"Hackers Exploiting Follina Bug to Deploy Rozena Backdoor"

A new phishing campaign has been discovered using the recently disclosed Follina vulnerability to distribute a previously unknown backdoor on Windows systems. According to Fortinet FortiGuard Labs researcher Cara Lin, the backdoor, named Rozena, injects shellcode that opens a remote shell connection back to the attacker's machine.

Follina, tracked as CVE-2022-30190, is a now-patched remote code execution (RCE) vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT). It has been heavily exploited in the weeks since it came to light in late May 2022.

The latest attack chain begins with a weaponized Office document. When opened, it connects to a Discord CDN URL to retrieve an HTML file, which in turn invokes the diagnostic utility via a PowerShell command to download next-stage payloads from the same CDN attachment space. These include the Rozena implant and a batch file that terminates MSDT processes, establishes the backdoor through a Windows Registry modification, and downloads a harmless Word document as a decoy.

Once running, Rozena's primary function is to inject shellcode that launches a reverse shell to the attacker's host, giving the operator control of the system to monitor it and capture data while keeping a persistent backdoor into the compromised machine.

The Follina flaw is being used to distribute malware via malicious Word documents as part of a wider wave of social engineering attacks that also use Microsoft Excel, Windows shortcut (LNK), and ISO image files as droppers to deploy malware such as Emotet, QBot, IcedID, and Bumblebee to a victim's device. This article continues to discuss the exploitation of the Follina vulnerability to deploy the Rozena backdoor.
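For defenders, the useful part of the chain above is that it leaves a distinctive process tree: an Office process spawning msdt.exe, followed by a script that kills MSDT and writes to the registry. The following detection pass is an added example, not code from the article or from Fortinet's report. It runs over constructed process-creation events in a made-up "parent=|image=|cmd=" format; the ms-msdt: protocol handler and the PCWDiagnostic / IT_BrowseForFile markers it looks for come from the publicly documented Follina technique rather than from this page, and the registry key in the sample is a placeholder, not the one the campaign modified.

```python
"""Detection pass over process-creation events for the Follina -> Rozena chain
summarised above.  Added example; the log lines and their 'parent=|image=|cmd='
format are constructed for this demonstration, not taken from the article."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Office processes that a Follina document abuses as the parent of msdt.exe.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Markers of the public Follina technique (not spelled out on the page):
# the ms-msdt: protocol handler, and the PCWDiagnostic troubleshooter whose
# IT_BrowseForFile parameter is used to smuggle a PowerShell payload.
MSDT_URI = re.compile(r"ms-msdt:", re.IGNORECASE)
PCW_PAYLOAD = re.compile(r"PCWDiagnostic.*IT_BrowseForFile", re.IGNORECASE)
REG_ADD = re.compile(r"\breg(\.exe)?\s+add\b", re.IGNORECASE)


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str

    @staticmethod
    def _basename(path: str) -> str:
        return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

    @property
    def parent_name(self) -> str:
        return self._basename(self.parent_image)

    @property
    def image_name(self) -> str:
        return self._basename(self.image)


def parse_event(line: str) -> ProcessEvent:
    """Parse 'parent=<path>|image=<path>|cmd=<command line>' (constructed format).
    The command line may itself contain '|', so split at most twice."""
    fields = {}
    for part in line.split("|", 2):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return ProcessEvent(fields["parent"], fields["image"], fields["cmd"])


def classify(ev: ProcessEvent) -> list[str]:
    """Return the detection names that fire for one event (empty list if benign)."""
    findings = []
    cmd = ev.command_line
    # Delivery stage: Office spawning the diagnostic tool with a ms-msdt: URI.
    if ev.image_name == "msdt.exe" and ev.parent_name in OFFICE_PARENTS:
        findings.append("office-spawned-msdt")
    if ev.image_name in {"msdt.exe", "sdiagnhost.exe"} and MSDT_URI.search(cmd):
        findings.append("ms-msdt-uri")
    if PCW_PAYLOAD.search(cmd):
        findings.append("pcwdiagnostic-browseforfile-payload")
    # Batch-file stage described above: kill MSDT, then write to the registry.
    if ev.image_name == "taskkill.exe" and "msdt" in cmd.lower():
        findings.append("msdt-process-termination")
    if ev.image_name == "reg.exe" and ev.parent_name == "cmd.exe" and REG_ADD.search(cmd):
        findings.append("script-registry-write")
    return findings


def scan(lines: list[str]) -> list[tuple[int, list[str]]]:
    """(1-based line number, findings) for every event that fires at least one rule."""
    hits = []
    for n, line in enumerate(lines, 1):
        found = classify(parse_event(line))
        if found:
            hits.append((n, found))
    return hits


def chain_stages(lines: list[str]) -> dict[str, bool]:
    """Correlate single-event hits into the two stages of the chain on this page."""
    seen = {name for _, names in scan(lines) for name in names}
    return {
        "delivery": "office-spawned-msdt" in seen and "ms-msdt-uri" in seen,
        "cleanup_and_persistence": "msdt-process-termination" in seen
        and "script-registry-write" in seen,
    }


# Constructed telemetry: a benign Word launch, the exploit, the batch stage,
# and a benign interactive msdt run.  The registry key and file names are
# placeholders, not the ones the campaign used.
SAMPLE_LOG = [
    r"parent=C:\Windows\explorer.exe|image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|cmd=WINWORD.EXE /n C:\Users\alice\Downloads\invoice.docx",
    r'parent=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|image=C:\Windows\System32\msdt.exe|cmd=msdt.exe ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression([System.Convert]::FromBase64String("STAGE-OMITTED")))"',
    r"parent=C:\Windows\System32\cmd.exe|image=C:\Windows\System32\taskkill.exe|cmd=taskkill /F /IM msdt.exe",
    r"parent=C:\Windows\System32\cmd.exe|image=C:\Windows\System32\reg.exe|cmd=reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d C:\Users\alice\AppData\Local\Temp\payload.exe /f",
    r"parent=C:\Windows\explorer.exe|image=C:\Windows\System32\msdt.exe|cmd=msdt.exe -id DeviceDiagnostic",
]

if __name__ == "__main__":
    for n, names in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(names)}")
    print(chain_stages(SAMPLE_LOG))
```

The per-event rules are deliberately split so that a plain user-launched troubleshooter (last sample line) or a normal Word start (first line) does not fire; only the correlation in chain_stages ties the Office-to-MSDT delivery to the kill-and-persist batch stage the article describes. The rules detect, they do not prevent: Microsoft's interim workaround for CVE-2022-30190, which is not covered on this page, was to unregister the ms-msdt protocol handler until the patch was applied.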

THN reports "Hackers Exploiting Follina Bug to Deploy Rozena Backdoor"

Submitted by Anonymous on