The Computer Emergency Response Team of Ukraine (CERT-UA) has shared details of a new malicious campaign targeting media organizations in Ukraine that is exploiting the recently disclosed Follina vulnerability (CVE-2022-30190) in order to infect victims’ machines with the CrescentImp malware.

CVE-2022-30190 is a security issue affecting the Microsoft Windows Support Diagnostic Tool (MSDT). It allows a remote attacker to execute arbitrary shell commands on the target system.

The campaign aimed at Ukrainian radio stations, news papers, news agencies, etc., involves malicious emails that contain an attached document with the subject “СПИСОК посилань на інтерактивні карти” (“A list of links to the interactive maps”). The CERT-UA team said it has identified over 500 email addresses targeted in this campaign.

Once a victim opens the document, an HTML file is downloaded onto the machine and a JavaScript code is executed. The code downloads and executes an EXE file named “2.txt,” which is the CrescentImp malware. This malware is fairly new, so at this point it’s hard to say what capabilities it has, but as with most trojans, CrescentImp likely can steal sensitive information from the infected computer and provide its operators with a backdoor, which can be used to download additional malware onto the machine.

CERT-UA, which tracks this malicious campaign as UAC-0113, attributes the activity with moderate confidence to the Russia-linked Sandworm advanced persistent threat group.

Earlier this month, the team said it detected a malicious campaign that exploited two Windows zero-day vulnerabilities, including CVE-2022-30190, to infect networks belonging to Ukrainian government agencies with the Cobalt Strike Beacon malware.

Cybersecurity Help statement on the critical situation in Ukraine

On February 24, people in many cities and towns across Ukraine woke up to the sounds of explosions and artillery fire, as the Russian Federation launched a full-scale invasion of the country. Such actions are unacceptable, political ambitions of any man aren’t worth of blood, tears, and destruction of millions of lives. We give our full support to the Ukrainian people in these hard times. No more war! Слава Україні!