The Ukrainian CERT has warned that Russia's APT28 and UAC-0098 hacker groups are abusing the Follina vulnerability in new phishing campaigns. One of the groups deployed CredoMap malware and Cobalt Strike beacons.
The APT28 group attacks
APT28 is sending emails laden with a malicious document that tries to exploit the fear among Ukrainians about a potential nuclear attack.
The RTF document (named Nuclear Terrorism A Very Real Threat) used in the recent campaign tries to abuse the CVE-2022-30190 (aka Follina) to download and execute the CredoMap malware on a target's device.
Further, the CredoMap malware is delivered to targeted victims to steal information saved in Firefox, Edge, and Chrome web browsers, such as account credentials and cookies.
The Follina vulnerability in Microsoft Diagnostic Tool is being exploited since April, triggering malicious downloads by opening a document file or viewing RTFs in the Windows preview pane.
Use of Cobalt Strike beacons
Along with the above-mentioned malicious activity, the CERT-UA spotted a different campaign by another threat actor tracked as UAC-0098, abusing Follina to infect the target.
The attacker is using a DOCX file named Imposition of penalties[.]docx and the Cobalt Strike beacon (ked[.]dll) payload is obtained from a remote resource with a recent compilation date of June 16.
The emails pretended to have been sent by the State Tax Service of Ukraine, with the subject ‘Notice of non-payment of tax. Due to the ongoing war’, many citizens are not paying the tax, making them potential targets in this campaign.
Russian hackers have been targeting Ukrainian entities and governments since the start of the war, and the use of the latest exploits indicates that they are continuously making efforts to sharpen their attacks further. More attacks are expected from Russian state-sponsored hacker groups. Thus, CERT-UA advises staying alert against email-delivered threats, due to increasingly sophisticated phishing attacks.