Rozena backdoor delivered by exploiting the Follina bug

Threat actors are exploiting the disclosed Follina Windows vulnerability to distribute the Rozena backdoor.

Fortinet FortiGuard Labs researchers observed a phishing campaign that is leveraging the recently disclosed Follina security vulnerability (CVE-2022-30190, CVSS score 7.8) to distribute the Rozena backdoor on Windows systems.

The Follina issue is a remote code execution vulnerability that resides in the Microsoft Windows Support Diagnostic Tool (MSDT).

The Rozena backdoor is able to inject a remote shell connection back to the attacker’s machine

The attack chain leverages a weaponized Office document that once clicked, it starts connecting to an external Discord CDN URL to download an HTML file (index.htm).

Then the HTML file invokes the msdt.exe tool with a PowerShell command which also invokes another web request to download the Rozena backdoor and save it as “Word.exe.”

“The PowerShell code will download one batch file cd.bat and start it with no window to hide itself. Then it invokes another web request to download Rozena and saves as “Word.exe” in the Windows Tasks folder.” reads the post published by Fortinet FortiGuard Labs.

“the attacker decided to distract the victim. The original file has no content besides an external link in oleObject. To keep the victim from noticing anything odd the batch file downloads another Word document, 1c9c88f811662007.docx with a lot of pictures in it. To make it seem more real, this document is saved in directory C:\\users\$env:USERNAME\Downloads, with a shorter name, 18562.docx.”

The main feature of the Rozena backdoor is to inject shellcode that launches a reverse shell to the attacker’s machine (“microsofto.duckdns[.]org”), in this way the attacker can take full control of the system.

Once the Rozena executable is run, it will create a process for a PowerShell command, experts pointed out that the decoded command has only one job to do, injecting the shellcode.

Additional technical details about the backdoor, including indicators of compromise (IoCs) are included in the analysis published by Fortinet.

“CVE-2022-30190 is a high-severity vulnerability that lets a malicious actor deliver malware though an MS Word document. Microsoft already released a patch for it on June 14, 2022. In this blog we showed how an attacker exploits Follina and included details of Rozena and the SGN ShellCode. Users should apply the patch immediately and also apply FortiGuard protection to avoid the threat.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Rozena backdoor)

[adrotate banner=”5″]

[adrotate banner=”13″]