Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Rozena backdoor delivered by exploiting the Follina bug

Threat actors are exploiting the disclosed Follina Windows vulnerability to distribute the Rozena backdoor. Fortinet FortiGuard Labs researchers observed a phishing campaign that is leveraging the recently disclosed Follina security vulnerability (CVE-2022-30190, CVSS score 7.8) to distribute the Rozena backdoor on Windows systems. The Follina issue is a remote code execution vulnerability that resides in […]

Folina Rozena backdoor 2

Threat actors are exploiting the disclosed Follina Windows vulnerability to distribute the Rozena backdoor.

Fortinet FortiGuard Labs researchers observed a phishing campaign that is leveraging the recently disclosed Follina security vulnerability (CVE-2022-30190, CVSS score 7.8) to distribute the Rozena backdoor on Windows systems.

The Follina issue is a remote code execution vulnerability that resides in the Microsoft Windows Support Diagnostic Tool (MSDT).

The Rozena backdoor is able to inject a remote shell connection back to the attacker’s machine

The attack chain leverages a weaponized Office document that once clicked, it starts connecting to an external Discord CDN URL to download an HTML file (index.htm).

Folina Rozena backdoor

Then the HTML file invokes the msdt.exe tool with a PowerShell command which also invokes another web request to download the Rozena backdoor and save it as “Word.exe.”

“The PowerShell code will download one batch file cd.bat and start it with no window to hide itself. Then it invokes another web request to download Rozena and saves as “Word.exe” in the Windows Tasks folder.” reads the post published by Fortinet FortiGuard Labs.

“the attacker decided to distract the victim. The original file has no content besides an external link in oleObject. To keep the victim from noticing anything odd the batch file downloads another Word document, 1c9c88f811662007.docx with a lot of pictures in it. To make it seem more real, this document is saved in directory C:\\users\$env:USERNAME\Downloads, with a shorter name, 18562.docx.”

The main feature of the Rozena backdoor is to inject shellcode that launches a reverse shell to the attacker’s machine (“microsofto.duckdns[.]org”), in this way the attacker can take full control of the system.

Once the Rozena executable is run, it will create a process for a PowerShell command, experts pointed out that the decoded command has only one job to do, injecting the shellcode.

Folina Rozena backdoor 2

Additional technical details about the backdoor, including indicators of compromise (IoCs) are included in the analysis published by Fortinet.

“CVE-2022-30190 is a high-severity vulnerability that lets a malicious actor deliver malware though an MS Word document. Microsoft already released a patch for it on June 14, 2022. In this blog we showed how an attacker exploits Follina and included details of Rozena and the SGN ShellCode. Users should apply the patch immediately and also apply FortiGuard protection to avoid the threat.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Rozena backdoor)

[adrotate banner=”5″]

[adrotate banner=”13″]