State-Backed Hacker Believed to Be Behind Follina Attacks on EU and US
An unidentified state actor is reportedly running a phishing campaign that targets European and local US government entities by exploiting the Follina Office vulnerability. Security researchers at Proofpoint spotted the attempts and disclosed them on Twitter last Friday from the company's Threat Insight account. In the series of tweets, the company describes the details of the campaign, including that it is targeting Proofpoint customers in the US and Europe.
According to Proofpoint, the campaign consisted of phishing emails posing as government resources offering a salary increase. The malicious emails carried RTF files that downloaded an exploit payload. The PowerShell script was reportedly base64 encoded, according to Proofpoint. Once executed, the script would check for virtualization, steal information from browsers, mail clients, and file services, and perform reconnaissance of the machine. Proofpoint has not linked the campaign to any specific group; however, it believes the perpetrator may be a nation-state actor.
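One defender-side check that the description above suggests is to decode base64-encoded PowerShell found in process-creation telemetry and flag the behaviours the report names (virtualization checks, browser data access, host reconnaissance). The following Python is an added example, not code from the article or from Proofpoint; the log line format, hostnames, sample script content and indicator patterns are all constructed for illustration and are not indicators from the campaign itself.

```python
import base64
import re

# Constructed process-creation log lines, modelled loosely on Windows process audit
# events. They are made-up sample data for this example, not records from the
# campaign Proofpoint described. Assumed field format: "ts | host=... | image=... | cmdline=...".


def _encode_ps(script: str) -> str:
    """Build the base64 form PowerShell expects for -EncodedCommand (UTF-16LE).
    Used here only to construct the sample log line."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed, harmless stand-in for a decoded script; it only contains the
# strings the indicator patterns below look for.
_SUSPICIOUS_SCRIPT = "Get-WmiObject Win32_ComputerSystem; Get-Item 'Login Data'; systeminfo"

SAMPLE_LOGS = [
    "2022-07-25T10:01:02Z | host=ws-01 | image=C:\\Windows\\System32\\cmd.exe | cmdline=cmd.exe /c dir",
    "2022-07-25T10:01:40Z | host=ws-02 | image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    " | cmdline=powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1",
    "2022-07-25T10:02:11Z | host=ws-01 | image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    f" | cmdline=powershell.exe -nop -w hidden -enc {_encode_ps(_SUSPICIOUS_SCRIPT)}",
]

# -EncodedCommand and the abbreviated spellings powershell.exe accepts for it.
_ENC_ARG = re.compile(r"-e(?:ncodedcommand|ncoded|nc|c)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Behaviours the article attributes to the script, expressed as string indicators
# a defender might search for in decoded content. Patterns are illustrative only.
INDICATORS = {
    "virtualization check": re.compile(r"Win32_ComputerSystem|VMware|VirtualBox|Hyper-V", re.I),
    "browser data access": re.compile(r"Login Data|logins\.json|Cookies", re.I),
    "host recon": re.compile(r"systeminfo|whoami|Win32_OperatingSystem|ipconfig", re.I),
}


def parse_log_line(line: str) -> dict:
    """Split one constructed 'ts | k=v | k=v' log line into a dict."""
    ts, *fields = [part.strip() for part in line.split(" | ")]
    record = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload as text, or None when the command
    line carries none or the payload is not valid base64 / UTF-16LE."""
    match = _ENC_ARG.search(cmdline)
    if not match:
        return None
    try:
        raw = base64.b64decode(match.group(1), validate=True)
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def analyze_logs(lines) -> list:
    """Return one finding per PowerShell launch with a decodable encoded command,
    listing which indicator categories the decoded script matched."""
    findings = []
    for line in lines:
        record = parse_log_line(line)
        if not record.get("image", "").lower().endswith("powershell.exe"):
            continue
        script = decode_encoded_command(record.get("cmdline", ""))
        if script is None:
            continue
        hits = sorted(name for name, pattern in INDICATORS.items() if pattern.search(script))
        findings.append({"ts": record["ts"], "host": record["host"],
                         "decoded": script, "indicators": hits})
    return findings


if __name__ == "__main__":
    for finding in analyze_logs(SAMPLE_LOGS):
        print(f"{finding['ts']} {finding['host']}: encoded PowerShell, indicators={finding['indicators']}")
        print("  decoded:", finding["decoded"])
```

Run against the constructed sample, the cmd.exe line is ignored, the plain `-File` launch yields no encoded payload, and only the `-enc` launch on `ws-01` is reported, with all three indicator categories matched. Any encoded command that fails to decode is skipped rather than crashing the scan, which matters when telemetry truncates long command lines.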