Follina 0day for Windows: exploit is already out, what to do

Several European governments have been targeted by a phishing campaign that uses malicious Rich Text Format (RTF) documents. These documents were crafted to exploit a critical zero-day Windows vulnerability known as Follina.


"Proofpoint blocked a suspicious phishing campaign that was trying to take advantage of Follina / CVE-2022-30190", revealed security researchers at Proofpoint.
The attackers used promises of salary increases to lure employees into opening documents that launch a malicious PowerShell script.

With the PowerShell script used in this attack, the attackers are able to gather large amounts of information:

Saved passwords from browsers: Google Chrome, Mozilla Firefox, Microsoft Edge, Opera, Yandex, Vivaldi, CentBrowser, Comodo, CheDot, Orbitum, Slimjet, Xvast, Kinza, Iridium, CocCoc and AVAST Browser.

Data from other applications: Netsarang session files, Windows Live Mail contacts, Filezilla passwords, ToDesk configuration file, WeChat, Oray SunLogin RemoteClient, MailMaster, ServU, Putty, FTP123, WinSCP, RAdmin, Microsoft Office, Navicat.

Information from Windows: computer details, the list of user names, and Windows information.

Proofpoint suspects that this campaign is being run by a government.

The security flaw used in these attacks is tracked as CVE-2022-30190, and Microsoft describes it as a remote code execution vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT).

CVE-2022-30190 is still unpatched and affects all versions of Windows that still receive security updates (i.e., Windows 7 and later, and Windows Server 2008 and later).

While Microsoft has not yet released updates that fix CVE-2022-30190, CISA urges administrators and Windows users to disable the MSDT URL protocol used in these attacks, since an exploit is already circulating on the internet.
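One way to apply that mitigation on a single machine, as an added example that is not part of the article and is not Microsoft's or CISA's own script: it backs up and then removes the ms-msdt: URL protocol handler registration, which is the step Microsoft's published workaround for CVE-2022-30190 describes, and reports whether the handler is still registered. The backup file location is an assumption.

```powershell
# Added example (not from the article): back up and remove the ms-msdt: URL
# protocol handler so Office documents can no longer hand a URL to MSDT.
# Run in an elevated PowerShell session. To revert once a patch is installed:
#   reg.exe import "$env:ProgramData\ms-msdt-backup.reg"
$Key        = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
$BackupPath = Join-Path $env:ProgramData 'ms-msdt-backup.reg'   # assumed location

function Get-MsdtProtocolState {
    # 'Registered' if the ms-msdt: handler key still exists, otherwise 'Removed'.
    if (Test-Path -LiteralPath $Key) { 'Registered' } else { 'Removed' }
}

function Disable-MsdtProtocol {
    if ((Get-MsdtProtocolState) -eq 'Removed') {
        Write-Host 'ms-msdt: handler is already absent; nothing to do.'
        return
    }
    # Export the key first so the change can be reverted after patching.
    & reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupPath /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Backup failed; the key was NOT deleted.' }

    & reg.exe delete 'HKEY_CLASSES_ROOT\ms-msdt' /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Could not delete the ms-msdt key.' }

    Write-Host "ms-msdt: handler removed; backup saved to $BackupPath"
}

Disable-MsdtProtocol
"Current state: $(Get-MsdtProtocolState)"
```

Removing the handler only blocks the ms-msdt: invocation path; MSDT itself remains on the system, so keep the backup and re-check the state after Microsoft ships a fix.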

Until Microsoft releases official security updates, you can patch your systems with the unofficial micropatches released by 0patch (registration required; not recommended).


Written by giorgos

George still wonders what he's doing here ...
