A new phishing attack has exploited a critical Microsoft Windows zero-day vulnerability known as Follina by using malicious Rich Text Format (RTF) documents. It was exploited against European nations and US local government.
Hacking has grown increasingly widespread in Eastern Europe because of the geopolitical crisis. According to BleepingComputer at least two US states have been targeted by this phishing attack.
The attackers convinced employees to open the lure documents, which would then execute a PowerShell script as the ultimate payload. This is used to detect whether the system is a virtual machine, steal data from a variety web browser, mail clients, and file services, and collect system data that is then sent to an attacker server.
Vulnerability in Windows Using PowerShell script
BleepingComputer discovered while inspecting the final PowerShell payload of this attack. Because the obtained data can be used for initial access, threat actors are capturing significant volumes of information disclosing the nature of this campaign’s reconnaissance attack.
- It can gather passwords from a variety of browsers, including Mozilla Firefox, Google Chrome, Opera, Microsoft Edge, and others.
- It can obtain a list of users, machine information, and Windows domain information in Windows.
- It can harvest information from a variety of websites, including WeChat, Microsoft Office, Mozilla Thunderbird passwords, and many others.
In setting of the user’s permissions, the attacker can install apps, read, edit, or remove data, and create new accounts. The authorization of the user is needed for all of these actions.
According to researchers:
A state-affiliated actor is behind this zero-day attack. We haven’t yet assigned it to a numbered TA because of the extensive recon of the PowerShell and the exact targeting.
CVE-2022-30190 was assigned to the security hole used in these attacks. Redmond defined it as a remote code execution vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT).
A Zero-day vulnerability can be used to run malicious script with the caller app’s capabilities to install applications, read, alter, or remove data, if properly exploited.
MalwareHunterTeam, a group of computer security experts, discovered harmful documents with Chinese filenames that were used to spread password-stealing trojans. Sextortion threats used as baits in the initial attacks targeting this zero-day, which began more than a month ago.
Has your organisation started to increase cyber security measures yet? Start your two-week free trial today.