Hacker group Midnight Blizzard hijacks RDP proxies to launch malware attacks
- Trend Micro spots an advanced spearphishing campaign targeting military and government targets
- It uses nearly 200 RDP proxies to access endpoints
- The total number of victims is in the hundreds
An advanced persistent threat known as Midnight Blizzard has launched a large-scale spearphishing attack that targeted governments, military organizations and academic researchers in the West.
The group used red team methodologies and anonymization tools while exfiltrating sensitive data from their targets' IT infrastructure, cybersecurity researchers at Trend Micro have revealed.
In a report, researchers said the group used a rogue Remote Desktop Protocol (RDP) setup together with a Python-based tool called PyRDP. The attack starts with a spearphishing email containing a malicious RDP configuration file. When the victim opens it, the RDP client connects to a server controlled by the attacker.
On the Russian payroll
The campaign used 34 rogue RDP backend servers in combination with 193 proxy servers to redirect victims’ connections and mask the attackers’ activities.
Once the victim connects, the crooks use PyRDP to intercept the connection, acting as a man-in-the-middle (MitM). Then, with access to target endpoints, the attackers could browse files, exfiltrate sensitive data, and more.
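As an added, defender-side example (not from Trend Micro's report or this article): a small Python triage script that parses an .rdp attachment and flags the settings that would let an attacker-controlled server reach the victim's drives and clipboard. The setting names are real .rdp keys; the allowlist and the sample file are constructed placeholders.

```python
# Triage an .rdp attachment: flag settings that hand an attacker-controlled
# RDP server the victim's drives, clipboard and devices. Sample is constructed.
import re

# Real .rdp keys whose enabled state exposes local resources to the remote host.
RISKY_REDIRECTS = {
    "redirectdrives": "local drives mapped into the session",
    "drivestoredirect": "named local drives mapped into the session",
    "redirectclipboard": "clipboard shared with the remote host",
    "redirectsmartcards": "smart cards forwarded to the remote host",
    "remoteapplicationmode": "RemoteApp mode hides the remote desktop from the user",
}

def parse_rdp(text: str) -> dict:
    """Parse 'key:type:value' lines into {key: (type, value)} with lower-cased keys."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+):([isb]):(.*)$", line)
        if m:
            settings[m.group(1).strip().lower()] = (m.group(2), m.group(3).strip())
    return settings

def is_enabled(entry: tuple) -> bool:
    """Integer settings are on when non-zero; string settings when non-empty."""
    typ, val = entry
    return val not in ("", "0") if typ == "i" else val != ""

def triage_rdp(text: str, trusted_hosts: list) -> list:
    """Return findings that justify blocking the file or reviewing it by hand."""
    settings = parse_rdp(text)
    findings = []
    host = settings.get("full address", ("s", ""))[1].split(":")[0].lower()
    if host and host not in {h.lower() for h in trusted_hosts}:
        findings.append(f"connects to non-allowlisted RDP host {host!r}")
    for key, why in RISKY_REDIRECTS.items():
        if key in settings and is_enabled(settings[key]):
            findings.append(f"{key} enabled: {why}")
    return findings

# Constructed lure-style sample; the hostname is a placeholder, not a real IoC.
SAMPLE_RDP = """full address:s:rdp.placeholder.invalid:3389
redirectdrives:i:1
drivestoredirect:s:*
redirectclipboard:i:1
remoteapplicationmode:i:1
"""

if __name__ == "__main__":
    for finding in triage_rdp(SAMPLE_RDP, ["rds.corp.example"]):
        print("FLAG:", finding)
```

A mail gateway or EDR rule can apply the same checks to block .rdp attachments outright or quarantine those that point outside the organisation's own RDP hosts.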
While the total number of victims throughout the campaign is unclear, Trend Micro says approximately 200 high-profile victims were targeted in a single day when the campaign was at its peak, in late October 2024.
The victims included government and military organizations, think tanks and academic researchers, entities related to the Ukrainian government, a cloud service provider and entities associated with the Dutch Ministry of Foreign Affairs.
Most are located in Europe, the United States, Japan, Ukraine and Australia.
For context, Midnight Blizzard is also known as APT29, Earth Koshchei, or Cozy Bear. It is a sophisticated, persistent threat group sponsored by the Russian government and under the direct control of the Russian Foreign Intelligence Service (SVR). It is known for conducting cyber espionage campaigns, mainly in Western countries.
Via BleepingComputer