Hackers exploit Follina bug to deploy Rozena Backdoor
A recently observed phishing campaign exploits the recently disclosed Follina security vulnerability to distribute a previously undocumented backdoor on Windows systems.
“Rozena is a backdoor malware capable of injecting a remote shell login to the attacker’s machine,” Cara Lin, a researcher at Fortinet FortiGuard Labs, said in a report this week.
Tracked as CVE-2022-30190, the now patched Microsoft Windows Support Diagnostic Tool (MSDT) remote code execution vulnerability has been heavily exploited in recent weeks since it was discovered in late May 2022.
The starting point of the latest attack chain observed by Fortinet is an Office document which, when opened, connects to a Discord CDN URL to retrieve an HTML file (“index.htm”) which, in turn, invokes the diagnostic utility using a PowerShell command to download the next-stage payloads from the same CDN attachment space.
This includes the Rozena implant (“Word.exe”) and a batch file (“cd.bat”) designed to terminate MSDT processes, establish persistence of the backdoor by way of editing the Windows registry, and download a harmless Word document as a decoy.
The main function of the malware is to inject shellcode that launches a reverse shell to the attacker’s host (“microsofto.duckdns[.]org”), ultimately allowing the attacker to take control of the system, monitor and capture information, and maintain a backdoor into the compromised machine.
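The chain above gives a defender two cheap places to look: the document itself (an external relationship pointing at a remote HTML file, which is how the decoy document reaches the index.htm stage) and the process tree (an Office host launching the diagnostic tool, or the diagnostic tool launching PowerShell). The following is an added example, not Fortinet’s code or anything from the campaign; the pipe-separated event format, the sample events, the in-memory .docx, the placeholder host cdn.example.invalid and the check for the ms-msdt: protocol handler are all constructed or assumed for illustration.

```python
"""Defender-side checks for the Follina (CVE-2022-30190) delivery chain.
Added example; log format, events and the sample document are constructed."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Office hosts that have no legitimate reason to launch the diagnostic tool
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
MSDT_IMAGES = {"msdt.exe", "sdiagnhost.exe"}
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"


@dataclass
class ProcEvent:
    parent: str
    image: str
    cmdline: str


def parse_event(line: str) -> ProcEvent:
    """Parse a constructed 'parent|image|cmdline' line (not a real log schema)."""
    parent, image, cmdline = line.split("|", 2)
    return ProcEvent(parent.strip().lower(), image.strip().lower(), cmdline.strip())


def classify(ev: ProcEvent) -> Optional[str]:
    """Return the first matching detection reason for one event, or None."""
    if ev.parent in OFFICE_PARENTS and ev.image in MSDT_IMAGES:
        return "office-to-msdt"          # Word/Excel spawning the diagnostic tool
    if ev.parent in MSDT_IMAGES and ev.image == "powershell.exe":
        return "msdt-to-powershell"      # diagnostic tool running the next stage
    if "ms-msdt:" in ev.cmdline.lower():
        return "ms-msdt-handler"         # protocol handler invoked from any process
    return None


def flag_process_chain(lines: List[str]) -> List[Tuple[str, ProcEvent]]:
    """Run classify() over raw event lines and keep the hits with their reason."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        reason = classify(ev)
        if reason:
            hits.append((reason, ev))
    return hits


def scan_docx_relationships(docx_bytes: bytes) -> List[str]:
    """List external relationship targets in a .docx that point at a remote
    HTML resource or use the ms-msdt: scheme; benign packages have none."""
    suspicious = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                t = target.lower()
                remote_html = t.startswith(("http://", "https://")) and re.search(r"\.html?(!|$|\?)", t)
                if t.startswith("ms-msdt:") or remote_html:
                    suspicious.append(f"{name}: {target}")
    return suspicious


def build_sample_docx() -> bytes:
    """Constructed minimal .docx-like package whose relationships reference an
    external HTML file on a placeholder host, mirroring the chain above."""
    rels = (
        f'<Relationships xmlns="{RELS_NS}">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" '
        'Target="https://cdn.example.invalid/attachments/1234/index.htm!" TargetMode="External"/>'
        '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" '
        'Target="styles.xml"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


# Constructed process-creation events: two should fire, three are benign
SAMPLE_EVENTS = [
    "explorer.exe|winword.exe|WINWORD.EXE /n invoice.docx",
    "winword.exe|msdt.exe|msdt.exe ms-msdt:/id PCWDiagnostic /skip force",
    "sdiagnhost.exe|powershell.exe|powershell.exe -NoProfile -Command ...",
    "explorer.exe|notepad.exe|notepad.exe",
    "explorer.exe|msdt.exe|msdt.exe -id ExampleDiag",   # user-launched troubleshooter
]

if __name__ == "__main__":
    for reason, ev in flag_process_chain(SAMPLE_EVENTS):
        print(f"{reason}: {ev.parent} -> {ev.image}")
    for finding in scan_docx_relationships(build_sample_docx()):
        print("document:", finding)
```

The process-tree rules are ordered so that an Office-spawned MSDT is reported under the most specific reason even when its command line also carries the handler string; the handler check is the fallback for launches from other parents. The relationship scan only reads the `.rels` parts of the package, so it works on any Office Open XML file without parsing the document body.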
Exploitation of the Follina flaw to distribute malware via malicious Word documents comes as social engineering attacks increasingly rely on Microsoft Excel, Windows shortcut (LNK) and ISO image files as droppers to deploy malware such as Emotet, QBot, IcedID and Bumblebee to a victim’s device.
Droppers are said to be distributed via emails that directly contain the dropper or a password-protected ZIP attachment, an HTML file that extracts the dropper when opened, or a link to download the dropper in the body of the email.
While the attacks spotted in early April relied on Excel files with XLM macros, Microsoft’s decision to block macros by default around the same time would have forced threat actors to turn to alternative methods such as HTML smuggling as well as .LNK and .ISO files.
Last month, Cyble published details of a malicious tool called Quantum, which is being sold on underground forums to give cybercriminals the ability to create malicious .LNK and .ISO files.
It is worth noting that macros have been a proven attack vector for adversaries seeking to deploy ransomware and other malware on Windows systems, whether through phishing emails or other means.
Microsoft has since temporarily suspended plans to disable Office macros in files downloaded from the internet, with the company telling The Hacker News it was taking the time to make “additional changes to improve usability”.