Ukraine’s CERT warns of a phishing campaign delivering CrescentImp malware

The Computer Emergency Response Team of Ukraine (CERT-UA) has shared details of a new malicious campaign targeting media organizations in Ukraine that is exploiting the recently disclosed Follina vulnerability (CVE-2022-30190) in order to infect victims’ machines with the CrescentImp malware.


CVE-2022-30190 is a security issue affecting the Microsoft Windows Support Diagnostic Tool (MSDT). It allows a remote attacker to execute arbitrary shell commands on the target system.


The campaign aimed at Ukrainian radio stations, news papers, news agencies, etc., involves malicious emails that contain an attached document with the subject “СПИСОК посилань на інтерактивні карти” (“A list of links to the interactive maps”). The CERT-UA team said it has identified over 500 email addresses targeted in this campaign.


Once a victim opens the document, an HTML file is downloaded onto the machine and a JavaScript code is executed. The code downloads and executes an EXE file named “2.txt,” which is the CrescentImp malware. This malware is fairly new, so at this point it’s hard to say what capabilities it has, but as with most trojans, CrescentImp likely can steal sensitive information from the infected computer and provide its operators with a backdoor, which can be used to download additional malware onto the machine.


CERT-UA, which tracks this malicious campaign as UAC-0113, attributes the activity with moderate confidence to the Russia-linked Sandworm advanced persistent threat group.


Earlier this month, the team said it detected a malicious campaign that exploited two Windows zero-day vulnerabilities, including CVE-2022-30190, to infect networks belonging to Ukrainian government agencies with the Cobalt Strike Beacon malware.


Cybersecurity Help statement on the critical situation in Ukraine


On February 24, people ..

Support the originator by clicking the read the rest link below.