APT group Fancy Bear, a Russian nation-state threat actor involved in several prolific breaches, has been seen using nuclear war lures in its latest phishing campaigns. The goal of these phishing emails is to compromise the targeted individual’s system and steal credentials saved in web browsers such as Google Chrome and Mozilla Firefox.
The phishing emails carry an attached RTF document whose lure is the possibility of nuclear war arising from the Russian invasion of Ukraine. When the document is opened, it exploits the Follina vulnerability (CVE-2022-30190) to make the system download a DLL and an EXE file via PowerShell. The EXE file, which is placed in the user’s home directory, is then executed. This executable collects all saved user information, such as usernames and passwords, from Google Chrome, Mozilla Firefox, and Microsoft Edge, then packages it for exfiltration. Exfiltration is performed over an IMAP connection to a command-and-control server.
Due to the targets of these phishing emails and the involvement of this Russia-based threat actor, it is believed that this campaign is likely a part of the conflict in Ukraine.
It is highly recommended to install the patch for Follina on all systems as soon as possible. Beyond this specific phishing campaign, Follina is being exploited by numerous threat actors because it is easy to trigger and grants powerful capabilities. By patching devices so they are no longer exploitable, organizations protect their environment from a number of different campaigns at once. Since the malware used in this campaign exfiltrates data via IMAP, it is also recommended to block outgoing IMAP connections from devices and servers that do not need them. Finally, it is recommended to maintain appropriate security logging and monitoring across all devices. The infection chain used in this campaign exhibits behavior that would be abnormal in everyday usage: Microsoft Word spawning an msdt.exe process, cmd.exe executing a PowerShell command, PowerShell making outbound network connections, and an unknown executable making outbound IMAP connections are all behaviors that can be treated as suspicious and alerted upon. Binary Defense’s Managed Detection and Response service is an excellent asset to assist with these types of detection needs.
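As an added example (not from the original post), the following Python sketch applies the four behavioral checks described above to constructed sample telemetry in a simplified Sysmon-like shape; the event field names, the sample paths and the mail-client allow-list are assumptions to be tuned per environment.

```python
import os

# Constructed sample telemetry (not real logs): process-creation and network
# events in a simplified Sysmon-like shape. Field names are this example's own.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\msdt.exe"},
    {"id": 2, "type": "process", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"id": 3, "type": "network", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dst_ip": "203.0.113.10", "dst_port": 443},
    {"id": 4, "type": "network", "image": r"C:\Users\jdoe\update.exe",
     "dst_ip": "203.0.113.10", "dst_port": 143},
    {"id": 5, "type": "network", "image": r"C:\Program Files\Microsoft Office\OUTLOOK.EXE",
     "dst_ip": "198.51.100.5", "dst_port": 993},
    {"id": 6, "type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
IMAP_PORTS = {143, 993}            # IMAP and IMAPS
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}  # assumed allow-list of legitimate IMAP clients


def basename(path):
    """Lower-cased file name of a Windows path, portable to non-Windows hosts."""
    return os.path.basename(path.replace("\\", "/")).lower()


def detect(events):
    """Return (event_id, rule_name) pairs for the suspicious behaviors in the chain."""
    alerts = []
    for ev in events:
        image = basename(ev["image"])
        if ev["type"] == "process":
            parent = basename(ev["parent"])
            if parent in OFFICE_APPS and image == "msdt.exe":      # Word -> msdt.exe (Follina)
                alerts.append((ev["id"], "office_spawns_msdt"))
            elif parent == "cmd.exe" and image == "powershell.exe":  # noisy in admin-heavy estates; tune
                alerts.append((ev["id"], "cmd_spawns_powershell"))
        elif ev["type"] == "network":
            if image == "powershell.exe":                         # PowerShell making outbound connections
                alerts.append((ev["id"], "powershell_outbound"))
            elif ev["dst_port"] in IMAP_PORTS and image not in MAIL_CLIENTS:  # unknown IMAP client
                alerts.append((ev["id"], "unexpected_imap_client"))
    return alerts


if __name__ == "__main__":
    for event_id, rule in detect(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```

Event 5 (Outlook over IMAPS) produces no alert because it matches the allow-list, which is where most of the tuning effort in a real deployment goes.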