Russian hackers exploit Microsoft Follina vulnerability against Ukraine


The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of a new series of spear-phishing attacks that use the “Follina” flaw in the Windows operating system to deploy password-stealing malware.

Attributing the intrusions to a Russian nation-state group tracked as APT28 (aka Fancy Bear or Sofacy), the agency said the attacks begin with a lure document titled “Nuclear Terrorism A Very Real Threat.rtf” that, when opened, exploits the recently disclosed vulnerability to download and run malware called CredoMap.

Follina (CVE-2022-30190, CVSS score: 7.8) is a remote code execution flaw in the Windows Support Diagnostic Tool (MSDT); Microsoft addressed it on June 14, 2022 as part of its Patch Tuesday updates.
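Follina exploitation leaves a distinctive process trail: the Office application that rendered the lure launches msdt.exe. The following added example (not CERT-UA's or the article's code) flags that parent/child pairing in process-creation logs; the key=value log format, the parent allowlist and every sample record are constructed assumptions for this illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Office applications that render RTF/DOCX lures; none of them should
# normally launch the Windows Support Diagnostic Tool (msdt.exe).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "wordpad.exe"}
# Assumed allowlist of parents that legitimately start msdt.exe (a user
# opening a Control Panel troubleshooter); tune this per environment.
BENIGN_MSDT_PARENTS = {"explorer.exe", "control.exe", "svchost.exe"}
# Assumed key=value record format; quoted values may contain spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value log line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]

def classify(event: Dict[str, str]) -> Optional[str]:
    """Return why the event is suspicious, or None if it is not."""
    if basename(event.get("image", "")) != "msdt.exe":
        return None
    parent = basename(event.get("parent", ""))
    if parent in OFFICE_PARENTS:
        return f"msdt.exe spawned by Office process {parent}"
    if "ms-msdt:" in event.get("cmdline", "").lower() and parent not in BENIGN_MSDT_PARENTS:
        return f"ms-msdt: handler invoked from unexpected parent {parent}"
    return None

def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, host, reason) for every suspicious record, in order."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        reason = classify(ev)
        if reason:
            hits.append((ev.get("ts", "?"), ev.get("host", "?"), reason))
    return hits

# Constructed sample records: a benign troubleshooter launch, a Word-spawned
# msdt.exe, an unrelated Word child process, and a scripted ms-msdt: call.
SAMPLE_LOG = [
    r'ts=2022-06-20T09:14:02Z host=WS01 parent=explorer.exe image=C:\Windows\System32\msdt.exe cmdline="msdt.exe /id NetworkDiagnosticsWeb"',
    r'ts=2022-06-20T09:15:47Z host=WS01 parent=WINWORD.EXE image=C:\Windows\System32\msdt.exe cmdline="msdt.exe ms-msdt:/id PCWDiagnostic"',
    r'ts=2022-06-20T09:16:10Z host=WS02 parent=WINWORD.EXE image=C:\Windows\splwow64.exe cmdline="splwow64.exe 12288"',
    r'ts=2022-06-20T09:20:33Z host=WS03 parent=powershell.exe image=C:\Windows\System32\msdt.exe cmdline="msdt.exe ms-msdt:/id PCWDiagnostic"',
]
```

Running `scan(SAMPLE_LOG)` yields two hits (the Word-spawned msdt.exe on WS01 and the scripted ms-msdt: call on WS03); the explorer.exe troubleshooter launch is left alone.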

According to an independent report published by Malwarebytes, CredoMap is a variant of the .NET-based credential stealer that Google's Threat Analysis Group revealed last month as being deployed against users in Ukraine.

The main purpose of the malware is to exfiltrate data, including passwords and stored cookies, from popular browsers such as Google Chrome, Microsoft Edge and Mozilla Firefox.

“While looting browsers may seem like petty theft, passwords are the key to accessing sensitive information and intelligence,” Malwarebytes said. “The target, and the involvement of APT28, a branch of the Russian military intelligence service, suggests that the campaign is part of the conflict in Ukraine, or at least related to the foreign policy and military objectives of the Russian state.”

It’s not just APT28. CERT-UA has also warned of a comparable set of attacks mounted by Sandworm and an actor tracked as UAC-0098 that use a Follina-based infection chain to deploy CrescentImp and Cobalt Strike Beacons on targeted hosts.

The development comes as Ukraine remains a target for cyber-attacks amid the country’s ongoing war with Russia, which has also seen the Armageddon hackers distributing the GammaLoad.PS1_v2 malware in May 2022.