Hackers Abuse Follina Bug To Use Rozena Backdoor


A newly observed phishing campaign takes advantage of the recently revealed Follina security vulnerability to spread a previously undocumented backdoor on Windows systems.

“Rozena is a backdoor malware capable of injecting a remote shell connection back to the attacker’s computer,” Fortinet FortiGuard Labs researcher Cara Lin said in a report this week.

Tracked as CVE-2022-30190, the now-patched Microsoft Windows Support Diagnostic Tool (MSDT) remote code execution vulnerability has been heavily exploited in recent weeks since it was exposed in late May 2022.

The starting point for the latest attack chain observed by Fortinet is a weaponized Office document which, when opened, connects to a Discord CDN URL to retrieve an HTML file (“index.htm”) that in turn invokes the diagnostic utility through a PowerShell command to download next-stage payloads from the same CDN attachment space.

This includes the Rozena implant (“Word.exe”) and a batch file (“cd.bat”) designed to terminate MSDT processes, establish persistence for the backdoor through a Windows registry modification, and download a harmless Word document as a decoy.

The core function of the malware is to inject shellcode that opens a reverse shell to the attacker’s host (“microsofto.duckdns[.]org”), ultimately allowing the attacker to take control of the system to monitor and record information while also maintaining backdoor access to the compromised machine.
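As an added illustration (not code from Fortinet's report), the following Python scores constructed Sysmon-style process-creation events against the parent/child relationships and file names described in the chain above; the Discord CDN hostname cdn.discordapp.com and all sample paths are assumptions, and the exploit parameters are deliberately omitted.

```python
import re

# Detection logic for the Follina -> Rozena chain. The file names and the C2
# host come from the article; cdn.discordapp.com and the paths are assumptions.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
PAGE_IOCS = {  # indicator name -> regex applied to the lower-cased command line
    "index.htm": r"\bindex\.htm\b",
    "Word.exe": r"\bword\.exe\b",        # \b keeps WINWORD.EXE from matching
    "cd.bat": r"\bcd\.bat\b",
    "microsofto.duckdns.org": r"microsofto\.duckdns\.org",
    "cdn.discordapp.com": r"cdn\.discordapp\.com",
}

def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def classify(event):
    """Return the rule names a process-creation event triggers ([] = benign)."""
    parent, image = _basename(event["parent_image"]), _basename(event["image"])
    cmd = event["command_line"].lower()
    hits = []
    if parent in OFFICE_APPS and image == "msdt.exe":     # Office never needs MSDT
        hits.append("office_spawns_msdt")
    if image == "msdt.exe" and "powershell" in cmd:       # MSDT driving PowerShell
        hits.append("msdt_invokes_powershell")
    if parent == "msdt.exe" and image in {"powershell.exe", "cmd.exe"}:
        hits.append("msdt_child_shell")
    if image == "taskkill.exe" and "msdt" in cmd:         # cd.bat cleanup stage
        hits.append("taskkill_msdt")
    hits += [f"ioc:{n}" for n, p in PAGE_IOCS.items() if re.search(p, cmd)]
    return hits

def scan(events):
    """Map event index -> triggered rules, keeping only events with a hit."""
    return {i: h for i, e in enumerate(events) if (h := classify(e))}

SAMPLE_EVENTS = [  # constructed log records; exploit parameters omitted
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\msdt.exe",
     "command_line": r"msdt.exe ms-msdt:<parameters omitted> powershell <omitted> "
                     r"https://cdn.discordapp.com/attachments/<constructed>/index.htm"},
    {"parent_image": r"C:\Windows\System32\msdt.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell -c <omitted> -OutFile C:\Users\Public\Word.exe; "
                     r"<omitted> -OutFile C:\Users\Public\cd.bat"},
    {"parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\taskkill.exe",
     "command_line": r"taskkill /F /IM msdt.exe"},
    {"parent_image": r"C:\Windows\explorer.exe",   # benign: a user opening a document
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": r'"C:\...\Office16\WINWORD.EXE" /n "C:\Users\alice\report.docx"'},
]
```

Running `scan(SAMPLE_EVENTS)` flags the first three events and leaves the benign Word launch untouched; the word-boundary regex is what stops the "Word.exe" indicator from firing on every WINWORD.EXE command line.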

Exploitation of the Follina flaw to distribute malware via malicious Word documents comes as social engineering attacks increasingly rely on Microsoft Excel, Windows Shortcut (LNK), and ISO image files as droppers to deploy malware such as Emotet, QBot, IcedID, and Bumblebee on a victim’s device.

The droppers are distributed via emails containing the dropper directly, a password-protected ZIP as an attachment, an HTML file that extracts the dropper when opened, or a link to download the dropper in the body of the email.

While attacks spotted in early April prominently featured Excel files containing XLM macros, Microsoft’s decision to block macros by default around the same time appears to have forced threat actors to switch to alternative methods such as HTML smuggling and .LNK and .ISO files.

Last month, Cyble disclosed details of a malware tool called Quantum being sold on underground forums to equip cybercriminals with capabilities to build malicious .LNK and .ISO files.

It is worth noting that macros are a proven attack vector for adversaries looking to drop ransomware and other malware onto Windows systems, whether through phishing emails or other means.

Microsoft has since temporarily paused its plans to disable Office macros in files downloaded from the Internet, with the company telling The Hacker News it is taking the time to “make additional changes to improve usability.”