A suspected state-aligned threat actor has been blamed for a new series of attacks that exploit the Microsoft Office “Follina” vulnerability to target government agencies in Europe and the US.
Enterprise security firm Proofpoint said it was blocking attempts to exploit the remote code execution flaw, which is tracked as CVE-2022-30190 (CVSS score: 7.8). As many as 1,000 phishing messages containing a decoy document were sent to the targets.
“This campaign masqueraded as a pay raise and used an RTF with the exploit payload downloaded from 45.76.53[.]253,” the company said in a series of tweets.
The payload, which manifests itself in the form of a PowerShell script, is Base64 encoded and functions as a downloader to retrieve a second PowerShell script from a remote server called “seller-notification[.]live.”
“This script checks for virtualization, steals information from local browsers, email clients and file services, performs machine recon and then zips it for exfil[tration] up to 45.77.156[.]179,” the company added.
The phishing campaign has not been linked to any previously known group, but Proofpoint said it was likely mounted by a state-aligned actor, based on the specificity of the targeting and the extensive reconnaissance capabilities of the PowerShell payload.
The development follows active exploit attempts by a Chinese threat actor tracked as TA413 to deliver weaponized ZIP archives containing malicious Microsoft Word documents.
The Follina vulnerability, which uses the “ms-msdt:” protocol URI scheme to remotely take control of target devices, remains unpatched, and Microsoft is urging customers to disable the protocol to close off the attack vector.
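The following PowerShell script is an added example, not code from Proofpoint, 0patch or Microsoft, that applies the workaround referred to above: it backs up and then removes the ms-msdt: protocol handler registration so that a document embedding an ms-msdt: URI can no longer launch the diagnostic tool. It assumes the handler is registered under HKEY_CLASSES_ROOT\ms-msdt (Microsoft's published workaround) and that the backup location is the operator's own choice; it must run in an elevated session.

```powershell
# Added example (not the article's or any vendor's code): disable the ms-msdt:
# URL protocol handler as an interim mitigation for CVE-2022-30190.
# Assumptions: handler key is HKEY_CLASSES_ROOT\ms-msdt; backup path is ours.
$HandlerKey = 'HKEY_CLASSES_ROOT\ms-msdt'
$BackupFile = Join-Path $env:ProgramData 'ms-msdt-handler-backup.reg'

function Test-MsdtHandlerPresent {
    # $true while the ms-msdt: protocol is still registered on this host.
    return Test-Path -Path "Registry::$HandlerKey"
}

function Disable-MsdtProtocol {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this script from an elevated (Administrator) PowerShell session.'
    }

    if (-not (Test-MsdtHandlerPresent)) {
        Write-Output "ms-msdt: handler is not registered; nothing to do."
        return
    }

    # 1. Export the key first so the change can be reverted once a patch ships
    #    (restore with: reg.exe import <backup file>).
    & reg.exe export $HandlerKey $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "Backup of $HandlerKey failed (exit code $LASTEXITCODE); aborting."
    }

    # 2. Remove the handler; msdt.exe is then no longer reachable via ms-msdt: URIs.
    if ($PSCmdlet.ShouldProcess($HandlerKey, 'Remove ms-msdt protocol handler')) {
        & reg.exe delete $HandlerKey /f | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "Deletion of $HandlerKey failed (exit code $LASTEXITCODE)."
        }
    }

    # 3. Verify the mitigation actually took effect before reporting success.
    if (Test-MsdtHandlerPresent) {
        throw 'Handler is still present after deletion; check permissions and policy.'
    }
    Write-Output "ms-msdt: handler removed; backup written to $BackupFile"
}

Disable-MsdtProtocol
```

Use `Disable-MsdtProtocol -WhatIf` to preview the change on a fleet before rolling it out, and keep the exported .reg file so the handler can be restored after the vendor patch is applied.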
In the absence of a security update, 0patch has released an unofficial fix to block ongoing attacks on Windows systems that target the Microsoft Windows Support Diagnostic Tool (MSDT) vulnerability.
“It doesn’t matter which version of Office you have installed, or if you have Office installed at all, the vulnerability can also be exploited via other attack vectors,” said Mitja Kolsek of 0patch.
“Proofpoint continues to see targeted attacks leveraging CVE-2022-30190,” Sherrod DeGrippo, vice president of threat research, said in a statement shared with The Hacker News.
“The extensive exploration performed by the second PowerShell script shows that an actor is interested in a wide variety of software on a target’s computer. This, combined with the strict targeting of European government and local US governments, made us suspect that this campaign has a state of alignment.”