Fancy Bear is a known Russia-backed group that has been active during Russia’s invasion of Ukraine. Malwarebytes Threat Intelligence reports the group is sending documents in a phishing campaign that are loaded with an exploit for Follina. This is a known Microsoft one-click vulnerability (tracking as CVE-2022-30190). “This is the first time we’ve observed APT28 using Follina in its operations,” researchers say in the post. Microsoft has had a long-running battle with Fancy Bear. In 2017, the company won a court order to remove domains from the threat group. However, Fancy Bear re-emerged and continues to be a threat to governments, organizations, and individuals. Malwarebytes has seen the weaponized document Fancy Bear is using. If the user interacts with it, the document installs and executes a .Net stealer to gain credentials and steal data. Google’s Threat Analysis Group (TAG) is also following the attack and says it has been successfully used on targets in Ukraine.
Follina Attack
The Follina vulnerability was first spotted in April and given zero-day, one-click exploit status in May. It stems from the Microsoft Support Diagnostic Tool (MSDT). It targets ms-msdt protocols to install malicious code from Office documents. Because Office is the attack method, the bug is dangerous due to the width of the attack surface. Anyone who uses Microsoft Office on any supported version of Windows is potentially at risk. Using Follina, Fancy Bear sends targets emails with a subject of “Nuclear Terrorism A Very Real Threat”. With fears heightened amid the current invasion of Ukraine, victims may click the link, which is a one-click install of a malicious RTF file. Tip of the day: Did you know that you can assign keyboard shortcuts for starting applications quickly in Windows 11 and Windows 10? This is a great way to have your most used programs always at your fingertips. In our tutorials we show you how to set those hotkeys for your favorite apps.
