Security News > 2022 > June > Russian govt hackers hit Ukraine with Cobalt Strike, CredoMap malware
The Ukrainian Computer Emergency Response Team is warning that Russian hacking groups are exploiting the Follina code execution vulnerability in new phishing campaigns to install the CredoMap malware and Cobalt Strike beacons.
The RTF document used in the APT28 campaign attempts to exploit CVE-2022-30190, aka "Follina," to download and launch the CredoMap malware on a target's device.
CredoMap is an unknown malware strain detected by several AV engines on Virus Total, with numerous vendors classifying it as a password-stealing Trojan.
CERT-UA warned about CVE-2022-30190 exploitation by Russian hackers of the Sandworm group last week, but this time, the threat actors responsible for the attacks are identified as the APT28 group.
APT28 is a Russian hacking group focusing on cyber espionage and is believed to have ties to the Russian government.
In this case, CERT-UA says the threat actor uses a DOCX file named "Imposition of penalties.docx", and the payload fetched from a remote resource is a Cobalt Strike beacon with a recent compilation date.
News URL
Related news
- North Korean Hackers Target Cryptocurrency Users on LinkedIn with RustDoor Malware (source)
- North Korean Hackers Target Energy and Aerospace Industries with New MISTPEN Malware (source)
- Chinese Hackers Exploit GeoServer Flaw to Target APAC Nations with EAGLEDOOR Malware (source)
- Hackers deploy AI-written malware in targeted attacks (source)
- Russia's digital warfare on Ukraine shows no signs of slowing - Malware hits surge (source)
- N. Korean Hackers Deploy New KLogEXE and FPSpy Malware in Targeted Attacks (source)
- New HTML Smuggling Campaign Delivers DCRat Malware to Russian-Speaking Users (source)
- FIN7 hackers launch deepfake nude “generator” sites to spread malware (source)
- Microsoft and DOJ disrupt Russian FSB hackers' attack infrastructure (source)
- 100+ domains seized to stymie Russian Star Blizzard hackers (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-06-01 | CVE-2022-30190 | Externally Controlled Reference to a Resource in Another Sphere vulnerability in Microsoft products A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. | 7.8 |