Local US and European governments were the targets of a phishing campaign using a payload designed to exploit CVE-2022-30190, also known as Follina. The phishing campaign contained malicious Rich Text Format (RTF) documents that would trigger the exploit when the user opened them.
These malicious documents, which used salary increase promises to bait employees into opening them, were crafted to exploit Follina and deploy a PowerShell script. This PowerShell script was written to first check if the system is a virtual machine and then steal information from the infected system. The information gathered included: saved passwords from multiple web browsers, data from other applications including email clients and chat services, and computer/domain information about the system itself. Once this information is gathered, the script uploads the data to a remote, attacker-controlled system using a Background Intelligent Transfer Service (BITS) job.
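An added detection sketch for the chain described above (Office document, MSDT trigger, PowerShell stage, BITS exfiltration), written for this page rather than taken from any published analysis. The event field names, the allowlist and the sample events are constructed assumptions modelled loosely on Sysmon/EDR process-creation records and the BITS job properties exposed by Get-BitsTransfer.

```python
"""Flag Follina-style process chains and suspicious BITS uploads in log events."""
import re
from urllib.parse import urlparse

# Office binaries that should not normally spawn msdt.exe or PowerShell.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Hosts the organisation expects BITS to talk to (constructed allowlist).
BITS_ALLOWED_HOSTS = {"windowsupdate.microsoft.com", "update.example-corp.local"}

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def flag_process(evt):
    """Return the reasons a process-creation event resembles the Follina chain."""
    parent, image = _basename(evt.get("parent_image", "")), _basename(evt.get("image", ""))
    cmd = evt.get("command_line", "")
    reasons = []
    # Office launching the diagnostic tool is the core CVE-2022-30190 primitive.
    if parent in OFFICE_PARENTS and image == "msdt.exe":
        reasons.append("office-spawned msdt.exe")
    if re.search(r"ms-msdt:", cmd, re.I):
        reasons.append("ms-msdt: URI in command line")
    # The campaign's second stage was PowerShell; Office -> PowerShell is rare.
    if parent in OFFICE_PARENTS and image in {"powershell.exe", "pwsh.exe"}:
        reasons.append("office-spawned PowerShell")
    return reasons

def flag_bits(evt):
    """Return the reasons a BITS job looks like exfiltration (uploads only)."""
    host = urlparse(evt.get("url", "")).hostname or ""
    if evt.get("job_type", "").lower() != "upload":
        return []
    if host in BITS_ALLOWED_HOSTS:
        return ["BITS upload job"]
    return [f"BITS upload to non-allowlisted host {host}"]

# Constructed sample events, not real telemetry (203.0.113.45 is a TEST-NET address).
SAMPLE_EVENTS = [
    {"id": 1, "kind": "process", "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\msdt.exe", "command_line": 'msdt.exe "ms-msdt:/id PCWDiagnostic"'},
    {"id": 2, "kind": "process", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msdt.exe", "command_line": "msdt.exe -id PCWDiagnostic"},
    {"id": 3, "kind": "bits", "job_type": "Upload", "url": "https://203.0.113.45/up/report.bin"},
    {"id": 4, "kind": "bits", "job_type": "Download", "url": "https://windowsupdate.microsoft.com/x.cab"},
]

def scan(events):
    """Return (event id, reasons) for every event that triggers at least one rule."""
    hits = []
    for e in events:
        reasons = flag_process(e) if e["kind"] == "process" else flag_bits(e)
        if reasons:
            hits.append((e["id"], reasons))
    return hits
```

Events 1 and 3 are the only hits on the sample set: a legitimate user-launched msdt.exe and a download from an allowlisted host pass through untouched.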
Due to the extensive reconnaissance performed by the PowerShell payload and the concentration of government targets, this campaign is believed to originate from a state-aligned actor. However, the specific state-aligned actor behind the campaign is currently unknown.