Follina flaw being exploited by Russian hackers, info stealers

Reports of Ukrainian media organisations receiving emails with compromised Word docs, and AsyncRAT Trojan delivered by groups exploiting the unpatched flaw

The Ukrainian Computer Emergency Response Team (CERT-UA) has warned of threat actors exploiting the Follina vulnerability in Microsoft Office to attack media organisations in the country.

On its website CERT-UA says (translated) it "received information from a participant in the information exchange on mass mailing of emails, in particular, among media organisations of Ukraine (radio stations, newspapers, news agencies, etc.) with the topic #LIST of links to interactive maps'. More than 500 recipients' email addresses have been set."

Opening the attached file 'LIST_of_links_interactive_maps.docx' will ultimately cause an executable called '2.txt' to be downloaded onto the victim's machine. CERT-AU has identified this as 'CrescentImp', a new strain of Trojan malware whose workings are currently being investigated by researchers.

On its website, CERT-UA provides a list of indicators of compromise for this attack.

The Ukrainian cybersecurity organisation says it has "average confidence" that the activity, UAC-0113, is being carried out by Russian hacking group Sandworm (also known as Voodoo Bear, BlackEnergy, and TeleBots), which is thought to be run by Unit 74455 of the Russian Main Intelligence Directorate (GRU) and has been blamed for numerous cyberattacks on the country, often using novel malware strains.

In April, Sandworm tried to take out Ukrainian electricity substations using a novel malware variant called Industroyer and a new version of the CaddyWiper data destruction malware. The group has also used malware called Cycops Blink to attack mainly Watchguard firewalls; and earlier this year, the US government announced that it had successfully deactivated a massive botnet of hardware devices controlled by Sandworm.

Follina (CVE-2022-30190) is a flaw that allows attackers to execute arbitrary code via the Microsoft Support Diagnostic Tool (MSDT). All it takes to exploit the vulnerability is for a victim to open an infected Word document. The vulnerability can be exploited even if macros are disabled.

Reports of threat actors using the Follina flaw include a group delivering the QBot banking malware and suspected Chinese threat group TA413 CN APT sending compromised Word documents as a Zip archive to Tibetan activists.

More recently, security vendor Symantec observed attackers deploying the remote access Trojan AsyncRAT, which is able to disable protections and carry out reconnaissance on the infected system, send information to a command-and-control C2, and carry out attacks on instruction by the C2 server, including deploying InfoStealer malware as a secondary activity.

Microsoft has provided instructions on how to mitigate the Follina flaw, but has yet to issue a patch.