A phishing campaign is targeting European governments and U.S. local governments. The campaign used malicious RTF documents to exploit the Follina zero-day vulnerability.

Exploiting Follina

Proofpoint has blocked the phishing campaign, which targeted fewer than ten of its customers and attempted to exploit Follina.
  • At least two U.S. states were targeted in the recent phishing campaign.
  • The attackers have used salary increase promises to lure employees to open malicious documents.
  • Once the document is opened, a PowerShell script is deployed as the final payload.

A reconnaissance attack?

The attackers are harvesting large amounts of information from the infected machines. Since the collected data can be used for initial access, it is suspected that the aim of this campaign is reconnaissance.
  • The attack gathers passwords from a large number of browsers including Chrome, Firefox, Edge, Opera, Yandex, Vivaldi, and CentBrowser.
  • Additional targeted apps include Thunderbird, NetSarang session files, Windows Live Mail contacts, WeChat, PuTTY, Navicat, Radmin, WinSCP, and Microsoft Office.

Conclusion

The recent exploitation of Follina shows how eager cybercriminals are to take advantage of a zero-day flaw for which a patch is still awaited. In the meantime, CISA suggests disabling the MSDT URL protocol and using the unofficial patches released by 0patch.
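The workaround mentioned above (disabling the MSDT URL protocol) comes down to removing the registry key that maps `ms-msdt:` URLs to the Support Diagnostic Tool, which is what Microsoft's own interim guidance for Follina described. The script below is an added example and is not code from the Cyware write-up, Proofpoint, CISA or 0patch; it backs the key up before removing it so the change can be reverted once a patch is installed, and exposes a check function an administrator can run to confirm the state of a host. The backup location under `$env:ProgramData` is an assumption chosen for this example.

```powershell
#Requires -RunAsAdministrator
# Added example: apply and verify the "disable the MSDT URL protocol" workaround.
# Assumption: the backup file location is arbitrary; adjust it for your environment.

$MsdtKey    = 'HKEY_CLASSES_ROOT\ms-msdt'                      # handler for ms-msdt: URLs
$BackupFile = Join-Path $env:ProgramData 'ms-msdt-backup.reg'  # assumed backup location

function Test-MsdtProtocolDisabled {
    # $true when the ms-msdt: handler key is absent, i.e. the workaround is in place.
    -not (Test-Path "Registry::$MsdtKey")
}

function Disable-MsdtProtocol {
    if (Test-MsdtProtocolDisabled) {
        Write-Output "ms-msdt handler already removed; nothing to do."
        return
    }
    # Export the key first so the workaround can be undone later.
    reg.exe export $MsdtKey $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of $MsdtKey failed; aborting." }

    # Remove the handler so ms-msdt: URLs no longer launch msdt.exe.
    reg.exe delete $MsdtKey /f | Out-Null
    if (-not (Test-MsdtProtocolDisabled)) { throw "Failed to remove $MsdtKey." }
    Write-Output "ms-msdt handler removed; backup written to $BackupFile"
}

function Restore-MsdtProtocol {
    # Re-import the saved key to undo the workaround after patching.
    if (-not (Test-Path $BackupFile)) { throw "No backup found at $BackupFile" }
    reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Import of $BackupFile failed." }
    Write-Output "ms-msdt handler restored from $BackupFile"
}

# Apply the workaround and report the resulting state.
Disable-MsdtProtocol
Write-Output ("Protocol disabled: " + (Test-MsdtProtocolDisabled))
```

Run it from an elevated PowerShell session; `Test-MsdtProtocolDisabled` on its own is useful as a read-only compliance check across a fleet, and `Restore-MsdtProtocol` reverses the change once the vendor fix is deployed.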
Cyware Publisher