1de222aae969c2ad4dc9c40863bfe8
sha256                              4        280fbf353fdffefc5a0af40c706377142fff718c7b87bc8b0daab10849f388d0
sha256                              4        8b45f5a173e8e18b0d5c544f9221d7a1759847c28e62a25210ad8265f07e96d5
sha256                              4        ba4d58f2c5903776fe47c92a0ec3297cc7b9c8fa16b3bf5f40b46242e7092b46
Mandiant Uncategorized Groups       97       UNC2452
Threat Actor Identifier - APT       665      APT29
Threat Actor Identifier - APT       143      APT40
Url                                 1        https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/
Url                                 1        https://aws.amazon.com/blogs/security/amazon-identified-internet-domains-abused-by-apt29/
Url                                 1        https://cert.gov.ua/

Note on the Domain rows: the values ending in .tc, .tg, .ae, .az, .cn, .fr and .tr, together with w32.auto, are antivirus verdict strings (for example Trojan.Win32.CozyDuke or W32.<id>.SBX.TG) that the extractor tokenized as hostnames because their last dotted component looks like a TLD. They are not network indicators and should not be loaded into DNS or proxy blocklists; of the Domain rows only aws.amazon.com and cert.gov.ua are real hostnames, and both are the publishers of the referenced reports rather than attacker infrastructure. The md5 and sha256 rows are the file indicators to act on.