Sandworm hackers attack Ukrainian media through the vulnerability of Follina


The government’s Computer Emergency Response Team of Ukraine (CERT-UA) became aware of a phishing campaign in which Russian hackers send malicious emails to Ukrainian media outlets (radio stations, newspapers, news agencies and others). In total, CERT-UA identified over 500 recipient email addresses.

Emails with the subject “List of links to interactive maps” are sent from hacked mailboxes of government agencies. They contain the document “СПИСОК_посилань_на_інтерактивні_карти.docx”; opening it loads an HTML file onto the recipient’s system and executes JavaScript code, which in turn downloads and runs the EXE file 2.txt. This file is identified as the Cresentimp malware.

During the attack, the attackers exploit the widely publicized vulnerability CVE-2022-30190 in the Microsoft Windows Support Diagnostic Tool (MSDT), known as Follina. The vulnerability allows remote code execution and affects all supported versions of Windows. There is no official Microsoft fix for it; however, an unofficial patch is available on the 0patch platform.
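The infection chain above (a Word document that pulls an HTML file, which runs JavaScript that invokes MSDT) leaves a process-creation trail that defenders can alert on: an Office application spawning msdt.exe, and a command line carrying the ms-msdt: URI scheme that Follina abuses. The following is an added example, not code from CERT-UA or from the article; the event format, the field names (ParentImage, Image, CommandLine) and the sample records are constructed to resemble Sysmon Event ID 1 data and are assumptions of this example.

```python
"""Detect the Follina (CVE-2022-30190) delivery pattern in process-creation logs.

Added example. The three JSON records below are constructed to look like
Sysmon-style process-creation events; they are not real telemetry.
"""
import json
import re

# Office processes that should never legitimately launch the diagnostic tool.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# The ms-msdt: protocol handler is what the Follina chain invokes.
MSDT_URI = re.compile(r"ms-msdt:", re.IGNORECASE)

# Constructed sample events (assumed format: one JSON object per line).
SAMPLE_EVENTS = [
    # 1. Word opening the lure document: benign on its own.
    r'{"ParentImage": "C:\\Windows\\explorer.exe", '
    r'"Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", '
    r'"CommandLine": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE\" '
    r'/n \"C:\\Users\\editor\\Downloads\\СПИСОК_посилань_на_інтерактивні_карти.docx\""}',
    # 2. Word spawning msdt.exe with an ms-msdt: URI: the Follina pattern.
    r'{"ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", '
    r'"Image": "C:\\Windows\\System32\\msdt.exe", '
    r'"CommandLine": "C:\\Windows\\system32\\msdt.exe ms-msdt:/id PCWDiagnostic /skip force"}',
    # 3. A user launching a troubleshooter from Explorer: legitimate MSDT use,
    #    no Office parent and no URI scheme, so it must not be flagged.
    r'{"ParentImage": "C:\\Windows\\explorer.exe", '
    r'"Image": "C:\\Windows\\System32\\msdt.exe", '
    r'"CommandLine": "\"C:\\Windows\\System32\\msdt.exe\" -id PCWDiagnostic"}',
]


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list:
    """Return the list of detection reasons that apply to one event."""
    reasons = []
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    if image == "msdt.exe" and parent in OFFICE_PARENTS:
        reasons.append("office-spawned-msdt")
    if MSDT_URI.search(cmdline):
        reasons.append("ms-msdt-uri")
    return reasons


def scan_events(lines: list) -> dict:
    """Map the index of each suspicious event to its detection reasons.

    Events that trigger no rule are omitted, so an empty dict means clean.
    """
    alerts = {}
    for index, line in enumerate(lines):
        reasons = classify(json.loads(line))
        if reasons:
            alerts[index] = reasons
    return alerts


if __name__ == "__main__":
    for index, reasons in scan_events(SAMPLE_EVENTS).items():
        print(f"event {index}: {', '.join(reasons)}")
```

Two independent rules are kept on purpose: the parent/child rule catches the Office-to-MSDT hop even if the command line is obfuscated, while the URI rule catches ms-msdt: invocations from parents other than Office. The third sample record shows that an ordinary troubleshooter launch does not trip either rule.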

According to CERT-UA, the APT-group Sandworm, associated with the government of the Russian Federation, may be behind phishing attacks on the Ukrainian media.