Russia’s APT28 Launches Nuke-Themed Follina Exploit Campaign

Russia’s notorious advanced persistent threat group APT28 is the latest in a growing number of attackers trying to exploit the “Follina” vulnerability in the Microsoft Support Diagnostic Tool (MSDT) in Windows.

Malwarebytes researchers observed this week that the threat actor – also known as Fancy Bear and Sofacy – sent a malicious document exploiting the now-patched bug (CVE-2022-30190) via phishing emails to users in Ukraine. The document was titled “Nuclear Terrorism A Very Real Threat.rtf” and appeared designed to prey on fears that the war in Ukraine was spiraling into a nuclear holocaust.

Malwarebytes identified the contents of the document as an article published by the Atlantic Council on May 10 on the potential for Russian President Vladimir Putin to use nuclear weapons in Ukraine.

Users who opened the document ended up with a new version of a previously known .NET credential stealer loaded on their systems via the Follina exploit, which made headlines as a zero-day earlier this month. The malware is designed to steal usernames, passwords and URLs from the Chrome and Microsoft Edge browsers. It can also capture all cookies stored in Chrome, Malwarebytes researchers say.

Ukraine’s Computer Emergency Response Team (CERT-UA) warned separately about the same threat. In a statement, it said it had seen APT28 using the same malicious document that Malwarebytes reported in an attempt to distribute the CredoMap credential stealer to users in Ukraine.

Available telemetry indicates that the adversary has been using the document since at least June 10, CERT-UA says.

“The goal and involvement of APT28 (a division of Russian military intelligence) suggests that the campaign is part of the conflict in Ukraine or at least linked to the Russian state’s foreign policy and military objectives,” Malwarebytes said in a report on Tuesday about the new activity.

The Follina feeding frenzy

The Follina bug in MSDT is present in all current versions of Windows and can be exploited through malicious Microsoft Office documents. To trigger it, all an attacker has to do is call MSDT from an Office app, such as Word, through its URL protocol handler. Attackers can exploit the bug to gain remote control of vulnerable systems and perform a range of malicious actions on them, including executing code, installing programs, modifying data, and creating new accounts.
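As an added illustration of where defenders can look for the mechanism just described (example checks written for this article, not code from Malwarebytes or CERT-UA): the first inspects a Word document's relationship file for an external OLE object, the hallmark of the Follina document chain, and the second flags process-creation telemetry in which an Office application spawns msdt.exe. The sample document builder, the process records, the attacker.example URL and the `parent`/`image` field names are all constructed assumptions, not data from the campaign; the campaign's own lure was an RTF, which this docx check does not parse.

```python
"""Defender-side checks for the Follina (CVE-2022-30190) pattern described above:
an Office document carrying an external OLE reference, and an Office process
launching msdt.exe. All sample data below is constructed for this example."""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

def scan_docx_relationships(docx_bytes: bytes) -> list[str]:
    """Return targets of external oleObject relationships in a .docx (a zip).
    A remote HTML target is the hallmark of the Follina document chain; the
    ms-msdt: invocation itself lives in that remote page, not in the document."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "word/_rels/document.xml.rels" not in zf.namelist():
            return findings
        root = ET.fromstring(zf.read("word/_rels/document.xml.rels"))
    for rel in root.iter(f"{{{REL_NS}}}Relationship"):
        if rel.get("Type") == OLE_REL and rel.get("TargetMode") == "External":
            findings.append(rel.get("Target", ""))
    return findings

def flag_office_spawning_msdt(events: list[dict]) -> list[dict]:
    """Return process-creation records (assumed keys 'parent', 'image') where an
    Office application is the parent of msdt.exe, the lineage Follina produces."""
    return [e for e in events
            if e["parent"].lower().rsplit("\\", 1)[-1] in OFFICE_PARENTS
            and e["image"].lower().endswith("msdt.exe")]

def build_sample_docx(target: str, external: bool = True) -> bytes:
    """Constructed sample: a minimal zip whose rels file carries one oleObject."""
    mode = ' TargetMode="External"' if external else ""
    rels = (f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{REL_NS}">'
            f'<Relationship Id="rId1" Type="{OLE_REL}" Target="{target}"{mode}/>'
            '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()

SAMPLE_EVENTS = [  # constructed process-creation records, not real telemetry
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\msdt.exe"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\msdt.exe"},
]
```

The relationship scan only covers the external-object indicator; a document with a purely internal OLE target returns an empty list and is not flagged.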

Microsoft disclosed the bug in late May amid widespread zero-day exploitation activity. The company issued a fix in its June Patch Tuesday set of monthly security updates.

Malwarebytes describes the Ukrainian campaign as the first time it saw APT28 exploit Follina. But numerous other groups, including other state-sponsored actors, have been actively exploiting the vulnerability in recent weeks.

Many of the attacks are aimed at Ukrainian entities. Earlier this month, for example, CERT-UA warned of a threat actor – probably Russia’s Sandworm APT group – using a Follina exploit in a “massive cyber attack” targeting media organizations in Ukraine.

And just this week, CERT-UA warned of a threat group that it tracks as UAC-0098, which targets critical infrastructure facilities in Ukraine with a tax-themed document carrying a Follina exploit. According to CERT-UA, the attackers in this campaign are using Follina to drop the Cobalt Strike Beacon post-compromise attack tool on compromised systems.

Other reports of Follina-related activity have also surfaced, suggesting that the bug is of great interest to attackers and needs to be patched quickly. Earlier this month, Proofpoint reported that it had blocked a likely state-sponsored phishing campaign involving a Follina exploit that targeted a handful of its customers. The phishing email presented itself as a document about a pay rise which, if opened, would have resulted in a PowerShell script being downloaded to the system.

Symantec has also reportedly observed a number of threat actors exploiting Follina to distribute various malicious payloads, including the AsyncRAT remote access Trojan and other unnamed malware that steals cookies and stored login data from browsers such as Chrome, Edge and Firefox.
