Midnight Blizzard launched a spear-phishing campaign to distribute malicious RDP files. Are you familiar with the signature identified by Microsoft Defender for this campaign? Additionally, do you know the number of well-known RDP files, the number of sender domains, and the APT designation associated with Midnight Blizzard?
CYBERGON_CTF2024{Signature_XX_XX_APTXX}
Breaking the question into small parts, we have:
Are you familiar with the signature identified by Microsoft Defender for this campaign?
From the website mentioned at the start of this blog, I found this:
The signature therefore seems to be: Backdoor:Script/HustleCon.A
Do you know the number of well-known RDP files?
I also found the list of RDP files as shown below:
Counting from what has been listed here, we have a total of: 15
Number of sender domains?
I could also find the sender domains as shown below. We can count up to: 5
The APT designation associated with Midnight Blizzard?
Looking at the MITRE ATT&CK framework, Midnight Blizzard is tracked as APT29.
With what I have collected so far, the flag construction looks like this:
CYBERGON_CTF2024{Backdoor:Script/HustleCon.A_15_05_APT29}
Flag Format - CYBERGON_CTF2024{YYYY:MM:DD:HH:MM:SS}
We were given this file. I first tried to look at the contents of the document and get the expiration date that was there, but I couldn't see the specific time. So I tried to default to 00:00:00. When I submitted the flag, it failed, and I was left with just one attempt. I therefore consulted my friend ChatGPT, and he gave me this command that helped me retrieve the exact details I needed: