Ukraine's Computer Emergency Response Team (CERT-UA) has warned that Russian state-aligned hacking groups are exploiting the Follina remote code execution vulnerability in recent spear-phishing campaigns to deliver the CredoMap malware and Cobalt Strike beacons. The APT28 group is believed to be behind emails carrying an attachment named “Nuclear Terrorism A Very Real Threat.rtf.” The threat actors chose this subject to entice recipients into opening the file, capitalizing on the widespread fear of a nuclear strike among Ukrainians.
Threat actors used a similar lure in May 2022, when CERT-UA discovered fake documents circulating that warned of a chemical attack. The RTF document in the APT28 campaign attempts to exploit CVE-2022-30190, better known as “Follina,” to download and execute the CredoMap malware (docx.exe) on the target's machine. This flaw in the Microsoft Support Diagnostic Tool (MSDT) has been abused in the wild since at least April 2022; it lets an attacker trigger a malicious download simply by having the victim open a document file or, in the case of RTFs, merely preview it in the Windows Explorer preview pane, with no macros required.
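Two places a defender can catch this class of attack are the document itself and the process tree it produces. The Python below is an added example written for this article, not code from CERT-UA, Malwarebytes, or the article's author. It implements two heuristics: a scan of a .docx package for an OLE-object relationship with `TargetMode="External"` (the technique a Follina DOCX such as the tax-themed lure described later in this article uses to pull an attacker-hosted HTML page; the relationship type URI is the real OOXML constant, but the RTF variant embeds its object differently and is not covered here), and a check of process-creation events for msdt.exe spawned by an Office application or launched with an `ms-msdt:` URI whose `IT_BrowseForFile` parameter carries PowerShell `$( )` command substitution, the injection point Follina abuses. The parent-process list, the sample document, and the sample events are constructed for the example; the second event's command line is abbreviated from the publicly documented Follina pattern, not a real capture.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML relationship type for embedded or linked OLE objects (real constant).
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

# Assumption for this example: Office hosts that should never spawn msdt.exe.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def external_ole_targets(docx_bytes):
    """Return OLE-object relationship targets marked TargetMode="External".
    A Follina-style DOCX points such a relationship at an attacker-hosted
    HTML page that invokes the ms-msdt: handler; benign documents normally
    embed OLE objects internally under word/embeddings/."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith("_rels/document.xml.rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter("{%s}Relationship" % PKG_NS):
                if (rel.get("Type") == OLE_REL_TYPE
                        and rel.get("TargetMode") == "External"):
                    hits.append(rel.get("Target", ""))
    return hits


# ms-msdt: URI whose IT_BrowseForFile value contains $( ... ) substitution.
MSDT_RE = re.compile(r"ms-msdt:", re.I)
INJECT_RE = re.compile(r'IT_BrowseForFile=[^"]*\$\(', re.I)


def suspicious_msdt_events(events):
    """Flag process-creation events (Sysmon Event ID 1 style dicts).
    Returns [(ProcessId, [reasons, ...]), ...] for Follina-like launches."""
    alerts = []
    for ev in events:
        image = ev["Image"].rsplit("\\", 1)[-1].lower()
        parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
        cmd = ev["CommandLine"]
        reasons = []
        if image == "msdt.exe" and parent in OFFICE_PARENTS:
            reasons.append("msdt.exe spawned by " + parent)
        if MSDT_RE.search(cmd) and INJECT_RE.search(cmd):
            reasons.append("ms-msdt: URI with $( ) injection in IT_BrowseForFile")
        if reasons:
            alerts.append((ev["ProcessId"], reasons))
    return alerts


def build_sample_docx(external_target=None):
    """Constructed minimal .docx for the example (not a real lure). With
    external_target set, the OLE relationship is external, as in Follina."""
    if external_target:
        rel = ('<Relationship Id="rId5" Type="%s" Target="%s" '
               'TargetMode="External"/>' % (OLE_REL_TYPE, external_target))
    else:
        rel = ('<Relationship Id="rId5" Type="%s" '
               'Target="embeddings/oleObject1.bin"/>' % OLE_REL_TYPE)
    rels = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            '<Relationships xmlns="%s">%s</Relationships>' % (PKG_NS, rel))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


# Constructed events: a legitimate troubleshooter launch from Explorer and a
# Word-spawned msdt.exe with an abbreviated Follina-style command line.
SAMPLE_EVENTS = [
    {"ProcessId": 1000, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\msdt.exe",
     "CommandLine": "msdt.exe -id NetworkDiagnosticsWeb"},
    {"ProcessId": 4321,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\msdt.exe",
     "CommandLine": ('"C:\\Windows\\System32\\msdt.exe" ms-msdt:/id PCWDiagnostic '
                     '/skip force /param "IT_RebrowseForFile=? '
                     'IT_LaunchMethod=ContextMenu '
                     'IT_BrowseForFile=$(Invoke-Expression(...))i/../../../'
                     'Windows/System32/mpsigstub.exe"')},
]

if __name__ == "__main__":
    print(external_ole_targets(build_sample_docx("http://example.invalid/x.html!")))
    print(suspicious_msdt_events(SAMPLE_EVENTS))
```

The two checks are deliberately independent: the document scan works on mail-gateway attachments before anyone opens them, while the process check catches the preview-pane case where no Office process is involved, since the injection pattern in the command line is flagged regardless of the parent.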
CredoMap is a malware strain that many AV engines on VirusTotal detect, and several vendors classify it as a password-stealing Trojan. Malwarebytes explained in a related report that the payload is an info-stealer deployed by APT28 against Ukrainian targets in May. The malware attempts to steal data such as account passwords and cookies from the Chrome, Edge, and Firefox web browsers. It then exfiltrates the stolen data over the IMAP email protocol, sending everything to a C2 address hosted on what appears to be an abandoned Dubai-based website.
According to cybersecurity researcher MalwareHunterTeam, who uncovered the campaign, the malware uses hard-coded IMAP credentials, which could allow any researcher to access the stolen data. Last week, CERT-UA warned about Russian hackers from the Sandworm group exploiting CVE-2022-30190; this time, the threat actors behind the attacks have been identified as APT28.
APT28 (also tracked as STRONTIUM, Fancy Bear, and Sofacy) is a Russian state-linked threat group that specializes in cyber espionage and has been targeting government, military, and security organizations since 2007. Separately, CERT-UA has uncovered a campaign by a threat actor tracked as UAC-0098 that also exploits CVE-2022-30190 to infect victims with minimal user interaction.
In this case, according to CERT-UA, the threat actor uses a DOCX file named “Imposition of penalties.docx.” The payload is a recently compiled Cobalt Strike beacon (ked.dll) fetched from a remote server. The emails purport to come from Ukraine's State Tax Service and carry the subject line “Notice of Non-Payment of Tax.”
The lure may well succeed against many recipients: with Ukraine at war with Russia, many residents have understandably neglected their usual tax obligations to the state. CERT-UA advises employees at critical organizations to remain vigilant against email-borne threats as the volume of spear-phishing attacks continues to rise.