Sandworm hackers used the Follina critical flaw to target Ukraine

June 17, 2022

The Russian threat group Sandworm may be taking advantage of the recently disclosed Follina vulnerability to target Ukraine. Follina is a remote code execution vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT), which researchers currently track as CVE-2022-30190.

Because the flaw can be triggered simply by opening or previewing a maliciously crafted document, several threat groups have exploited it since its discovery last April.

Ukraine’s Computer Emergency Response Team (CERT-UA) explained that it is confident in attributing the recent malicious activity to the Sandworm hacker group.

The Sandworm group sent numerous emails that leveraged the Follina flaw.

CERT-UA stated that the Sandworm group deployed a new malicious email campaign that took advantage of the Follina critical vulnerability. The research team found that the emails were sent to more than 500 recipients at multiple media organisations in Ukraine, most of them newspaper distributors and radio stations.

The emails used by the adversaries carried the subject line ‘LIST of links interactive maps’ and a [.]DOCX attachment with the same name. If a target opens the malicious file, the flaw is triggered and JavaScript code runs to retrieve a payload named 2[.]txt. The researchers classify this payload as CrescentImp.

The researchers have published a short set of IoCs to help other defenders spot CrescentImp infections. They have not yet been able to determine which malware family CrescentImp belongs to, and the hashes shared by the Ukrainian cybersecurity response team showed no detections on VirusTotal at the time.
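Since the lure described above arrives as a .DOCX attachment and the malware hashes are not yet detected by antivirus engines, a defender is better served by inspecting the document structure than by hash matching. The following is an added example written for this article; it is not CERT-UA's tooling and not code from the original page. It relies on the publicly documented shape of Follina-weaponised documents (an external OLE object relationship in word/_rels/document.xml.rels, or an ms-msdt: URI), combines that with the reported subject line, and builds small constructed .docx containers in memory so it runs offline. The sample relationship files, the URL placeholders (example.invalid) and the function names are assumptions for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Location of the main document's relationship part inside the .docx ZIP container.
RELS_PATH = "word/_rels/document.xml.rels"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
# The MSDT protocol handler abused by CVE-2022-30190; its presence in a document is a red flag.
MSDT_SCHEME = re.compile(r"ms-msdt:", re.IGNORECASE)
# Subject line reported by CERT-UA for this campaign (matched case-insensitively).
KNOWN_SUBJECT = "list of links interactive maps"


def inspect_docx(data: bytes) -> list[str]:
    """Return a list of findings for a .docx; an empty list means nothing suspicious was seen."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if RELS_PATH not in zf.namelist():
            return findings  # no relationships part, nothing to inspect here
        root = ET.fromstring(zf.read(RELS_PATH))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            target = rel.get("Target", "")
            external = rel.get("TargetMode", "").lower() == "external"
            # Benign documents embed OLE objects internally; an OLE object fetched from
            # an external location is how the Follina lure loads its remote HTML stage.
            if rel.get("Type", "") == OLE_TYPE and external:
                findings.append(f"external OLE object relationship -> {target}")
            if MSDT_SCHEME.search(target):
                findings.append(f"ms-msdt: URI in relationship -> {target}")
    return findings


def triage_email(subject: str, attachment_name: str, attachment_bytes: bytes) -> dict:
    """Combine the campaign's reported subject line with structural inspection of the attachment."""
    reasons = []
    if KNOWN_SUBJECT in subject.lower():
        reasons.append("subject matches lure reported by CERT-UA")
    if attachment_name.lower().endswith(".docx"):
        reasons.extend(inspect_docx(attachment_bytes))
    return {"suspicious": bool(reasons), "reasons": reasons}


def build_sample_docx(rels_xml: str) -> bytes:
    """Build a minimal, constructed .docx (ZIP container) around the given relationships part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        zf.writestr(RELS_PATH, rels_xml)
    return buf.getvalue()


# Constructed sample: an ordinary document with an internal styles part and an external hyperlink.
# External hyperlinks are normal and must NOT be flagged.
BENIGN_RELS = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://example.invalid/" TargetMode="External"/>
</Relationships>"""

# Constructed sample: an OLE object pulled from a remote location (placeholder host).
SUSPICIOUS_RELS_EXTERNAL_OLE = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="http://example.invalid/page.html" TargetMode="External"/>
</Relationships>"""

# Constructed sample: a hyperlink relationship that points straight at the MSDT protocol handler.
SUSPICIOUS_RELS_MSDT = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="ms-msdt:/id PLACEHOLDER" TargetMode="External"/>
</Relationships>"""


if __name__ == "__main__":
    for label, rels in [("benign", BENIGN_RELS), ("external OLE", SUSPICIOUS_RELS_EXTERNAL_OLE), ("msdt", SUSPICIOUS_RELS_MSDT)]:
        print(label, triage_email("LIST of links interactive maps", "LIST of links interactive maps.docx", build_sample_docx(rels)))
```

The check is deliberately narrow: an external hyperlink is everyday Office content and is left alone, while an OLE object with TargetMode="External" or any ms-msdt: URI is rare in legitimate documents and is the structural signature worth alerting on. In a mail gateway this would run alongside, not instead of, hash-based IoC matching, so that documents the hashes have never seen are still caught.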

Sandworm has been compromising Ukrainian entities constantly over the past few years, and the frequency of infections surged when the Russian invasion of Ukraine commenced last March.

Last April, researchers discovered that the group also attempted to shut down a sizeable Ukrainian energy provider by targeting its electrical substations with a variant of the Industroyer malware.

The United States has offered a bounty of up to $10 million for information that helps locate six individuals believed to be members of the Russian threat group.
