Rozena Backdoor Malware Uses a Fileless Attack to Inject a Remote Shell on Windows

A phishing campaign observed recently leverages the newly disclosed Follina vulnerability to distribute a previously undocumented backdoor named Rozena on Windows systems.

The Follina flaw, tracked as CVE-2022-30190 and published in May 2022, is a remote code execution vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT).

A malicious external link embedded in a Microsoft Office document triggers the exploit: attackers inject a malicious OLE object into the file and lure victims into clicking the link or simply previewing the document.

  • CVE ID: CVE-2022-30190
  • Description: Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability
  • Released: May 30, 2022
  • CVSS: 7.0
  • Affected platforms: Microsoft Windows
  • Impacted parties: Microsoft Windows Users
  • Impact: Full Control of Affected Machine
  • Severity: Critical

Technical Analysis

In the latest attack chain observed by Fortinet, opening the weaponized document causes it to connect to a Discord CDN URL and retrieve an HTML file (“index.htm”).

That file in turn invokes a PowerShell command that starts the diagnostic utility, which then downloads the next-stage payloads from the same CDN attachment space.

The package contains two files, the Rozena implant (Word.exe) and a batch file (cd.bat), which perform the following tasks:

  • Terminate the MSDT process.
  • Modify the Windows Registry so the backdoor persists and remains undetected for a long time.
  • Download a harmless document to serve as a decoy Word document.

By injecting shellcode, the malware sends a reverse shell request to the attacker's host (“microsofto.duckdns[.]org”). This leaves a Rozena backdoor open on the compromised system, allowing the attacker to monitor and control it and capture information.
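The process chain described above (an Office process starting msdt.exe through the ms-msdt: handler, MSDT spawning a shell for the next stage, and a callback to the attacker's host) is what a defender would look for in endpoint telemetry. The following detection logic is an added example, not code from the article or from Fortinet. It runs over constructed, Sysmon-style process-creation and DNS events whose field names (`type`, `parent_image`, `image`, `command_line`, `query`) are assumptions, and the only indicator it uses is the C2 host named in the article; the diagnostic pack id in the sample command line is a placeholder.

```python
"""Detect the Follina (CVE-2022-30190) -> Rozena process chain in endpoint events.

Added example for the article above; not the article's or Fortinet's code.
Event field names are assumed (Sysmon-like): type, parent_image, image,
command_line for process events; type, query for DNS events.
"""
import re

# Office hosts that should never be the parent of msdt.exe.
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Shells that msdt.exe has no legitimate reason to spawn.
SHELL_PROCESSES = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# C2 host taken from the article (given there in defanged form).
KNOWN_C2_HOSTS = {"microsofto.duckdns.org"}
# The protocol handler abused by Follina to launch MSDT from a document.
MSDT_SCHEME = re.compile(r"\bms-msdt:", re.IGNORECASE)


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_process_event(ev: dict) -> list[str]:
    """Return a finding string for each Follina-chain rule the event matches."""
    findings = []
    parent = _basename(ev.get("parent_image", ""))
    image = _basename(ev.get("image", ""))
    cmdline = ev.get("command_line", "")
    if image == "msdt.exe" and parent in OFFICE_PROCESSES:
        findings.append(f"{parent} spawned msdt.exe (Office -> MSDT chain)")
    if image == "msdt.exe" and MSDT_SCHEME.search(cmdline):
        findings.append("msdt.exe launched via the ms-msdt: protocol handler")
    if parent == "msdt.exe" and image in SHELL_PROCESSES:
        findings.append(f"msdt.exe spawned {image} (next-stage download)")
    return findings


def check_dns_event(ev: dict) -> list[str]:
    """Flag name resolution of the known Rozena callback host."""
    host = ev.get("query", "").lower().rstrip(".")
    if host in KNOWN_C2_HOSTS:
        return [f"DNS query for known Rozena C2 host {host}"]
    return []


def scan(events: list[dict]) -> list[tuple[int, str]]:
    """Run every event through the matching checker; return (index, finding) pairs."""
    results = []
    for idx, ev in enumerate(events):
        if ev.get("type") == "process":
            hits = check_process_event(ev)
        elif ev.get("type") == "dns":
            hits = check_dns_event(ev)
        else:
            hits = []
        results.extend((idx, h) for h in hits)
    return results


# Constructed sample telemetry: two benign events are mixed in as controls.
SAMPLE_EVENTS = [
    {"type": "process",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\msdt.exe",
     "command_line": r'"C:\Windows\System32\msdt.exe" ms-msdt:/id PLACEHOLDER_PACK'},
    {"type": "process",                       # benign: user-launched troubleshooter
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msdt.exe",
     "command_line": r'"C:\Windows\System32\msdt.exe" /id PLACEHOLDER_PACK'},
    {"type": "process",
     "parent_image": r"C:\Windows\System32\msdt.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden PLACEHOLDER_DOWNLOAD_STAGE"},
    {"type": "process",                       # benign: Office print helper
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe",
     "command_line": "splwow64.exe"},
    {"type": "dns", "query": "microsofto.duckdns.org"},
    {"type": "dns", "query": "example.com"},  # benign control
]

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```

The parent/child rule is the durable one: the ms-msdt: string and the C2 host can change between campaigns, but Word or Excel starting msdt.exe has no legitimate counterpart and survives renamed payloads. Running the block prints four findings for events 0, 2 and 4 and stays silent for the three benign controls.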

Files and Malware Used

According to the Fortinet report, malicious Word documents are being used to spread malware that exploits the Follina flaw. The attackers pair the vulnerability with social engineering and the following file types:

  • Microsoft Excel
  • Windows shortcut (LNK)
  • ISO image files

All of these file types were used by the threat actors as droppers to deploy malware on the victim’s device. The types of malware used are listed below:

This critical vulnerability, CVE-2022-30190, can be exploited by threat actors to deliver malware via Word documents, giving malware an easy way to spread.

As of June 14, 2022, Microsoft has released a patch that addresses this issue, and FortiGuard’s cybersecurity analysts strongly recommend that users apply it immediately to close the vulnerability.


BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.