State-Backed Hacker Believed to Be Behind Follina Attacks on EU and US

  • An unnamed state actor is reportedly behind a phishing campaign targeting European and local US government entities using the Follina Office Vulnerability.

    The hacking attempts were spotted by cybersecurity firm Proofpoint, which posted a series of tweets last Friday from its Threat Insight account describing the campaign’s details.

    “Proofpoint blocked a suspected state aligned phishing campaign targeting less than 10 Proofpoint customers (European gov & local US gov) attempting to exploit #Follina,” reads the first tweet.

    According to the security experts, the phishing campaign targeted government employees, offering a salary increase and utilizing an RTF file with the exploit payload downloaded from 45.76.53[.]253.

    The downloaded Powershell script was reportedly base64 encoded and used Invoke-Expression to download an additional PS script from seller-notification[.]live.

    Once downloaded the script would check for virtualization, steal information from local browsers, mail clients and file services, conduct machine recon and then zip it for exfil to be sent to the 45.77.156[.]179 IP address.

    While Proofpoint did not directly link the campaign to any specific hacker groups, the company said the characteristics of the attack hint at a nation-state actor. At the same time, the company did not name any specific countries at the time of writing.

    “While Proofpoint suspects this campaign to be by a state aligned actor based on both the extensive recon of the Powershell and tight concentration of targeting, we do not currently attribute it to a numbered TA.”

    The Follina vulnerability, which exploits Microsoft Windows Support Diagnostic Tool (MSDT) to gain remote access to target systems has not yet been officially patched by the Windows giant. Instead, Microsoft advised users to disable the ms-msdt protocol.

    An unofficial patch has been released by security researchers 0patch, which allows MSDT to remain active.

    “It would be by far the simplest for us to just disable msdt.exe by patching it with a TerminateProcess() call. However, that would render Windows diagnostic wizardry inoperable,” the company wrote in a blog post.

    Instead, 0patch decided to place the patch in sdiagnhost.exe before the RunScript call and check if the user-provided path contains a “$(“sequence, which is necessary for injecting a PowerShell subexpression.

    “If one is detected, we make sure the RunScript call is bypassed while the Diagnostic Tool keeps running.”