For war-torn Ukraine, conditions remain difficult and challenging. A new malware threat has arrived as the country's battle against Russia runs well past its 100th day.

Ukraine’s CERT issues malware warning

  • The CERT-UA has shared information about a new malicious campaign with Ukrainian media organizations as its prime target.
  • The hackers’ objective is to exploit the recently disclosed Follina vulnerability (CVE-2022-30190) to infect victims' machines with the CrescentImp malware.

How can CrescentImp harm you?

  • CrescentImp malware is capable of stealing sensitive information from an infected computer and providing its operators with a backdoor through which additional malware can be downloaded.
  • With moderate confidence, CERT-UA, which tracks this malicious campaign as UAC-0113, attributes the activity to the Russia-linked Sandworm advanced persistent threat group.

Who are the targets?

  • The attack campaign is aimed at Ukrainian radio stations, newspapers, news agencies, etc., and involves malicious emails that contain an attached document.
  • The CERT-UA team said it has identified over 500 email addresses targeted in this campaign.

How does the infection work?

CVE-2022-30190 affects the Microsoft Windows Support Diagnostic Tool (MSDT) and allows a remote attacker to execute arbitrary shell commands on the target system.
  • When a victim opens the document, an HTML file is downloaded to the victim's machine, and JavaScript code is executed.
  • The code downloads and runs the CrescentImp malware EXE file named "2.txt."
  • This malware is still in its early stages, so it's difficult to say what capabilities it possesses.
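
For defenders, the chain above leaves a visible trace: an Office application starting msdt.exe. The following is an added example, not code from CERT-UA or this article, that triages process-creation events for that pattern. The event field names, the sample events, and the command-line indicators (the ms-msdt: protocol and the file-browse parameter names from public CVE-2022-30190 guidance) are assumptions.

```python
import ntpath

# Office applications that normally have no reason to launch the diagnostic tool.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Parameter names from public CVE-2022-30190 guidance (assumption: not in the article).
SUSPICIOUS_ARGS = ("it_browseforfile", "it_rebrowseforfile")

def score_event(event):
    """Return the reasons a process-creation event looks like MSDT abuse."""
    reasons = []
    image = ntpath.basename(event.get("image", "")).lower()
    parent = ntpath.basename(event.get("parent_image", "")).lower()
    cmdline = event.get("command_line", "").lower()
    if image != "msdt.exe":
        return reasons  # only msdt.exe launches are of interest here
    if parent in OFFICE_PARENTS:
        reasons.append(f"msdt.exe spawned by {parent}")
    if "ms-msdt:" in cmdline:
        reasons.append("invoked through the ms-msdt: URL protocol")
    if any(arg in cmdline for arg in SUSPICIOUS_ARGS):
        reasons.append("troubleshooter file-browse parameter on command line")
    return reasons

def triage(events):
    """Map host -> reasons for every event with at least one finding."""
    findings = {}
    for ev in events:
        reasons = score_event(ev)
        if reasons:
            findings.setdefault(ev["host"], []).extend(reasons)
    return findings

# Constructed sample events (not real telemetry); field names are assumed.
SAMPLE_EVENTS = [
    {"host": "NEWSROOM-01", "image": r"C:\Windows\System32\msdt.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": 'msdt.exe ms-msdt:/id <constructed> /param "IT_BrowseForFile=<redacted>"'},
    {"host": "HELPDESK-02", "image": r"C:\Windows\System32\msdt.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "msdt.exe /id NetworkDiagnosticsWeb"},
    {"host": "NEWSROOM-03", "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_EVENTS).items():
        print(host, "->", "; ".join(reasons))
```

Only the first constructed event is flagged; a help-desk launch of msdt.exe from explorer.exe and an unrelated child of Word pass through.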

Have similar attacks occurred in the past?

Earlier this month, the team reported discovering a malicious campaign that used two Windows zero-day vulnerabilities, including CVE-2022-30190, to infect Ukrainian government agencies' networks with the Cobalt Strike Beacon malware.


After more than three months of the war, normal life in Ukraine has taken a serious beating, and malware attacks like CrescentImp will only add to the country's struggle to stay afloat in the face of Russia's relentless aggression.
Cyware Publisher