Russian govt hackers hit Ukraine with Cobalt Strike, CredoMap malware

The Ukrainian Computer Emergency Response Team (CERT-UA) is warning that Russian state-sponsored hacking groups are exploiting the Follina code-execution vulnerability in new phishing campaigns to install the CredoMap malware and Cobalt Strike beacons.


The APT28 hacking group is believed to be sending emails carrying a malicious document named "Nuclear Terrorism A Very Real Threat.rtf". The threat actors chose this topic to entice recipients into opening the attachment, playing on the fear of a potential nuclear attack that has spread among Ukrainians.


Threat actors also used a similar tactic in May 2022, when CERT-UA identified the dissemination of malicious documents warning about a chemical attack.


The RTF document used in the APT28 campaign attempts to exploit CVE-2022-30190, aka "Follina," to download and launch the CredoMap malware (docx.exe) on a target's device.



CredoMap infection process (CERT-UA)

Follina is a flaw in the Microsoft Support Diagnostic Tool (MSDT): a document that references an external HTML resource can have that resource invoke the ms-msdt: URI handler, which then runs attacker-supplied commands without any macros. It has been exploited in the wild since at least April 2022 and is triggered by simply opening the document or, in the case of RTF files, by merely viewing it in the Windows Explorer preview pane. Microsoft shipped a fix in the June 2022 Patch Tuesday updates; on systems that are not yet patched, the published workaround is to disable the ms-msdt URL protocol handler.
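The two artifacts a Follina lure depends on, an OLE relationship pointing at an external resource and the ms-msdt: scheme itself, can be checked for before a document is opened. The following is an added example written for this page, not tooling from CERT-UA, Malwarebytes or the APT28 campaign: a heuristic scanner for docx and RTF files that reports both artifacts, including the scheme when it is hex-encoded inside an RTF object as a UTF-16 string. The sample documents it scans are constructed inline, and the hostname example.invalid is a placeholder.

```python
"""Heuristic scanner for CVE-2022-30190 ("Follina") document lures.

Added example for this article, not CERT-UA's or Malwarebytes' code. Flags
two artifacts: a relationship to an *external* OLE object (the remote HTML
that the document fetches) and the ms-msdt: URI scheme that hands control
to the Support Diagnostic Tool. Sample documents are constructed inline.
"""
import io
import re
import zipfile
from xml.etree import ElementTree as ET

OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
IMAGE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"
MSDT_PATTERNS = [re.compile(rb"ms-msdt:", re.I), re.compile(rb"PCWDiagnostic", re.I)]


def _has_msdt(data: bytes) -> bool:
    """Match the scheme in ASCII and in UTF-16LE (nulls stripped), as OLE monikers use the latter."""
    variants = [data, data.replace(b"\x00", b"")]
    return any(p.search(v) for v in variants for p in MSDT_PATTERNS)


def _hex_blobs(rtf: bytes):
    """Yield the decoded hex payloads of \\objdata / \\datastore groups in an RTF file."""
    for m in re.finditer(rb"\\(?:objdata|datastore)\s*([0-9a-fA-F\s]+)", rtf):
        hexstr = re.sub(rb"\s", b"", m.group(1))
        if len(hexstr) % 2:          # tolerate a truncated trailing nibble
            hexstr = hexstr[:-1]
        try:
            yield bytes.fromhex(hexstr.decode("ascii"))
        except ValueError:
            continue


def scan_docx(blob: bytes) -> list:
    """Report external oleObject relationships and any ms-msdt: scheme inside the package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        for name in z.namelist():
            part = z.read(name)
            if name.endswith(".rels"):
                for rel in ET.fromstring(part):
                    if rel.get("Type") == OLE_REL and rel.get("TargetMode") == "External":
                        findings.append(f"external oleObject -> {rel.get('Target')}")
            if _has_msdt(part):
                findings.append(f"ms-msdt scheme in {name}")
    return findings


def scan_rtf(blob: bytes) -> list:
    """Report the scheme in the RTF body or inside hex-encoded embedded objects."""
    findings = []
    if _has_msdt(blob):
        findings.append("ms-msdt scheme in RTF text")
    for i, payload in enumerate(_hex_blobs(blob)):
        if _has_msdt(payload):
            findings.append(f"ms-msdt scheme in embedded object #{i}")
    return findings


def scan(blob: bytes) -> list:
    """Dispatch on the file signature; anything else gets the plain scheme check."""
    if blob.startswith(b"PK"):
        return scan_docx(blob)
    if blob.startswith(b"{\\rtf"):
        return scan_rtf(blob)
    return ["ms-msdt scheme in file"] if _has_msdt(blob) else []


# ---- constructed samples (not real campaign artifacts) ----------------------
def sample_docx(target: str, external: bool = True) -> bytes:
    """Minimal docx; external=True mimics a Follina lure, otherwise a harmless image relationship."""
    if external:
        rel = f'<Relationship Id="rId1" Type="{OLE_REL}" Target="{target}" TargetMode="External"/>'
    else:
        rel = f'<Relationship Id="rId1" Type="{IMAGE_REL}" Target="{target}"/>'
    rels = ('<?xml version="1.0" encoding="UTF-8"?>'
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            + rel + "</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


def sample_rtf(payload: str) -> bytes:
    """RTF with the payload hex-encoded as UTF-16LE inside \\objdata, the way an OLE link moniker is stored."""
    hexdata = payload.encode("utf-16-le").hex()
    return ("{\\rtf1\\ansi{\\object\\objautlink{\\*\\objdata " + hexdata + "}}}").encode()


if __name__ == "__main__":
    print(scan(sample_docx("http://example.invalid/lure.html!")))
    print(scan(sample_rtf("ms-msdt:/id PCWDiagnostic /skip force")))
    print(scan(sample_docx("media/image1.png", external=False)))
```

The check is deliberately a heuristic: a clean document can legitimately carry OLE links, so treat a hit as a reason to detonate the file in a sandbox rather than as proof of compromise, and pair it with endpoint telemetry for msdt.exe being spawned by an Office process.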


CredoMap is a little-documented malware strain; several engines on VirusTotal flag the sample, with numerous vendors classifying it as a password-stealing Trojan.



VirusTotal scan results for CredoMap

In an associated report published by Malwarebytes today, the security analysts clarify tha ..
