"Cobalt Strike And CredoMap Malware Used by Russian Government Hackers to Attack Ukraine"

According to the Ukrainian Computer Emergency Response Team (CERT-UA), Russian hacker gangs have been using the Follina code execution vulnerability in recent phishing attempts to install the CredoMap malware and Cobalt Strike beacons. The APT28 hacking group is suspected of sending emails containing the attachment "Nuclear Terrorism A Very Real Threat.rtf." The threat actors chose this subject to entice users to open the email, capitalizing on Ukrainians' widespread fear of a nuclear attack. They used a similar strategy in May 2022, when CERT-UA discovered the spread of fraudulent documents warning about a chemical attack.

The RTF document attempts to use Follina to download and run the CredoMap malware on a target's machine. This vulnerability in the Microsoft Diagnostic Tool has been exploited in the wild since at least April 2022; it allows malicious downloads to be initiated simply by opening a document file or, in the case of RTFs, by viewing the file in the Windows preview window. CredoMap attempts to steal information such as account passwords and cookies from Chrome, Edge, and Firefox. It uses the IMAP email protocol to transfer the stolen data to the command-and-control (C2) address, which is hosted on an abandoned Dubai-based website.

This article continues to discuss APT28's exploitation of the Follina code execution vulnerability in recent phishing attempts to install CredoMap malware and Cobalt Strike beacons.
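As an added example (not from the CERT-UA report or the CyberIntelMag article), the following Python checks process-creation records for the behaviour the summary describes: the Microsoft Diagnostic Tool (msdt.exe) being launched by a process that renders documents, or being invoked through its ms-msdt: protocol handler. The record fields, the set of document-rendering parent processes, and the sample events are constructed for illustration and are assumptions, not indicators taken from the article.

```python
"""Flag process-creation events consistent with document-triggered
launches of the Microsoft Diagnostic Tool (msdt.exe).

Everything below is constructed for illustration: the event schema is
assumed, and the sample events are not taken from any real incident.
"""
from dataclasses import dataclass

# Processes that render documents and therefore should not normally be
# launching the diagnostic tool. Office binaries are well known; prevhost.exe
# (the Explorer preview-handler host) is included as an assumption to cover
# the preview-pane case the article mentions.
DOCUMENT_RENDERERS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "prevhost.exe",
}
DIAGNOSTIC_TOOL = "msdt.exe"


@dataclass
class ProcessEvent:
    """A minimal process-creation record (assumed schema)."""
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_reasons(event: ProcessEvent) -> list[str]:
    """Return the reasons an event looks like a document-triggered msdt launch.

    An empty list means the event is not flagged.
    """
    reasons = []
    child = _basename(event.image)
    parent = _basename(event.parent_image)

    # Rule 1: the diagnostic tool spawned directly by a document renderer.
    if child == DIAGNOSTIC_TOOL and parent in DOCUMENT_RENDERERS:
        reasons.append(f"{DIAGNOSTIC_TOOL} spawned by document renderer {parent}")

    # Rule 2: the ms-msdt: protocol handler on the command line. Normal
    # troubleshooter launches from the Settings UI do not pass a URI.
    if "ms-msdt:" in event.command_line.lower():
        reasons.append("ms-msdt: protocol handler present in command line")

    return reasons


def scan(events: list[ProcessEvent]) -> list[tuple[int, list[str]]]:
    """Return (index, reasons) for every flagged event."""
    hits = []
    for idx, event in enumerate(events):
        reasons = suspicious_reasons(event)
        if reasons:
            hits.append((idx, reasons))
    return hits


# Constructed sample events: one benign Word launch, one document-triggered
# msdt launch, one administrator running a troubleshooter the normal way.
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe",
                 OFFICE + r"\WINWORD.EXE",
                 '"WINWORD.EXE" /n "C:\\Users\\user\\report.rtf"'),
    ProcessEvent(OFFICE + r"\WINWORD.EXE",
                 r"C:\Windows\System32\msdt.exe",
                 'msdt.exe ms-msdt:/id PCWDiagnostic /skip force '
                 '/param "[constructed placeholder]"'),
    ProcessEvent(r"C:\Windows\System32\svchost.exe",
                 r"C:\Windows\System32\msdt.exe",
                 "msdt.exe -id DeviceDiagnostic -skip"),
]


if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS):
        print(f"event {idx}: " + "; ".join(reasons))
```

Only the second sample event is flagged, on both rules; the administrator-launched troubleshooter is not, because neither its parent nor its command line matches. In a real deployment the same two rules map directly onto Sysmon or EDR process-creation telemetry, and the parent-process set should be tuned to the preview and mail-client binaries actually present in the environment.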

CyberIntelMag reports "Cobalt Strike And CredoMap Malware Used by Russian Government Hackers to Attack Ukraine"

Submitted by Anonymous on