Skip to content
Advanced Persistent Threat (APT) group Fancy Bear is behind a phishing campaign that uses the fear of nuclear war to exploit a known 1-click Microsoft issue. The aim is to deliver malware that can steal credentials from the Chrome, Firefox & Edge browsers.
The APT is pairing a known Microsoft flaw with a malicious document to load malware that steals credentials from Chrome, Firefox & Edge browsers.
Russian & Ukraine War
The attacks by the Russia-linked APT are tied to the Russian & Ukraine war, according to researchers at Malwarebytes Threat Intelligence. They report that Fancy Bear is using malicious documents weaponised with the exploit for Follina (CVE-2022-30190), a known Microsoft 1-click defect, according to a blog post published this week.
“This is the 1st time we’ve observed APT28 using Follina in its operations,” researchers wrote. Fancy Bear is also known as APT28, Strontium & Sofacy.
Downloads & Executes
On June 20, Malwarebytes researchers 1st noticed the weaponised document, which downloads & executes a .Net stealer 1st reported by Google. Google’s Threat Analysis Group (TAG) stated Fancy Bear already has used this stealer to target users in the Ukraine.
The Computer Emergency Response Team of Ukraine (CERT-UA) also independently discovered the malicious document used by Fancy Bear in the recent phishing campaign, explained Malwarebytes.
Bear is on the Loose!
CERT-UA previously identified Fancy Bear as 1 of the numerous APTs attacking Ukraine with cyber-attacks in parallel with the invasion by Russian troops that began in late Feb. The group is thought to be operating at the instigation of Russian intelligence to gather information that would be useful to the agency.
In the past Fancy Bear has been linked in attacks targeting elections in the United States & Europe, as well as hacks against sporting & anti-doping agencies related to the 2020 (2021) Toyko Olympic Games.
Follina
Researchers first flagged Follina in April, but only in May was it officially identified as a zero-day, 1-click exploit. Follina is associated with the Microsoft Support Diagnostic Tool (MSDT) & uses the ms-msdt protocol to load malicious code from Word or other Office documents when they are opened.
The bug is very dangerous for assorted reasons – not the least of which is its wide attack surface, as it affects anyone using Microsoft Office on all currently supported versions of Windows. If successfully exploited, attackers can gain user rights to effectively take over a system & install programs, view, change or delete data, or even create new accounts.
Microsoft recently patched Follina in its June Patch Tuesday release but it remains under active exploit by threat players, including known APTs.
Threat of Nuclear Attack
Fancy Bear’s Follina campaign targets users with emails carrying a malicious RTF file called “Nuclear Terrorism A Very Real Threat” in an attempt to prey on victims’ fears that the invasion of Ukraine will escalate into a nuclear conflict, researchers outlined in the post.
The content of the document is an article from the international affairs group Atlantic Council that examines the possibility that Putin will use nuclear weapons in the war in Ukraine.
Remote Template
The malicious file uses a remote template embedded in the Document.xml.rels file to retrieve a remote HTML file from the URL http://kitten-268[.]frge[.]io/article[.]html.
The HTML file then uses a JavaScript call to window.location.href to load & execute an encoded PowerShell script using the ms-msdt MSProtocol URI scheme, researchers observed.
The PowerShell loads the final payload–a variant of the .Net stealer previously identified by Google in other Fancy Bear campaigns in the Ukraine. While the oldest variant of the stealer used a fake error message pop-up to distract users from what it was doing, the variant used in the nuclear-themed campaign does not, researchers commented.
Almost Identical
In other functionality, the recently seen variant is “almost identical” to the earlier one, “with just a few minor refactors & some additional sleep commands,” they added.
As with the previous variant, the stealer’s main purpose is to steal data—including website credentials such as username, password & URL–from several popular browsers, including Google Chrome, Microsoft Edge & Firefox. The malware then uses the IMAP email protocol to move data to its command-&-control server in the same way the earlier variant did but this time to a different domain, researchers suggested.
Different Domain
“The old variant of this stealer connected to mail[.]sartoc.com (144.208.77.68) to exfiltrate data,” they wrote. “The new variant uses the same method but a different domain, www.specialityllc[.]com. Interestingly both are located in Dubai.”
The owners of the websites likely have nothing to do with APT28, with the group just taking advantage of abandoned or vulnerable sites, researchers concluded.
