A newly noticed phishing marketing campaign is leveraging the not too long ago disclosed Follina safety vulnerability to distribute a beforehand undocumented backdoor on Home windows programs.
“Rozena is a backdoor malware that’s able to injecting a distant shell connection again to the attacker’s machine,” Fortinet FortiGuard Labs researcher Cara Lin mentioned in a report this week.
Tracked as CVE-2022-30190, the now-patched Microsoft Home windows Assist Diagnostic Software (MSDT) distant code execution vulnerability has come below heavy exploitation in latest weeks ever because it got here to mild in late Might 2022.
The start line for the newest assault chain noticed by Fortinet is a weaponized Workplace doc that, when opened, connects to a Discord CDN URL to retrieve an HTML file (“index.htm“) that, in flip, invokes the diagnostic utility utilizing a PowerShell command to obtain next-stage payloads from the identical CDN attachment house.
This contains the Rozena implant (“Phrase.exe”) and a batch file (“cd.bat”) that is designed to terminate MSDT processes, set up the backdoor’s persistence via Home windows Registry modification, and obtain a innocent Phrase doc as a decoy.
The malware’s core perform is to inject shellcode that launches a reverse shell to the attacker’s host (“microsofto.duckdns[.]org”), finally permitting the attacker to take management of the system required to watch and seize data, whereas additionally sustaining a backdoor to the compromised system.
The exploitation of the Follina flaw to distribute malware via malicious Phrase paperwork comes as social engineering assaults relying on Microsoft Excel, Home windows shortcut (LNK), and ISO picture recordsdata as droppers to deploy malware equivalent to Emotet, QBot, IcedID, and Bumblebee to a sufferer’s machine.
The droppers are mentioned to be distributed via emails that include instantly the dropper or a password-protected ZIP as an attachment, an HTML file that extracts the dropper when opened, or a hyperlink to obtain the dropper within the physique of the e-mail.
Whereas assaults noticed in early April prominently featured Excel recordsdata with XLM macros, Microsoft’s determination to dam macros by default across the identical time is claimed to have pressured the menace actors to pivot to various strategies like HTML smuggling in addition to .LNK and .ISO recordsdata.
Final month, Cyble disclosed particulars of a malware device referred to as Quantum that is being bought on underground boards in order to equip cybercriminal actors with capabilities to construct malicious .LNK and .ISO recordsdata.
It is value noting that macros have been a tried-and-tested assault vector for adversaries trying to drop ransomware and different malware on Home windows programs, whether or not or not it’s via phishing emails or different means.
Microsoft has since briefly paused its plans to disable Workplace macros in recordsdata downloaded from the web, with the corporate telling The Hacker Information that it is taking the time to make “extra adjustments to boost usability.”