Fancy Bear Uses Nuke Threat Lure to Exploit 1-Click Bug

The APT is pairing a known Microsoft flaw with a malicious document to load malware that nabs credentials from Chrome, Firefox and Edge browsers.

Advanced persistent threat group Fancy Bear is behind a phishing campaign that uses the specter of nuclear war to exploit a known one-click Microsoft flaw. The goal is to deliver malware that can steal credentials from the Chrome, Firefox and Edge browsers.

The attacks by the Russia-linked APT are tied to the war between Russia and Ukraine, according to researchers at Malwarebytes Threat Intelligence. In a blog post published this week, they report that Fancy Bear is pushing malicious documents weaponized with the exploit for Follina (CVE-2022-30190), a known Microsoft one-click flaw.

“This is the first time we’ve observed APT28 using Follina in its operations,” researchers wrote in the post. Fancy Bear is also known as APT28, Strontium and Sofacy.

On June 20, Malwarebytes researchers first observed the weaponized document, which downloads and executes a .Net stealer first reported by Google. Google’s Threat Analysis Group (TAG) said Fancy Bear has already used this stealer to target users in Ukraine.

The Computer Emergency Response Team of Ukraine (CERT-UA) also independently discovered the malicious document used by Fancy Bear in the recent phishing campaign, according to Malwarebytes.

Bear on the Loose

CERT-UA previously identified Fancy Bear as one of the numerous APTs pummeling Ukraine with cyber-attacks in parallel with the invasion by Russian troops that began in late February. The group is believed to be operating at the behest of Russian intelligence to gather information useful to the agency.

In the past, Fancy Bear has been linked to attacks targeting elections in the United States and Europe, as well as hacks against sporting and anti-doping agencies related to the 2020 Olympic Games.

Researchers first flagged Follina in April, but only in May was it officially identified as a zero-day, one-click exploit. Follina is associated with the Microsoft Support Diagnostic Tool (MSDT) and uses the ms-msdt protocol to load malicious code from Word or other Office documents when they’re opened.

The bug is dangerous for a number of reasons–not the least of which is its wide attack surface, as it basically affects anyone using Microsoft Office on all currently supported versions of Windows. If successfully exploited, attackers can gain user rights to effectively take over a system and install programs, view, change or delete data, or create new accounts.

Microsoft recently patched Follina in its June Patch Tuesday release but it remains under active exploit by threat actors, including known APTs.

Threat of Nuclear Attack

Fancy Bear’s Follina campaign targets users with emails carrying a malicious RTF file called “Nuclear Terrorism A Very Real Threat” in an attempt to prey on victims’ fears that the invasion of Ukraine will escalate into a nuclear conflict, researchers said in the post. The content of the document is an article from the international affairs group Atlantic Council that explores the possibility that Putin will use nuclear weapons in the war in Ukraine.

The malicious file uses a remote template embedded in the Document.xml.rels file to retrieve a remote HTML file from the URL http://kitten-268[.]frge[.]io/article[.]html. The HTML file then uses a JavaScript call to window.location.href to load and execute an encoded PowerShell script using the ms-msdt MSProtocol URI scheme, researchers said.
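The two document-side artifacts described above, an external template relationship in a .rels part and an ms-msdt: URI in the fetched HTML, are easy to check for on the defender side. The following added example (not code from Malwarebytes or from the original post) scans an OOXML container for external attachedTemplate relationships and scans retrieved text for ms-msdt: URIs; it assumes a .docx-style ZIP layout, which is where a Document.xml.rels part lives, and the sample document and HTML it builds are constructed with placeholder values.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML relationship namespace and the attachedTemplate relationship type (both part of the OOXML standard).
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
# Any ms-msdt: URI in content fetched by a document is a red flag; the parameters are irrelevant for detection.
MSDT_URI_RE = re.compile(r"""ms-msdt:[^"'<>]*""", re.IGNORECASE)


def find_remote_templates(docx_bytes: bytes) -> list[tuple[str, str]]:
    """Return (rels part, target) for every attachedTemplate relationship pointing outside the package.
    Every .rels part is scanned: Word normally keeps the link in settings.xml.rels, while the
    write-up names document.xml.rels, so checking only one location would miss the other."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for part in zf.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(part))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode") == "External" and rel.get("Type") == ATTACHED_TEMPLATE:
                    hits.append((part, rel.get("Target", "")))
    return hits


def find_msdt_uris(text: str) -> list[str]:
    """Return every ms-msdt: URI found in HTML or script text retrieved by a remote template."""
    return MSDT_URI_RE.findall(text)


def build_sample_docx() -> bytes:
    """Constructed minimal .docx whose document.xml.rels carries an external template link (placeholder URL)."""
    rels = ('<?xml version="1.0" encoding="UTF-8"?>'
            f'<Relationships xmlns="{RELS_NS}">'
            f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
            'Target="http://example.invalid/article.html" TargetMode="External"/>'
            '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/'
            '2006/relationships/styles" Target="styles.xml"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/document.xml.rels", rels)
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


# Constructed stand-in for the retrieved HTML; the URI parameters are a placeholder, not a payload.
SAMPLE_HTML = '<script>window.location.href = "ms-msdt:/id PLACEHOLDER_PARAMETERS";</script>'

if __name__ == "__main__":
    print(find_remote_templates(build_sample_docx()))
    print(find_msdt_uris(SAMPLE_HTML))
```

A benign document can legitimately reference a template on a trusted internal share, so treat an http(s) target outside the organisation, or any ms-msdt: hit, as the alert condition rather than the presence of a template link alone.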

The PowerShell script loads the final payload, a variant of the .Net stealer previously identified by Google in other Fancy Bear campaigns in Ukraine. While the oldest variant of the stealer used a fake error message pop-up to distract users from what it was doing, the variant used in the nuclear-themed campaign does not, researchers said.

In other functionality, the recently seen variant is “almost identical” to the earlier one, “with just a few minor refactors and some additional sleep commands,” they added.

As with the previous variant, the stealer’s main purpose is to steal data, including website credentials such as username, password and URL, from several popular browsers, including Google Chrome, Microsoft Edge and Firefox. The malware then uses the IMAP email protocol to exfiltrate data to its command-and-control server in the same way the earlier variant did, but this time to a different domain, researchers said.

“The old variant of this stealer connected to mail[.]sartoc.com (144.208.77.68) to exfiltrate data,” they wrote. “The new variant uses the same method but a different domain, www.specialityllc[.]com. Interestingly both are located in Dubai.”

The owners of the websites most likely have nothing to do with APT28, with the group simply taking advantage of abandoned or vulnerable sites, researchers added.
