A suspected state-aligned threat actor has been linked to a fresh set of attacks exploiting the Microsoft Office “Follina” vulnerability to target government entities across the U.S. and Europe.
Proofpoint, an enterprise security firm, said that it blocked attempts at exploiting the remote code execution flaw. The flaw is being tracked CVE-2022-30190 (CVSS Score: 7.8). More than 1,000 phishing messages containing a lure document were sent to the various targets.
Proofpoint said in a series of tweets that “this campaign masqueraded as a salary increase and utilised an RTF with the exploit payload downloaded from 45.76.53[.]253.”
Manifesting itself in the form of a PowerShell script, the payload is Base64-encoded and functions as a downloader to retrieve a second PowerShell script from a remote server named “seller-notification[.]live.”
The company added that, “this script checks for virtualization, steals information from local browsers, mail clients and file services, conducts machine recon and then zips it for exfil[tration] to 45.77.156[.]179.”
Whilst the phishing campaign has not been linked to a previously know group, it was mounted by a nation-state actor based on the PowerShell payload’s wide-ranging reconnaissance capabilities and specificity of the targeting.
This follows active exploitation attempts by a Chinese threat actor tracked as TA413. TA413 aimed to deliver weaponised ZIP archives with malware-rigged Microsoft Word documents.
The Follina vulnerability remains unpatched. The vulnerability leverages the “ms-msdt:” protocol URI scheme to remotely take control of devices. Microsoft is suggesting that customers should disable the protocol to prevent the attack vector.
In a statement shared with The Hacker News, Sherrod DeGrippo, Vice President of Threat Research, said, “Proofpoint continues to see targeted attacks leveraging CVE-2022-30190.”