Last month we told you about Follina, a zero-day vulnerability that affects Microsoft Office and allows arbitrary code to run through the Microsoft Support Diagnostic Tool (MSDT). The flaw, tracked as CVE-2022-30190, affects all Windows client and server platforms that still receive security updates (Windows 7 and later, Windows Server 2008 and later).

Recently, the Ukrainian Computer Emergency Response Team (CERT) warned that Russian hacker groups are using Follina in new phishing campaigns aimed at installing the CredoMap malware and the Cobalt Strike beacon. In the CredoMap campaign, an RTF document was used to download and install the malware, while in the Cobalt Strike campaign a .docx file named "Imposition of penalties.docx" was used to retrieve the payload from a remote resource (ked.dll).

Photo credit: Bleeping Computer

In case you are not aware of it, CredoMap is a trojan that steals information stored in the Chrome, Edge and Firefox web browsers, such as account credentials and cookies. Once it has collected the data, it sends everything over the IMAP email protocol to an address hosted on an abandoned site in Dubai.
The group responsible for the CredoMap attack is APT28 (also known as STRONTIUM, Fancy Bear and Sofacy), which is believed to have links to the Russian government and is mainly engaged in cyber espionage operations. The Cobalt Strike campaign, on the other hand, was conducted by UAC-0098, and in this case too a document about unpaid taxes was sent to lure as many potential victims as possible, a theme that is especially effective given the current situation in Ukraine.
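For defenders triaging attachments like the .docx lure described above, here is an added example (not code from the article or from Bleeping Computer) that unpacks a .docx and flags the two indicators associated with Follina delivery: an external OLE-object relationship pointing at a remote resource, and any embedded ms-msdt: URI. The sample documents it builds are constructed in memory and carry no payload; the lure URL is a hypothetical placeholder.

```python
# Added example: Follina (CVE-2022-30190) .docx triage. A Follina lure carries an
# *external* OLE-object relationship whose target is a remote resource; the
# ms-msdt: scheme itself usually lives in that remote content, but we flag it
# too in case it is embedded directly. Sample documents below are constructed.
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
MSDT_RE = re.compile(rb"ms-msdt:", re.IGNORECASE)


def scan_docx(data: bytes) -> list:
    """Return a list of finding strings for a .docx supplied as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            content = zf.read(name)
            if name.endswith(".rels"):
                # Relationship files declare where each embedded object comes from
                for rel in ET.fromstring(content).iter(f"{{{REL_NS}}}Relationship"):
                    if rel.get("TargetMode") == "External" and rel.get("Type") == OLE_REL:
                        findings.append(f"{name}: external OLE object -> {rel.get('Target')}")
            if MSDT_RE.search(content):
                findings.append(f"{name}: contains ms-msdt: URI")
    return findings


def build_sample_docx(target: str, external: bool) -> bytes:
    """Constructed minimal .docx with one oleObject relationship (no payload, no exploit)."""
    mode = ' TargetMode="External"' if external else ""
    rels = (f'<Relationships xmlns="{REL_NS}">'
            f'<Relationship Id="rId1" Type="{OLE_REL}" Target="{target}"{mode}/>'
            '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Hypothetical lure URL (the .invalid TLD is reserved and never resolves)
    for hits in (scan_docx(build_sample_docx("http://lure.example.invalid/x.html", True)),
                 scan_docx(build_sample_docx("embeddings/oleObject1.bin", False))):
        print(hits or "clean")
```

A benign document that embeds an object internally (no TargetMode="External") produces no findings, so the check can run over a mail gateway's attachment queue without flagging ordinary Office files; RTF lures are not zip containers and need a separate raw-byte scan for the same scheme.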