The Cyber Security News
Fancy Bear Uses Nuke Threat Lure to Exploit 1-Click Bug

June 23, 2022

The APT is pairing a known Microsoft flaw with a malicious document to load malware that steals credentials from the Chrome, Firefox and Edge browsers.

Advanced persistent threat group Fancy Bear is behind a phishing campaign that uses the specter of nuclear war to exploit a known one-click Microsoft flaw. The goal is to deliver malware that can steal credentials from the Chrome, Firefox and Edge browsers.

The attacks by the Russia-linked APT are tied to the war between Russia and Ukraine, according to researchers at Malwarebytes Threat Intelligence. They report that Fancy Bear is pushing malicious documents weaponized with the exploit for Follina (CVE-2022-30190), a known Microsoft 1-click flaw, according to a blog post published this week.


“This is the first time we have observed APT28 using Follina in its operations,” researchers wrote in the post. Fancy Bear is also known as APT28, Strontium and Sofacy.

On June 20, Malwarebytes researchers first observed the weaponized document, which downloads and executes a .Net stealer first documented by Google. Google’s Threat Analysis Group (TAG) reported that Fancy Bear has already used this stealer to target users in Ukraine.

The Computer Emergency Response Team of Ukraine (CERT-UA) also independently discovered the malicious document used by Fancy Bear in the latest phishing campaign, according to Malwarebytes.

Bear on the Loose

CERT-UA previously identified Fancy Bear as one of the numerous APTs pummeling Ukraine with cyber-attacks in parallel with the invasion by Russian troops that began in late February. The group is believed to be operating at the behest of Russian intelligence to gather information that would be useful to the agency.

In the past, Fancy Bear has been linked to attacks targeting elections in the United States and Europe, as well as hacks against sporting and anti-doping organizations related to the 2020 Olympic Games.

Researchers first flagged Follina in April, but only in May was it officially identified as a zero-day, one-click exploit. Follina is associated with the Microsoft Support Diagnostic Tool (MSDT) and uses the ms-msdt protocol to load malicious code from Word or other Office documents when they are opened.

The bug is dangerous for a number of reasons, not the least of which is its wide attack surface, as it essentially affects anyone using Microsoft Office on all currently supported versions of Windows. If successfully exploited, attackers can gain user rights to effectively take over a system and install programs; view, change or delete data; or create new accounts.

Microsoft recently patched Follina in its June Patch Tuesday release, but it remains under active exploitation by threat actors, including known APTs.

Threat of Nuclear Attack

Fancy Bear’s Follina campaign targets users with emails carrying a malicious RTF file called “Nuclear Terrorism A Very Real Threat” in an attempt to prey on victims’ fears that the invasion of Ukraine will escalate into a nuclear conflict, researchers said in the post. The content of the document is an article from the international affairs group Atlantic Council that explores the possibility that Putin will use nuclear weapons in the war in Ukraine.

The malicious file uses a remote template embedded in the Document.xml.rels file to retrieve a remote HTML file from the URL http://kitten-268[.]frge[.]io/article[.]html. The HTML file then uses a JavaScript call to window.location.href to load and execute an encoded PowerShell script via the ms-msdt MSProtocol URI scheme, researchers said.

The PowerShell loads the final payload, a variant of the .Net stealer previously identified by Google in other Fancy Bear campaigns in Ukraine. While the oldest variant of the stealer used a fake error message pop-up to distract users from what it was doing, the variant used in the nuclear-themed campaign does not, researchers noted.
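As an added triage example (not code from the article or from Malwarebytes), the scanner below opens an OOXML document, reads word/_rels/document.xml.rels and reports any attached-template relationship that points to an external URL, which is the remote-template hook described above; a second check flags text (such as a fetched HTML stage) that references the ms-msdt: URI scheme. The sample document and the template URL it embeds are constructed placeholders, not the campaign's real files or infrastructure.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
ATTACHED_TEMPLATE = OFFICE_REL + "attachedTemplate"
RELS_PART = "word/_rels/document.xml.rels"


def external_templates(docx_bytes: bytes) -> list:
    """Return the Target of every attachedTemplate relationship marked External."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if RELS_PART not in zf.namelist():
            return []
        root = ET.fromstring(zf.read(RELS_PART))
    hits = []
    for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
        # A local template (no TargetMode, or Internal) is normal; an external one is not.
        if rel.get("Type") == ATTACHED_TEMPLATE and rel.get("TargetMode") == "External":
            hits.append(rel.get("Target"))
    return hits


def references_msdt_scheme(text: str) -> bool:
    """True if the text invokes the ms-msdt: URI scheme, the handler Follina abuses."""
    return re.search(r"ms-msdt:", text, re.IGNORECASE) is not None


def build_sample_docx(template_target=None) -> bytes:
    """Constructed minimal .docx containing only the parts the scanner reads (not a real lure)."""
    rels = [f'<Relationship Id="rId1" Type="{OFFICE_REL}styles" Target="styles.xml"/>']
    if template_target:
        rels.append(f'<Relationship Id="rId2" Type="{ATTACHED_TEMPLATE}" '
                    f'Target="{template_target}" TargetMode="External"/>')
    rels_xml = ('<?xml version="1.0" encoding="UTF-8"?>'
                f'<Relationships xmlns="{PKG_REL_NS}">{"".join(rels)}</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr(RELS_PART, rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder URL, constructed for the demo.
    sample = build_sample_docx("http://template.example.invalid/stage.html")
    print("external templates:", external_templates(sample))
    print("clean document:", external_templates(build_sample_docx()))
    print("msdt scheme:", references_msdt_scheme('window.location.href = "ms-msdt:x"'))
```

The same relationship check can be pointed at a directory of mail attachments; a document that pulls its template from the internet warrants quarantine regardless of what the remote page turns out to serve.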

In other functionality, the recently observed variant is “almost identical” to the earlier one, “with just a few minor refactors and some additional sleep commands,” they added.

As with the previous variant, the stealer’s main purpose is to steal data, including website credentials such as username, password and URL, from several popular browsers, including Google Chrome, Microsoft Edge and Firefox. The malware then uses the IMAP email protocol to exfiltrate data to its command-and-control server in the same way the earlier variant did, but this time to a different domain, researchers said.

“The old variant of this stealer connected to mail[.]sartoc.com (144.208.77.68) to exfiltrate data,” they wrote. “The new variant uses the same method but a different domain, www.specialityllc[.]com. Apparently both are located in Dubai.”

The owners of the websites most likely have nothing to do with APT28, with the group simply taking advantage of abandoned or vulnerable sites, researchers added.


Some elements of this article are sourced from:
threatpost.com
