Fancy Bear Uses Nuke Threat Lure to Exploit 1-Click Bug


The APT is pairing a known Microsoft flaw with a malicious document to load malware that nabs credentials from Chrome, Firefox and Edge browsers.

Advanced persistent threat group Fancy Bear is behind a phishing campaign that uses the specter of nuclear warfare to exploit a known one-click Microsoft flaw. The goal is to deliver malware that can steal credentials from the Chrome, Firefox and Edge browsers.

The attacks by the Russia-linked APT are tied to the Russia-Ukraine war, according to researchers at Malwarebytes Threat Intelligence. They report that Fancy Bear is pushing malicious documents weaponized with the exploit for Follina (CVE-2022-30190), a known Microsoft one-click flaw, according to a blog post published this week.

“This is the first time we’ve observed APT28 using Follina in its operations,” researchers wrote in the post. Fancy Bear is also known as APT28, Strontium and Sofacy.

On June 20, Malwarebytes researchers first observed the weaponized document, which downloads and executes a .Net stealer first reported by Google. Google’s Threat Analysis Group (TAG) said Fancy Bear has already used this stealer to target users in Ukraine.

The Computer Emergency Response Team of Ukraine (CERT-UA) also independently discovered the malicious document used by Fancy Bear in the new phishing campaign, according to Malwarebytes.

Bear on the Loose

CERT-UA previously identified Fancy Bear as one of the many APTs pummeling Ukraine with cyber-attacks in parallel with the invasion by Russian troops that began in late February. The group is believed to be operating at the behest of Russian intelligence to gather information that would be useful to the agency.

In the past, Fancy Bear has been linked to attacks targeting elections in the United States and Europe, as well as hacks against sporting and anti-doping agencies related to the 2020 Olympic Games.

Researchers first flagged Follina in April, but only in May was it officially identified as a zero-day, one-click exploit. Follina is associated with the Microsoft Support Diagnostic Tool (MSDT) and uses the ms-msdt protocol to load malicious code from Word or other Office documents when they’re opened.

The bug is dangerous for a number of reasons, not the least of which is its wide attack surface, as it essentially affects anyone using Microsoft Office on all currently supported versions of Windows. If successfully exploited, attackers can gain user rights to effectively take over a system and install programs; view, change or delete data; or create new accounts.

Microsoft recently patched Follina in its June Patch Tuesday release, but it remains under active exploitation by threat actors, including known APTs.

Threat of Nuclear Attack

Fancy Bear’s Follina campaign targets users with emails carrying a malicious RTF file called “Nuclear Terrorism A Very Real Threat” in an effort to prey on victims’ fears that the invasion of Ukraine will escalate into a nuclear conflict, researchers said in the post. The content of the document is an article from the international affairs group Atlantic Council that explores the possibility that Putin will use nuclear weapons in the war in Ukraine.

The malicious file uses a remote template embedded in the Document.xml.rels file to retrieve a remote HTML file from the URL http://kitten-268[.]frge[.]io/article[.]html. The HTML file then uses a JavaScript call to window.location.href to load and execute an encoded PowerShell script using the ms-msdt MSProtocol URI scheme, researchers said.

The PowerShell loads the final payload, a variant of the .Net stealer previously identified by Google in other Fancy Bear campaigns in Ukraine. While the oldest variant of the stealer used a fake error message pop-up to distract users from what it was doing, the variant used in the nuclear-themed campaign does not, researchers said.
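The remote-template stage described above leaves a visible trace inside the document itself: an external relationship in a .rels part. The following is an added example (not code from Malwarebytes or from the article) that scans a .docx for external relationships whose target uses an http, https or ms-msdt scheme; it builds its own constructed sample document with a placeholder URL, and the helper names are assumptions.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# OPC relationship namespace and the attachedTemplate relationship type that
# Word uses for remote templates (both are standard OOXML identifiers).
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
TEMPLATE_REL = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/attachedTemplate")
# A template fetched over HTTP(S) is the delivery step seen in this campaign;
# an ms-msdt: target is the MSDT protocol handler itself.
FLAGGED_SCHEMES = {"http", "https", "ms-msdt"}


def find_remote_relationships(docx_bytes):
    """Scan every word/**/*.rels part of a .docx and return
    (part name, relationship kind, target) for each external relationship
    whose target uses a flagged URI scheme. Hypothetical helper name."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for part in z.namelist():
            if not (part.startswith("word/") and part.endswith(".rels")):
                continue
            root = ET.fromstring(z.read(part))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                # Internal relationships point at parts inside the archive.
                if rel.get("TargetMode", "Internal").lower() != "external":
                    continue
                target = rel.get("Target", "")
                if urlsplit(target).scheme.lower() in FLAGGED_SCHEMES:
                    kind = rel.get("Type", "").rsplit("/", 1)[-1]
                    hits.append((part, kind, target))
    return hits


def build_sample_docx(template_target, external=True):
    """Constructed sample input: a minimal .docx whose document.xml.rels
    carries one attachedTemplate relationship. Not a real document."""
    mode = ' TargetMode="External"' if external else ""
    rels = (f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
            f'Type="{TEMPLATE_REL}" Target="{template_target}"{mode}/>'
            '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()
```

Run `find_remote_relationships(build_sample_docx("http://example.invalid/article.html"))` to see the external template relationship reported; example.invalid is a placeholder, not the campaign's infrastructure.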

In other functionality, the recently seen variant is “almost identical” to the earlier one, “with just a few minor refactors and some additional sleep commands,” they added.

As with the previous variant, the stealer’s main purpose is to steal data, including website credentials such as username, password and URL, from several popular browsers, including Google Chrome, Microsoft Edge and Firefox. The malware then uses the IMAP email protocol to exfiltrate data to its command-and-control server in the same way the earlier variant did, but this time to a different domain, researchers said.

“The old variant of this stealer connected to mail[.] ( to exfiltrate data,” they wrote. “The new variant uses the same method but a different domain, www.specialityllc[.]com. Interestingly both are located in Dubai.”

The owners of the websites most likely have nothing to do with APT28, with the group simply taking advantage of abandoned or vulnerable sites, researchers added.