The Computer Emergency Response Group of Ukraine (CERT-UA) said that Russian hackers are using the Follina vulnerability in new phishing campaigns to install CredoMap malware and Cobalt Strike beacons.
According to experts, the hacker group APT28 (also known as Strontium, Fancy Bear and Sofacy) sends emails with a malicious document called “Nuclear terrorism is a real threat.rtf”. The hackers chose this topic to encourage the recipient to open the document, as fear of a potential nuclear attack is widespread among Ukrainians. The RTF document exploits vulnerability CVE-2022-30190 (Follina) to download and run the CredoMap malware (docx.exe) on the victim’s device.
According to the Malwarebytes report, the payload is an infostealer that steals credentials and cookies from the Chrome, Edge and Firefox browsers. The software then exfiltrates the stolen data over the IMAP email protocol, sending everything to the C2 address, which is hosted on an abandoned site in Dubai.
CERT-UA also identified another attacker campaign, attributed to UAC-0098, using CVE-2022-30190. CERT-UA reported that the threat actor used a DOCX file named “Overlay штрафов.docx”, and the payload fetched from a remote resource is a Cobalt Strike beacon (ked.dll) with a recent compilation date.
The emails purport to come from the State Tax Service of Ukraine, with the subject “Notification of non-payment of tax”. Due to Russia’s ongoing special operation in Ukraine, many Ukrainian citizens have stopped paying taxes to the state, so the lure can be effective against many Ukrainians.
CERT-UA advised employees of organizations to remain vigilant against phishing emails, as the number of targeted phishing attacks remains high.