New phishing campaign exploits Follina for Rozena backdoor delivery

Windows systems are being targeted by a new phishing campaign that exploits the Follina vulnerability, tracked as CVE-2022-30190, to deploy the Rozena backdoor, which has remote shell injection capabilities, The Hacker News reports. Threat actors begin the attack with a weaponized Office document that connects to a Discord CDN URL to retrieve an HTML file, which in turn downloads the next-stage payloads, including the Rozena implant and a batch file that terminates Microsoft Windows Support Diagnostic Tool processes, according to a report from Fortinet FortiGuard Labs. Researchers noted that Rozena injects shellcode that adds a reverse shell to the host, eventually allowing attackers to take over the system while maintaining persistence. Attacks abusing the Follina flaw for malware delivery come after the similar exploitation of Windows shortcut, Microsoft Excel, and ISO image files in social engineering attacks aimed at spreading the Emotet, IcedID, Bumblebee, and QBot malware strains.
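The chain above leaves two recognisable traces in process-creation telemetry: an Office application launching the Support Diagnostic Tool (msdt.exe, the component Follina abuses), and a later cleanup step killing msdt.exe processes. The following is an added detection example, not code from the article or from Fortinet; it runs over constructed events whose field names (ParentImage, Image, CommandLine) are assumed to mirror Sysmon Event ID 1 style logs, and the Office process names and the `ms-msdt:` protocol string are the detection author's assumptions, not indicators quoted from the report.

```python
"""Toy hunting rules for the Follina (CVE-2022-30190) delivery chain.

The events below are constructed samples in a Sysmon-like shape, not
telemetry from the reported campaign. Field names are an assumption."""

from typing import Dict, List, Optional, Tuple

# Office hosts that should never need to launch the diagnostic tool
# (assumed list; extend for other document-handling applications).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a rule name if the event matches a Follina-chain signal, else None."""
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "").lower()

    # Rule 1: an Office process spawning msdt.exe is the core Follina signal.
    if parent in OFFICE_PARENTS and image == "msdt.exe":
        return "office-spawned-msdt"

    # Rule 2: the ms-msdt: protocol handler appearing on any command line
    # (assumed indicator of the handler being invoked outside normal use).
    if "ms-msdt:" in cmdline:
        return "ms-msdt-protocol"

    # Rule 3: something terminating msdt.exe, matching the cleanup batch
    # file the report describes.
    if image == "taskkill.exe" and "msdt.exe" in cmdline:
        return "msdt-process-kill"

    return None


# Constructed sample events: one benign Office launch, one Office->msdt
# launch, one cleanup step, and one legitimate msdt run from explorer.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ProcessId": "1001", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"WINWORD.EXE" /n invoice.docx'},
    {"ProcessId": "1002",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\msdt.exe",
     "CommandLine": r'"msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_BrowseForFile=..."'},
    {"ProcessId": "1003", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\taskkill.exe",
     "CommandLine": "taskkill /F /IM msdt.exe"},
    {"ProcessId": "1004", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\msdt.exe",
     "CommandLine": "msdt.exe -id DeviceDiagnostic"},
]


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Return (ProcessId, rule) pairs for every event that trips a rule."""
    findings = []
    for event in events:
        hit = classify(event)
        if hit is not None:
            findings.append((int(event["ProcessId"]), hit))
    return findings


if __name__ == "__main__":
    for pid, rule in scan(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

Event 1004 shows why rule 1 keys on the parent rather than on msdt.exe alone: the diagnostic tool is launched legitimately from the shell and control panel, so alerting on every msdt.exe start would drown the real signal. Rule 3 is weaker on its own (administrators do kill hung diagnostics) and is best treated as corroborating context for a rule 1 or rule 2 hit on the same host within a short window.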