The notorious Russian advanced persistent threat group APT28 is the latest in a growing number of attackers trying to exploit the “Follina” vulnerability in the Microsoft Support Diagnostic Tool (MSDT) on Windows.
Malwarebytes researchers this week observed the threat actor – aka Fancy Bear and Sofacy – sending a malicious document with an exploit for the now patched flaw (CVE-2022-30190) via phishing emails to users in Ukraine. The document was titled “Nuclear Terrorism A Very Real Threat.rtf” and appeared designed to exploit fears that the war in Ukraine could escalate into a nuclear holocaust.
Malwarebytes identified the contents of the document as a May 10 Atlantic Council article on the possibility of Russian President Vladimir Putin using nuclear weapons in Ukraine.
Users who opened the document found themselves with a new version of a previously known .Net credential stealer loaded onto their systems via the Follina exploit, which made headlines like day zero more early this month. The malware is designed to steal usernames, passwords and URLs from Chrome and Microsoft Edge browsers. It can also retrieve all cookies stored in Chrome, according to Malwarebytes researchers.
The Ukrainian Computer Emergency Response Team (CERT-UA) warned separately of the same threat. In a notice, it said it spotted APT28 using the same malicious document that Malwarebytes reported to try to distribute CredoMap credential-stealing malware to users in Ukraine.
Available telemetry suggests the adversary has been using the document since at least June 10, CERT-UA says.
“The targeting and involvement of APT28, (a division of Russian military intelligence), suggests that the campaign is part of the conflict in Ukraine, or at the very least related to the foreign policy and military objectives of the Russian state. “, says Malwarebytes in a Tuesday report on the new activity.
Follina’s Feeding Frenzy
The Follina bug in MSDT exists in all current versions of Windows and can be exploited through malicious Microsoft Office documents. To trigger it, all an attacker needs to do is call MSDT from an Office application, such as Word, using the URL protocol. Attackers can exploit the flaw to take remote control of vulnerable systems and perform various malicious actions on them, including executing malicious code, installing programs, modifying data, and creating new accounts.
Microsoft disclosed the flaw in late May amid widespread zero-day exploit activity. The company finally released a patch for the vulnerability in its set of monthly Patch Tuesday security updates for June.
Malwarebytes describes the Ukrainian countryside as the first time it observed APT28 exploiting Follina. But many other groups, including other state-backed actors, have actively exploited the vulnerability in recent weeks.
Many attacks have targeted Ukrainian entities. Earlier this month, for example, CERT-UA warned of a threat actor – likely Russian group Sandworm APT – using a Follina exploit in a “massive cyberattack” targeting media in Ukraine.
And just this week, CERT-UA warned of a threat group it tracks as UAC-0098, which targets critical infrastructure in Ukraine with a tax-themed document carrying an exploit. Follina. According to CERT-UA, attackers in this campaign leverage Follina to drop the post-compromise attack tool Cobalt Strike Beacon on compromised systems.
Other reports of Follina-related activity have also emerged, suggesting that the flaw is of great interest to attackers and needs to be patched quickly. Earlier this month, Proofpoint reported that it had blocked a phishing campaign likely backed by statements involving a Follina exploit that targeted a handful of its customers. The phishing email posed as a pay rise document, which if opened would have resulted in a PowerShell script being downloaded to the system.
Symantec also reported observing a variety of malicious actors leveraging Follina to distribute different malicious payloads, including the AsyncRAT remote access Trojan and other unnamed malware to steal cookies and save login data. browsers such as Chrome, Edge and Firefox.