June 9, 2023

Reearchers seen a phishing campaign that is making use of Follina security vulnerability to distribute the Rozena backdoor on Windows systems.

The Rozena backdoor is able to inject a remote shell connection back to the attacker’s machine by leveraging weaponized Office document that once clicked, it starts connecting to an external Discord CDN URL to download an HTML file (index.htm).


Afert then, the HTML file invokes the msdt.exe tool with a PowerShell command which also invokes another web request to download the Rozena backdoor and save it as “Word.exe.”

The PowerShell code will download one batch file cd.bat and start it with no window to hide itself. Then it invokes another web request to download Rozena and saves as “Word.exe” in the Windows Tasks folder.

The original file has no content besides an external link in oleObject. To make it seem more real, this document is saved in directory C:\users\$env:USERNAME\Downloads, with 18562.docx.”


Rozena backdoor exclusive feature is to inject shellcode that launches a reverse shell to the attacker machine, in this way the attacker can take full control of the system.

Once the Rozena executable is run, it will create a process for a PowerShell command, experts pointed out that the decoded command has only one job to do, injecting the shellcode.

Users should apply the patch immediately to protect for this threat.


Indicators of Compromise

  • 432bae48edf446539cae5e20623c39507ad65e21cb757fb514aba635d3ae67d6
  • 5d8537bd7e711f430dc0c28a7777c9176269c8d3ff345b9560c8b9d4daaca002
  • 3558840ffbc81839a5923ed2b675c1970cdd7c9e0036a91a0a728af14f80eff3
  • 27f3bb9ab8fc66c1ca36fa5d62ee4758f1f8ff75666264c529b0f2abbade9133
  • 69377adfdfa50928fade860e37b84c10623ef1b11164ccc6c4b013a468601d88

Leave a Reply

%d bloggers like this: