13 June 2022

Ukraine’s CERT warns of a phishing campaign delivering CrescentImp malware


Ukraine’s CERT warns of a phishing campaign delivering CrescentImp malware

The Computer Emergency Response Team of Ukraine (CERT-UA) has shared details of a new malicious campaign targeting media organizations in Ukraine that is exploiting the recently disclosed Follina vulnerability (CVE-2022-30190) in order to infect victims’ machines with the CrescentImp malware.

CVE-2022-30190 is a security issue affecting the Microsoft Windows Support Diagnostic Tool (MSDT). It allows a remote attacker to execute arbitrary shell commands on the target system.

The campaign aimed at Ukrainian radio stations, news papers, news agencies, etc., involves malicious emails that contain an attached document with the subject “СПИСОК посилань на інтерактивні карти” (“A list of links to the interactive maps”). The CERT-UA team said it has identified over 500 email addresses targeted in this campaign.

Once a victim opens the document, an HTML file is downloaded onto the machine and a JavaScript code is executed. The code downloads and executes an EXE file named “2.txt,” which is the CrescentImp malware. This malware is fairly new, so at this point it’s hard to say what capabilities it has, but as with most trojans, CrescentImp likely can steal sensitive information from the infected computer and provide its operators with a backdoor, which can be used to download additional malware onto the machine.

CERT-UA, which tracks this malicious campaign as UAC-0113, attributes the activity with moderate confidence to the Russia-linked Sandworm advanced persistent threat group.

Earlier this month, the team said it detected a malicious campaign that exploited two Windows zero-day vulnerabilities, including CVE-2022-30190, to infect networks belonging to Ukrainian government agencies with the Cobalt Strike Beacon malware.

Cybersecurity Help statement on the critical situation in Ukraine

On February 24, people in many cities and towns across Ukraine woke up to the sounds of explosions and artillery fire, as the Russian Federation launched a full-scale invasion of the country. Such actions are unacceptable, political ambitions of any man aren’t worth of blood, tears, and destruction of millions of lives. We give our full support to the Ukrainian people in these hard times. No more war! Слава Україні!

 

Back to the list

Latest Posts

Zero Day Initiative cuts some vulnerability disclosure timelines

Zero Day Initiative cuts some vulnerability disclosure timelines

The new approach is aimed at forcing vendors take a quicker action when it comes to ineffective patches.
17 August 2022
Ransomware gang target UK water supplier but send ransom demand to the wrong company

Ransomware gang target UK water supplier but send ransom demand to the wrong company

The threat actors claimed to have access to water treatment SCADA systems and “these systems which control chemicals in water.”
17 August 2022
Argentina's Judiciary of Cordoba targeted with ransomware

Argentina's Judiciary of Cordoba targeted with ransomware

The incident described as “worst attack on public institutions in history” impacted the agency’s website, digital services and databases.
16 August 2022