Russian hackers are attacking Ukraine by exploiting Follina

Last month we told you about Follina, a zero-day vulnerability affecting Microsoft Office that allows arbitrary code execution through the Microsoft Support Diagnostic Tool (MSDT): a weaponised document makes Word fetch a remote HTML resource, and that resource invokes an ms-msdt: URI that runs attacker-supplied commands with the privileges of the user who opened the file, without macros being enabled. The flaw, tracked as CVE-2022-30190, affects all Windows client and server platforms that still receive security updates (Windows 7 and later, Windows Server 2008 and later).

Recently, the Ukrainian Computer Emergency Response Team (CERT-UA) warned that Russian hacker groups are using Follina in new phishing campaigns aimed at installing the CredoMap malware and a Cobalt Strike beacon. In the CredoMap campaign an RTF document was used to download and install the malware, while in the Cobalt Strike campaign a .docx file named "Imposition of penalties.docx" retrieved the payload (ked.dll) from a remote resource.
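Both lures described above rely on the same delivery trait: an Office document that carries a link to a remote object rather than a macro. The following scanner is an added example written for this article, not code from CERT-UA, Bleeping Computer, or the campaigns themselves. It implements a triage heuristic for inbound .docx and .rtf attachments: for .docx it opens the OOXML package and flags OLE object relationships whose TargetMode is External and whose target is an http(s) URL; for RTF it flags the ms-msdt: scheme, the \objautlink control word (a linked object that updates on open), and remote URLs hidden in hex-encoded \objdata. The sample documents are constructed inline with the reserved hostname example.invalid; they are not the real lure files.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML constants used by Word for OLE object relationships.
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
RELS_PART = "word/_rels/document.xml.rels"


def scan_docx(data: bytes) -> list:
    """Flag OLE object relationships that point to a remote (External) URL."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if RELS_PART not in zf.namelist():
            return findings
        root = ET.fromstring(zf.read(RELS_PART))
        for rel in root.findall(f"{{{RELS_NS}}}Relationship"):
            target = rel.get("Target", "")
            if (rel.get("TargetMode") == "External"
                    and rel.get("Type") == OLE_REL_TYPE
                    and re.match(r"^https?://", target, re.I)):
                findings.append(f"external OLE object relationship -> {target}")
    return findings


# Plain-text indicators for the RTF variant.
RTF_PATTERNS = [
    (re.compile(rb"ms-msdt:", re.I), "ms-msdt: URI scheme"),
    (re.compile(rb"\\objautlink", re.I), "auto-updating linked OLE object"),
]


def scan_rtf(data: bytes) -> list:
    """Flag MSDT indicators and remote URLs inside hex-encoded \\objdata blobs."""
    findings = [label for pat, label in RTF_PATTERNS if pat.search(data)]
    for m in re.finditer(rb"\\objdata\s*([0-9a-fA-F\s]+)", data):
        try:
            blob = bytes.fromhex(re.sub(rb"\s", b"", m.group(1)).decode())
        except ValueError:
            continue  # not well-formed hex; ignore this run
        for url in re.findall(rb"https?://[^\x00\s\"'>]+", blob):
            findings.append(f"remote URL in OLE object data -> {url.decode(errors='replace')}")
    return findings


def scan_document(data: bytes) -> list:
    """Dispatch on magic bytes: OOXML packages are zip files, RTF starts with {\\rtf."""
    if data.startswith(b"PK\x03\x04"):
        return scan_docx(data)
    if data.startswith(b"{\\rtf"):
        return scan_rtf(data)
    return []


def build_sample_docx(target: str) -> bytes:
    """Constructed minimal .docx with one external OLE relationship (test input only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr(
            RELS_PART,
            f'<Relationships xmlns="{RELS_NS}">'
            f'<Relationship Id="rId1" Type="{OLE_REL_TYPE}" '
            f'Target="{target}" TargetMode="External"/>'
            "</Relationships>",
        )
    return buf.getvalue()


# Constructed samples (hostname example.invalid is an assumption, not a real IOC).
SAMPLE_DOCX = build_sample_docx("http://example.invalid/payload.html!")
SAMPLE_RTF = (
    b"{\\rtf1 {\\object\\objautlink\\objupdate{\\*\\objdata "
    + b"http://example.invalid/x.html".hex().encode()
    + b"}}}"
)

if __name__ == "__main__":
    for name, doc in (("docx", SAMPLE_DOCX), ("rtf", SAMPLE_RTF)):
        for finding in scan_document(doc):
            print(f"[{name}] {finding}")
```

A hit is a reason to detonate the file in a sandbox, not proof of Follina: legitimate documents can embed linked objects. The checks here deliberately look at document structure rather than the final ms-msdt: payload in the .docx case, because that payload lives on the attacker's server and is never present in the attachment itself.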

[Image: screenshot of the lure document. Photo credit: Bleeping Computer]
The group responsible for the CredoMap attack is APT28 (also known as STRONTIUM, Fancy Bear and Sofacy), which is believed to be linked to the Russian government and is mainly engaged in cyber espionage operations.

The Cobalt Strike campaign, by contrast, is attributed to UAC-0098. It too relied on a financial pretext, a document about non-payment of taxes, to draw in as many potential victims as possible, a lure made all the more effective by the current situation in Ukraine.