A suspected state-aligned threat actor has been linked to a new wave of attacks targeting government entities in Europe and the United States using the Microsoft Office “Follina” vulnerability.
Proofpoint, an enterprise security firm, said it blocked attempts to exploit the CVE-2022-30190 remote code execution flaw (CVSS score: 7.8). The targets received over 1,000 phishing messages containing a lure document. “This campaign pretended to be a salary increase and used an RTF with the exploit payload downloaded from 45.76.53[.]253,” the company explained in a series of tweets.
The payload, which takes the form of a PowerShell script, is Base64-encoded and serves as a downloader for a second PowerShell script from a remote server known as “seller-notification[.]live.”
“This script checks for virtualization, steals information from local browsers, mail clients, and file services, performs machine recon, and then zips it for exfil[tration] to 45.77.156[.]179,” according to the company.
The phishing campaign has not been linked to a previously known group, but the specificity of the targeting and the PowerShell payload’s wide-ranging reconnaissance capabilities suggest it was carried out by a nation-state actor.
The development comes in the wake of active exploitation attempts by a Chinese threat actor known as TA413 to deliver weaponized ZIP archives containing malware-infected Microsoft Word documents.
The Follina vulnerability, which uses the “ms-msdt:” protocol URI scheme to remotely control target devices, is still unpatched, and Microsoft advises customers to disable the protocol to avoid the attack vector. “Proofpoint continues to see targeted attacks leveraging CVE-2022-30190,” Sherrod DeGrippo, vice president of threat research, told The Hacker News in a statement.
“The second PowerShell script’s extensive reconnaissance demonstrates an actor interested in a wide range of software on a target’s computer. This, combined with the campaign’s tight targeting of European governments and local US governments, led us to suspect a state-aligned nexus.”