7 June 2022

Windows bug Follina exploited in attacks on European and US governments


Proofpoint has blocked a phishing campaign that targeted its customers in European and US governments. Cybercriminals attempted to exploit the infamous Follina vulnerability (CVE-2022-30190) in Windows using malicious RTF documents.

The Follina vulnerability resides in the Microsoft Windows Support Diagnostic Tool (MSDT). It is a remote code execution bug that affects all supported Windows versions. Successful exploitation could allow an attacker to execute arbitrary code with the privileges of the calling application and then install programs; view, change, or delete data; or create new Windows accounts. As of now, the vulnerability has yet to be patched.

In the new campaign discovered by Proofpoint, the hackers used a phishing scam to convince victims to open the malicious documents. According to the researchers, the threat actors sent phishing messages to employees of government organizations with malicious documents promising a salary increase. Eventually, these documents deployed a PowerShell script as the final payload.

This script would check whether the targeted system is a virtual machine, steal information from web browsers (Google Chrome, Mozilla Firefox, Microsoft Edge, Opera, Yandex, Vivaldi, CentBrowser, etc.), mail clients, and file services, and collect system information (computer details, a list of usernames, and Windows domain information).
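The infection chain described above (a malicious document, MSDT, then a PowerShell payload) leaves a parent-child process pattern that defenders can look for in endpoint process-creation telemetry. The following detection script is an added example written for this article, not code from Proofpoint or from the report it summarizes. It assumes a constructed pipe-delimited log format (ParentImage|Image|CommandLine) and a hypothetical list of document-handling applications; the sample log lines are constructed for illustration.

```python
"""Flag process-creation events consistent with the Follina (CVE-2022-30190)
chain: a document handler spawning msdt.exe, and msdt.exe spawning a child
process such as powershell.exe. Added detection example; the log format,
the handler list and the sample lines below are assumptions constructed
for illustration, not telemetry from the campaign described in the article.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical list of applications that open RTF/Office documents.
DOCUMENT_HANDLERS = {"winword.exe", "wordpad.exe", "excel.exe",
                     "powerpnt.exe", "outlook.exe"}


@dataclass
class ProcEvent:
    parent: str   # full path of the parent process image
    image: str    # full path of the created process image
    cmdline: str  # command line of the created process


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_line(line: str) -> ProcEvent:
    """Parse one constructed 'ParentImage|Image|CommandLine' log line."""
    parent, image, cmdline = line.split("|", 2)
    return ProcEvent(parent.strip(), image.strip(), cmdline.strip())


def classify(ev: ProcEvent) -> Optional[str]:
    """Return a verdict label for suspicious MSDT-related events, else None."""
    child = basename(ev.image)
    parent = basename(ev.parent)
    # Stage 1: a document viewer should have no reason to launch MSDT.
    if child == "msdt.exe" and parent in DOCUMENT_HANDLERS:
        return "document-handler-spawned-msdt"
    # Stage 2: MSDT launching a further process (e.g. a PowerShell payload).
    if parent == "msdt.exe":
        return "msdt-spawned-child"
    return None


def detect(lines: List[str]) -> List[Tuple[str, ProcEvent]]:
    """Run the classifier over log lines and collect (verdict, event) pairs."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        verdict = classify(ev)
        if verdict is not None:
            findings.append((verdict, ev))
    return findings


# Constructed sample telemetry: two benign events and two suspicious ones.
SAMPLE_LOG = [
    r"C:\Windows\explorer.exe|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|WINWORD.EXE /n salary_update.rtf",
    r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Windows\System32\msdt.exe|msdt.exe <args redacted>",
    r"C:\Windows\System32\msdt.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe <args redacted>",
    r"C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe notes.txt",
]

if __name__ == "__main__":
    for verdict, ev in detect(SAMPLE_LOG):
        print(f"{verdict}: {basename(ev.parent)} -> {basename(ev.image)}")
```

In production this logic would sit on top of real process-creation events (for example Sysmon event ID 1 or EDR telemetry) rather than the constructed lines above; the parent-child relationship, not the command line, is what carries the signal, so the check remains useful even when the payload's arguments are obfuscated.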

Proofpoint believes that this malicious operation was conducted by a nation state but does not attribute it to a specific threat actor. The researchers reached this conclusion based on both the extensive reconnaissance performed by the PowerShell script and the tight concentration of targeting.

Last week, the Computer Emergency Response Team of Ukraine (CERT-UA) warned of a new malicious campaign that exploits two Windows zero-day vulnerabilities, including CVE-2022-30190. The hackers used it to infect networks belonging to Ukrainian government agencies with the Cobalt Strike Beacon malware.
