Russia-Linked “Fancy Bear” Exploiting Follina in New Phishing Campaign



A Russia-linked advanced persistent threat (APT) group referred to as “Fancy Bear” (aka “APT28,” “Strontium,” or “Sofacy”) has launched a new phishing campaign that paradoxically takes advantage of users’ fear of nuclear war to exploit the recently discovered one-click Microsoft Office vulnerability called “Follina.”


The campaign, seemingly motivated by the Russia-Ukraine conflict, aims to leverage Follina (CVE-2022-30190)—a one-click Microsoft Office flaw—to compromise operating systems, with a second stage that extracts credentials from Chrome, Firefox, and Edge browsers. This is according to research published by Malwarebytes Threat Intelligence over the last several days.


According to Malwarebytes, “This is the first time we’ve observed APT28 using Follina in its operations.” The researchers first observed the weaponized document on 20 June 2022, noting that it downloads and executes a .NET stealer tool first discovered by Google earlier this year. The Threat Analysis Group (TAG) at Google also asserted that Fancy Bear has been using this cyber weapon to specifically target users in Ukraine. The researchers said that the current campaign employs a Word document with the title “Nuclear Terrorism A Very Real Threat,” containing an article by that name published by the Atlantic Council, an international affairs group, which explores the possibility that Vladimir Putin will use nuclear weapons in the current conflict.


Independently from Malwarebytes and Google, the Computer Emergency Response Team of Ukraine (CERT-UA) also observed the malicious attachment being used by Fancy Bear in recent phishing email blasts across Ukrainian networks. As time and resources allow, the group will no doubt expand the scope of attacks to include the citizens of Ukraine-friendly countries.


Since the early days of the Russian invasion, CERT-UA has watched Fancy Bear—among many other Russia-linked cybercrime and APT groups—bombard Ukraine with cyber-attacks. Fancy Bear has previously been implicated in attacks attempting to interfere with United States and European elections.

In May, Follina was officially recognized as a zero-day with one-click exploitability: a malicious Microsoft Office document invokes the Microsoft Support Diagnostic Tool (MSDT) through the ms-msdt protocol handler, which executes the attacker’s payload when the document is opened.
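Because the exploit chain runs through MSDT, the clearest host-level signal for defenders is an Office application launching msdt.exe, or any process invoked with an ms-msdt: URI. The following detection sketch is an added example, not code from the original post or from any of the vendors it cites; the process-creation events, file paths and the PLACEHOLDER parameter are constructed to illustrate the pattern.

```python
"""Added example: flag Follina-style (CVE-2022-30190) process chains in
Sysmon-style process-creation events. All events here are constructed."""
import json
from typing import Iterable, Optional

# Office hosts that should not normally launch the diagnostic tool.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(event: dict) -> Optional[str]:
    """Reason string if the event matches a Follina pattern, else None."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "").lower()
    # Strongest signal: an Office application spawning msdt.exe at all.
    if image == "msdt.exe" and parent in OFFICE_PARENTS:
        return "msdt.exe spawned by Office process"
    # Weaker signal: the ms-msdt: URI handler invoked from any parent.
    if "ms-msdt:" in cmd:
        return "ms-msdt: protocol URI on command line"
    return None

def scan(lines: Iterable[str]) -> list:
    """Parse JSON-lines events; return [(record_number, reason)] for hits."""
    hits = []
    for n, line in enumerate(lines, 1):
        if line.strip():
            reason = classify(json.loads(line))
            if reason:
                hits.append((n, reason))
    return hits

# Constructed sample events (placeholder parameters, not a real payload).
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
MSDT = r"C:\Windows\System32\msdt.exe"
SAMPLE_EVENTS = [
    json.dumps({"Image": MSDT, "ParentImage": WORD,
                "CommandLine": f'"{MSDT}" ms-msdt:/id PCWDiagnostic /skip force /param PLACEHOLDER'}),
    json.dumps({"Image": MSDT, "ParentImage": r"C:\Windows\explorer.exe",
                "CommandLine": f'"{MSDT}" -id NetworkDiagnosticsWeb'}),  # legitimate troubleshooter
    json.dumps({"Image": r"C:\Windows\splwow64.exe", "ParentImage": WORD,
                "CommandLine": r"C:\Windows\splwow64.exe 12288"}),  # benign print helper
    json.dumps({"Image": MSDT, "ParentImage": r"C:\Windows\explorer.exe",
                "CommandLine": f'"{MSDT}" ms-msdt:/id PCWDiagnostic /skip force'}),
]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))  # expected: events 1 and 4 flagged
```

Only the first and fourth sample events are flagged; the legitimate troubleshooter launch and the Word print helper pass through.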



The Microsoft vulnerability has a wide attack surface, as it has the potential to affect anyone using Microsoft Office and affects all supported versions of Windows. Microsoft patched Follina in its June Patch Tuesday release but, with many organizations failing to update software quickly, attackers are continuing to find vulnerable targets. Fancy Bear has apparently also worked to reduce blocking of its emails by security solutions by compromising legitimate organizations’ web servers and using them as the source of the phishing attacks, relying on the sites’ good reputations among security tools that use reference lists of known good and bad systems on the web.


Webcheck Security stands ready to assist your organization in reducing its risk exposure related to such bad actors as Fancy Bear and attack methods that take advantage of zero-day exploits such as Follina. Webcheck consultants will provide a free consultation to review your organization’s needs and present the most efficacious ways in which we can serve you.


To read more about Follina click here.

