VTA-00420 – Leveraging Follina (CVE-2022-30190) To Deploy Rozena Backdoor
A recently discovered phishing campaign is using the security hole known as Follina to distribute an unauthorised backdoor on Windows systems via a document that exploits CVE-2022-30190. Rozena is a backdoor malware capable of injecting a remote shell connection back to the attacker’s machine. The starting point for the attack chain is a weaponized Office document that, when opened, connects to a Discord CDN URL to retrieve an HTML file (“index.html”). It then invokes the msdt.exe tool using a PowerShell command to download the Rozena backdoor and save it as “Word.exe”. The Rozena backdoor’s primary feature is the ability to inject shellcode that creates a reverse shell to the attacker’s workstation, allowing the attacker to gain complete control of the system. Once the Rozena executable has finished running, the decoded PowerShell command has only one task to perform: injecting the shellcode.
Endpoint OS, Office 365
Command and Control, Defense Evasion, Execution, Persistence
Application Layer Protocol: Web Protocols, Data Encoding: Standard Encoding, Template Injection, User Execution, Accessibility Features, PowerShell Profile
Active Defense Tactics:
Active Defense Techniques:
Isolation, Network Monitoring, Software Manipulation
Indicator of Compromise:
SuperPRO’s Threat Countermeasures Procedures:
1. Add the IOC signatures to endpoint security protection as custom threat detection rules.
2. Disable the MSDT URL Protocol to prevent troubleshooters from being launched through links.
3. Always ensure a file is safe before disabling “Protected View”.
4. Apply Microsoft’s June 2022 security patch.
5. Train users to recognize common types of social engineering tactics.
6. Configure IDS/IPS properly.
7. Keep the antimalware tool updated and properly configured.
8. Enable auto-updates to ensure software is always up to date.
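As an added example (not part of the advisory or any vendor product) of the custom detection rule that countermeasure 1 calls for, the Python below flags process-creation records matching the attack chain described above: msdt.exe spawned by an Office application, msdt.exe launched through the ms-msdt: URL handler, or execution of a file named Word.exe. The event fields and the sample telemetry are constructed assumptions, not a specific EDR or Sysmon schema.

```python
from __future__ import annotations
from dataclasses import dataclass

# Office processes that should never be the parent of msdt.exe (assumed list; extend for your estate).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style; field names are assumed)."""
    pid: int
    image: str         # full path of the created process
    parent_image: str  # full path of its parent
    command_line: str

def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def follina_findings(events: list[ProcessEvent]) -> list[tuple[int, str]]:
    """Return (pid, reason) for each event matching the Follina/Rozena chain."""
    findings = []
    for ev in events:
        image, parent = _basename(ev.image), _basename(ev.parent_image)
        cmd = ev.command_line.lower()
        if image == "msdt.exe" and parent in OFFICE_APPS:
            findings.append((ev.pid, "msdt.exe spawned by an Office application"))
        elif image == "msdt.exe" and "ms-msdt:" in cmd:
            findings.append((ev.pid, "msdt.exe launched through the ms-msdt: URL handler"))
        elif image == "word.exe":
            findings.append((ev.pid, "executable named Word.exe (Rozena drop name)"))
    return findings

# Constructed sample telemetry: one benign troubleshooter launch, then three suspicious events.
SAMPLE_EVENTS = [
    ProcessEvent(1001, r"C:\Windows\System32\msdt.exe", r"C:\Windows\System32\control.exe",
                 "msdt.exe -id NetworkDiagnosticsWeb"),
    ProcessEvent(1002, r"C:\Windows\System32\msdt.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 'msdt.exe "ms-msdt:/id <troubleshooter-id>"'),
    ProcessEvent(1003, r"C:\Windows\System32\msdt.exe", r"C:\Windows\explorer.exe",
                 'msdt.exe "ms-msdt:/id <troubleshooter-id>"'),
    ProcessEvent(1004, r"C:\Users\victim\AppData\Local\Temp\Word.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "Word.exe"),
]

if __name__ == "__main__":
    for pid, reason in follina_findings(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```

The benign control-panel launch of msdt.exe produces no finding, so the rule keys on the parent process and the URL-handler invocation rather than on msdt.exe alone.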
Contributed by: Mute