3 June 2022

Hackers use recently disclosed Windows MSDT zero-day in attacks targeting state bodies in Ukraine


Hackers use recently disclosed Windows MSDT zero-day in attacks targeting state bodies in Ukraine

The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of a new malicious campaign that exploits two Windows zero-day vulnerabilities in order to infect networks belonging to Ukrainian government agencies with the Cobalt Strike Beacon malware.

Cobalt Strike is a paid penetration testing product that allows threat actors to deploy an agent named 'Beacon' on the victim machine. Beacon’ functionality includes (but not limited to) command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement.

The observed campaign involves phishing emails with the subject “Зміни оплата праці з нарахуваннями” (“Salary changes with accruals”) with an attachment in the form of a malicious Microsoft Word document, which contains a link to an HTML file. Once the document is opened, JavaScript code is executed on the machine, which triggers the exploitation of the CVE-2021-40444 and CVE-2022-30190 vulnerabilities, and ultimately leads to the download of Cobalt Strike Beacon onto a compromised computer.

CVE-2021-40444 is an RCE vulnerability within the Windows MSHTML component. It allows a remote hacker to execute code on a victim machine using a specially crafted Office document with a malicious ActiveX control inside.

CVE-2022-30190 is a recently disclosed issue affecting the Microsoft Windows Support Diagnostic Tool (MSDT). It allows a remote attacker to execute arbitrary shell commands on the target system. At present, there is no fix available for this bug.

CERT-UA’s advisory also includes Indicators of Compromise (IoCs) related to this campaign.

Cybersecurity Help statement on the critical situation in Ukraine

On February 24, people in many cities and towns across Ukraine woke up to the sounds of explosions and artillery fire, as the Russian Federation launched a full-scale invasion of the country. Such actions are unacceptable, political ambitions of any man aren’t worth of blood, tears, and destruction of millions of lives. We give our full support to the Ukrainian people in these hard times. No more war! Слава Україні!

Back to the list

Latest Posts

Iranian hackers exploit RMM tools to deliver malware

Iranian hackers exploit RMM tools to deliver malware

One of the aspects of MuddyWater's strategy involves exploiting Atera's free trial offers.
24 April 2024
Ongoing malware campaign targets multiple industries, distributes infostealers

Ongoing malware campaign targets multiple industries, distributes infostealers

The campaign leverages a CDN cache domain as a download server, hosting malicious HTA files and payloads.
24 April 2024
US charges four Iranian hackers for cyber intrusions

US charges four Iranian hackers for cyber intrusions

The group targeted both both government and private entities.
24 April 2024