Russian dissidents targeted with MSHTML-exploiting phishing campaign

Russian individuals and government entities that do not agree with the country's actions in the ongoing invasion of Ukraine are being targeted in a spearphishing campaign led by a Ukraine-based threat actor, Threatpost reports. MalwareBytes researchers discovered that the attacker impersonates the Ministry of Digital Development, Telecommunications and Mass Communications of the Russian Federation, as well as the Federal Service for Supervision of Communications, Information Technology and Mass Communications in emails warning entities leveraging social networking sites, websites, instant messaging applications, and VPN services that have been banned by the Russian government that they will face punishment for their actions. The attacker has been using two documents that exploit the already patched MSHTML vulnerability, tracked as CVE-2021-40444. A new MSHTML exploit variant dubbed "CABLESS" has also been leveraged in the campaign. "Even though CVE-2021-40444 has been used in a few attacks in the past, to the best of our knowledge this was the first time we observed an attacker use RTF files instead of Word documents to exploit this vulnerability," wrote MalwareBytes Threat Intelligence Analyst Hossein Jazi.