Leveraging Follina (CVE-2022-30190) To Deploy Rozena Backdoor

Posted by on | Featured | No Comments

VTA-00420 – Leveraging Follina (CVE-2022-30190) To Deploy Rozena Backdoor


A recently discovered phishing campaign is using the security hole known as Follina to distribute an unauthorised backdoor on Windows systems by using document that exploited CVE-2022-30190. Rozena is a backdoor malware that is capable of injecting a remote shell connection back to the attacker’s machine. The starting point for the attack chain is a weaponized Office document that, when opened, connects to a Discord CDN URL to retrieve an HTML file (“index.html”).Then it invokes the msdt.exe tool using a PowerShell command to download the Rozena backdoor and save it as “Word.exe”.The Rozena backdoor’s primary feature is the ability to inject shellcode that creates a reverse shell on the attacker’s workstation, allowing the attacker to gain complete control of the system.Once the Rozena executable has finished running,the decoded PowerShell command will only have one task to do, which is injecting the shellcode. 

Severity:
High

Attack Surfaces:
Endpoint OS, Office 365

Tactics:
Command and Control, Defense Evasion, Execution, Persistence

Techniques:
Application Layer Protocol: Web Protocols, Data Encoding: Standard Encoding, Template Injection, User Execution,Accessibility Features,PowerShell Profile

Active Defense Tactics:
Detect, Disrupt

Active Defense Techniques:
Isolation, Network Monitoring, Software Manipulation

Indicator of Compromise:
https://otx.alienvault.com/pulse/62c95c7de16117976be5fcf4

SuperPRO’s Threat Countermeasures Procedures: 
1. To add the IOC signature into endpoint security protection as the custom threat detection rules. 
2. To disable the MSDT URL Protocol to prevent troubleshooters being launched through links.    
3. To always ensure file is safe before disabling “Protected View”  
4. To apply Microsoft’s June 2022 security patch. 
5. Users should be trained to recognize common types of Social Engineering tactics. 
6. IDS/IPS should be configured properly.
7. Antimalware tool should be updated and configured. 
8. To enable auto-updates ensuring software is always up to date

Contributed by:  Mute

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>