13 June 2022

Ukraine’s CERT warns of a phishing campaign delivering CrescentImp malware


The Computer Emergency Response Team of Ukraine (CERT-UA) has shared details of a new malicious campaign targeting media organizations in Ukraine that is exploiting the recently disclosed Follina vulnerability (CVE-2022-30190) in order to infect victims’ machines with the CrescentImp malware.

CVE-2022-30190 is a security issue affecting the Microsoft Windows Support Diagnostic Tool (MSDT). It allows a remote attacker to execute arbitrary shell commands on the target system.

The campaign, aimed at Ukrainian radio stations, newspapers, news agencies and similar outlets, involves malicious emails carrying an attached document with the subject “СПИСОК посилань на інтерактивні карти” (“A list of links to the interactive maps”). The CERT-UA team said it has identified over 500 email addresses targeted in this campaign.

Once a victim opens the document, an HTML file is downloaded onto the machine and JavaScript code in it is executed. The code downloads and executes an EXE file named “2.txt,” which is the CrescentImp malware. This malware is fairly new, so at this point it is hard to say what capabilities it has, but as with most trojans, CrescentImp likely can steal sensitive information from the infected computer and provide its operators with a backdoor, which can be used to download additional malware onto the machine.
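Because the Follina chain starts with a document opened in an Office application causing the Windows Support Diagnostic Tool to run, the parent/child relationship in process-creation telemetry is a practical detection point. The following is an added example (not code from CERT-UA or this article) that scores Sysmon-style process-creation events; the field names, paths and PIDs in the sample events are constructed for the illustration.

```python
# Added example: flag process-creation telemetry consistent with Follina
# (CVE-2022-30190) exploitation, where a document opened in an Office app
# causes the Windows Support Diagnostic Tool (msdt.exe) to run. The event
# layout is Sysmon-like but constructed for this illustration.
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

@dataclass
class Finding:
    pid: int
    severity: str
    reason: str

def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect_msdt_abuse(events):
    """Return one Finding per msdt.exe launch that looks like Follina."""
    findings = []
    for ev in events:
        if _basename(ev.get("Image", "")) != "msdt.exe":
            continue
        parent = _basename(ev.get("ParentImage", ""))
        uri = "ms-msdt:" in ev.get("CommandLine", "").lower()
        if parent in OFFICE_APPS:
            # The Follina chain: the document's handler launches MSDT directly.
            findings.append(Finding(ev["ProcessId"], "high",
                                    f"msdt.exe spawned by {parent}"))
        elif uri:
            # URI-triggered MSDT from a non-Office parent: less certain, still worth review.
            findings.append(Finding(ev["ProcessId"], "medium",
                                    f"ms-msdt: URI launched from {parent}"))
    return findings

# Constructed sample telemetry (paths and PIDs are invented).
SAMPLE_EVENTS = [
    {"ProcessId": 4101, "Image": r"C:\Windows\System32\msdt.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"C:\Windows\System32\msdt.exe" ms-msdt:/id PCWDiagnostic'},
    {"ProcessId": 4102, "Image": r"C:\Windows\System32\msdt.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\msdt.exe" -id PCWDiagnostic'},
    {"ProcessId": 4104, "Image": r"C:\Windows\System32\msdt.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Windows\System32\msdt.exe" ms-msdt:/id PCWDiagnostic'},
]

if __name__ == "__main__":
    for f in detect_msdt_abuse(SAMPLE_EVENTS):
        print(f.pid, f.severity, f.reason)
```

The benign explorer.exe launch (PID 4102) is deliberately not flagged, so the rule does not fire on an administrator opening the troubleshooter by hand.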

CERT-UA, which tracks this malicious campaign as UAC-0113, attributes the activity with moderate confidence to the Russia-linked Sandworm advanced persistent threat group.

Earlier this month, the team said it detected a malicious campaign that exploited two Windows zero-day vulnerabilities, including CVE-2022-30190, to infect networks belonging to Ukrainian government agencies with the Cobalt Strike Beacon malware.

Cybersecurity Help statement on the critical situation in Ukraine

On February 24, people in many cities and towns across Ukraine woke up to the sounds of explosions and artillery fire, as the Russian Federation launched a full-scale invasion of the country. Such actions are unacceptable, political ambitions of any man aren’t worth of blood, tears, and destruction of millions of lives. We give our full support to the Ukrainian people in these hard times. No more war! Слава Україні!
