Advanced persistent threat group Fancy Bear is behind a phishing campaign that uses the specter of nuclear war to exploit a known one-click Microsoft flaw. The goal is to deliver malware that can steal credentials from the Chrome, Firefox and Edge browsers.
The attacks by the Russia-linked APT are tied to Russia's war in Ukraine, according to researchers at Malwarebytes Threat Intelligence. In a blog post published this week, they report that Fancy Bear is pushing malicious documents weaponized with an exploit for Follina (CVE-2022-30190), a known Microsoft one-click flaw.
"This is the first time we've observed APT28 using Follina in its operations," researchers wrote in the post. Fancy Bear is also known as APT28, Strontium and Sofacy.
On June 20, Malwarebytes researchers first observed the weaponized document, which downloads and executes a .NET stealer first reported by Google. Google's Threat Analysis Group (TAG) said Fancy Bear had already used this stealer to target users in Ukraine.
The Computer Emergency Response Team of Ukraine (CERT-UA) also independently discovered the malicious document used by Fancy Bear in the recent phishing campaign, according to Malwarebytes.
Bear on the Loose
CERT-UA previously identified Fancy Bear as one of the numerous APTs pummeling Ukraine with cyber-attacks in parallel with the invasion by Russian troops that began in late February. The group is believed to operate at the behest of Russian intelligence, gathering information useful to that agency.
In the past Fancy Bear has been linked to attacks targeting elections in the United States and Europe, as well as hacks against sporting and anti-doping agencies related to the 2020 Olympic Games.
Researchers first flagged Follina in April, but only in May was it officially identified as a zero-day, one-click exploit. Follina is a flaw in the Microsoft Support Diagnostic Tool (MSDT): a Word or other Office document can reference content that invokes the ms-msdt: URI scheme, which causes MSDT to execute attacker-supplied code when the document is opened.
The bug is dangerous for a number of reasons, not least its wide attack surface, since it affects essentially anyone using Microsoft Office on any currently supported version of Windows. Code runs with the rights of the user who opened the document; an attacker who successfully exploits it can, within those rights, install programs, view, change or delete data, or create new accounts, and can effectively take over a system if that user has administrative privileges.
Microsoft patched Follina in its June Patch Tuesday release, but it remains under active exploitation by threat actors, including known APTs.
Threat of Nuclear Attack
Fancy Bear's Follina campaign targets users with emails carrying a malicious RTF file called "Nuclear Terrorism A Very Real Threat" in an attempt to prey on victims' fears that the invasion of Ukraine will escalate into a nuclear conflict, researchers said in the post. The content of the document is an article from the international affairs group Atlantic Council that explores the possibility that Putin will use nuclear weapons in the war in Ukraine.
The malicious file uses a remote template reference embedded in the Document.xml.rels file to retrieve a remote HTML file from the URL http://kitten-268[.]frge[.]io/article[.]html. That HTML file contains JavaScript that assigns an ms-msdt: URI to window.location.href; the ms-msdt URI scheme launches MSDT, which in turn decodes and executes an embedded PowerShell script, researchers said.
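The two artifacts described above (an external template relationship in an OOXML package and an ms-msdt: URI in the fetched HTML) are easy to check for statically. The following is an added example, not code from the Malwarebytes post or from the malware; it builds a constructed sample package in memory, reusing only the URL named in the article, and scans both the package relationships and a constructed HTML snippet for the Follina pattern. The package skeleton and the HTML body are hypothetical.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")

# Constructed sample relationships part: one external template pointing at the
# URL from the article, plus a benign internal relationship for contrast.
SAMPLE_RELS = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}"
      Target="http://kitten-268.frge.io/article.html" TargetMode="External"/>
  <Relationship Id="rId2"
      Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles"
      Target="styles.xml"/>
</Relationships>"""

# Constructed HTML mimicking the redirect pattern; not the real article.html.
SAMPLE_HTML = """<html><body><script>
  window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param PLACEHOLDER";
</script></body></html>"""

# Any occurrence of the ms-msdt: scheme is suspicious in web content; MSDT has no
# legitimate reason to be launched from a document-fetched HTML page.
MSDT_URI_RE = re.compile(r"ms-msdt:[^\s\"'<>]*", re.IGNORECASE)


def build_sample_docx() -> bytes:
    """Assemble a minimal (hypothetical) OOXML zip carrying SAMPLE_RELS."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/_rels/document.xml.rels", SAMPLE_RELS)
    return buf.getvalue()


def find_remote_references(docx_bytes: bytes) -> list[str]:
    """Return every external http(s) relationship in any .rels part, except hyperlinks.

    Remote template injection shows up as an attachedTemplate (or similar)
    relationship with TargetMode="External"; ordinary hyperlinks are also
    external but are expected in documents, so they are skipped.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                target = rel.get("Target", "")
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                if (rel.get("TargetMode") == "External"
                        and target.lower().startswith(("http://", "https://"))
                        and rel_type != "hyperlink"):
                    hits.append(f"{name}: {rel_type} -> {target}")
    return hits


def find_msdt_uris(html: str) -> list[str]:
    """Return every ms-msdt: URI found in an HTML/JS body."""
    return MSDT_URI_RE.findall(html)


if __name__ == "__main__":
    for hit in find_remote_references(build_sample_docx()):
        print("remote reference:", hit)
    for uri in find_msdt_uris(SAMPLE_HTML):
        print("ms-msdt URI:", uri)
```

In a mail gateway or sandbox pipeline the same two functions run over the attachment and over whatever the remote template URL returns; an external attachedTemplate relationship alone is a strong enough signal to quarantine, and the ms-msdt: hit confirms the Follina chain. Note that this checks only OOXML containers; an RTF carrier needs its own parser for the embedded object.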
The PowerShell loads the final payload, a variant of the .NET stealer previously identified by Google in other Fancy Bear campaigns in Ukraine. While the oldest variant of the stealer used a fake error message pop-up to distract users from what it was doing, the variant used in the nuclear-themed campaign does not, researchers said.
In other functionality, the recently seen variant is "almost identical" to the earlier one, "with just a few minor refactors and some additional sleep commands," they added.
As with the previous variant, the stealer's main purpose is to steal data, including website credentials such as username, password and URL, from several popular browsers, including Google Chrome, Microsoft Edge and Firefox. The malware then exfiltrates the data over the IMAP email protocol to an attacker-controlled mailbox, in the same way the earlier variant did but this time via a different domain, researchers said.
"The old variant of this stealer connected to mail[.]sartoc.com (144.208.77.68) to exfiltrate data," they wrote. "The new variant uses the same method but a different domain, www.specialityllc[.]com. Interestingly both are located in Dubai."
The owners of the websites most likely have nothing to do with APT28, with the group simply taking advantage of abandoned or vulnerable sites, researchers added.