A number of European governments have been the targets of a phishing campaign using malicious Rich Text Format (RTF) documents. The documents in question were designed to exploit a critical Windows zero-day vulnerability known as Follina.
"Proofpoint blocked a suspicious phishing campaign that was trying to take advantage of Follina / CVE-2022-30190", the company's security researchers revealed.
The attackers used promises of salary increases to get employees to open documents containing a malicious PowerShell script.
With this attack's PowerShell script, the attackers are able to gather large amounts of information:
Passwords from web browsers: Google Chrome, Mozilla Firefox, Microsoft Edge, Opera, Yandex, Vivaldi, CentBrowser, Comodo, CheDot, Orbitum, Chromium, Slimjet, Xvast, Kinza, Iridium, CocCoc and AVAST Browser.
Data from other applications: Mozilla Thunderbird, Netsarang session files, Windows Live Mail contacts, FileZilla passwords, ToDesk configuration file, WeChat, Oray SunLogin RemoteClient, MailMaster, ServU, PuTTY, FTP123, WinSCP, RAdmin, Microsoft Office, Navicat.
Information from Windows: computer information, username list, Windows domain information.
Proofpoint suspects that this campaign is being run by a government.
The security flaw used in these attacks is tracked as CVE-2022-30190, and Redmond describes it as a remote code execution vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT).
CVE-2022-30190 is still unpatched and affects all versions of Windows that still receive security updates (i.e., Windows 7+ and Server 2008+).
While Microsoft has not yet released updates that fix CVE-2022-30190, CISA urges administrators and Windows users to disable the MSDT URL protocol used in these attacks, since an exploit is already publicly available on the internet.
Until Microsoft releases official security updates, you can patch your systems using the unofficial micropatches released by 0patch (registration required, and not recommended).
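The workaround CISA refers to is Microsoft's published mitigation of removing the ms-msdt URL protocol handler from the registry. The following PowerShell script is an added example, not code from the article or from Proofpoint; it backs the key up before deleting it so the handler can be restored with reg import once an official fix is installed. The backup directory is an assumed value.

```powershell
# Added example: disable the ms-msdt URL protocol handler abused in the Follina
# (CVE-2022-30190) exploit chain, following Microsoft's published workaround
# (back up HKEY_CLASSES_ROOT\ms-msdt, then delete it). Run from an elevated PowerShell.

$Key       = 'HKEY_CLASSES_ROOT\ms-msdt'
$BackupDir = 'C:\Backup'   # assumption: any writable directory will do

function Test-MsdtHandlerPresent {
    # Returns $true while the ms-msdt protocol handler is still registered.
    return Test-Path -Path "Registry::$Key"
}

function Disable-MsdtHandler {
    if (-not (Test-MsdtHandlerPresent)) {
        Write-Host "ms-msdt handler already absent; nothing to do."
        return
    }

    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backup = Join-Path $BackupDir "ms-msdt-$stamp.reg"

    # 1. Export the key first so the change can be rolled back (reg import <file>).
    & reg.exe export $Key $backup /y
    if ($LASTEXITCODE -ne 0) { throw "Backup of $Key failed; aborting without changes." }

    # 2. Remove the handler: documents can no longer launch msdt.exe via ms-msdt: links.
    & reg.exe delete $Key /f
    if ($LASTEXITCODE -ne 0) { throw "Failed to delete $Key" }

    Write-Host "Backup written to $backup"
}

Disable-MsdtHandler

# Verify the result so the mitigation can be confirmed (or reported) per host.
if (Test-MsdtHandlerPresent) {
    Write-Warning "ms-msdt handler is still present; mitigation NOT applied."
} else {
    Write-Host "ms-msdt handler removed; Follina workaround applied."
}
```

Once Microsoft ships the official update, restore the handler with `reg import` of the backup file so diagnostic troubleshooters that rely on ms-msdt links work again.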