Follina Vulnerability (CVE-2022-30190)
Summary
A zero-day vulnerability known as Follina (CVE-2022-30190) was identified where it is a Remote Code Execution (RCE) vulnerability found in the Microsoft Windows Support Diagnostic Tool (MSDT). The Chinese government-affiliated TA413 CN APT group was found exploiting this vulnerability since it was discovered, and initial attacks have been observed in the Philippines, Nepal, and India. This MSDT tool is typically used as a troubleshooting wizard (collecting and submitting system information to Microsoft Support) and is native to all versions of Microsoft Windows. This vulnerability allows attackers to execute PowerShell commands through the Microsoft Office documents without any Macros. The vulnerability is also exploitable in versions of Microsoft Office: 2013, 2016, 2019, 2021, Office ProPlus, and Office 365. According to Microsoft “A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.”
How It Works?
A nao_sec security researcher tweeted on May 27, 2022, that they had seen on VirusTotal a malicious Microsoft Word document. As per the tweet, the document appears to be invoking the MSDT tool with some parameters and attempting to execute some base64 encoded strings. The word document contains embedded code, which, in turn, calls an HTML file from an external source, which in favor executes more (malicious) code and prevents Microsoft Defender for Endpoints from identifying the threat.
Initial Access
MSDT tool is typically utilized by the applications such as MS Office documents for interacting and sharing the diagnostics information to the Microsoft. This Follina vulnerability allows remote code execution using the privileges of the calling process. An attacker can exploit this vulnerability to execute any arbitrary code. This vulnerability has been exploited in the wild using MS Office documents sent via email to execute malicious payloads (such as the Turian Backdoor and Cobalt Strike). Initially, a doc sample named “VIP Invitation to Doha Expo 2023.docx” (7c4ee39de1b67937a26c9bc1a7e5128b) was identified where it used WebDAV to download CobaltStrike.
Execution
Follina attacks involve loading an external HTML link that points to a malicious website. The most terrifying part of this vulnerability is that even when macros are disabled on a system, the “Protected View” feature can still be used to execute code under the security context of the user running the MS Office document. Furthermore, this vulnerability leverages the location.href and window.location.href HTML methods effectively.
Command And Control
After the user clicks the malicious document, a connection will be established with the host hxxp://141.98.215.99/color.html, which then serves a malicious document containing a malicious ms-msdt: command-invoking PowerShell script.
Obfuscation
After that, it attempts to locate a base64 encoded string in a RAR file, which came with the doc, and then copies that to C:\Users\public directory. The base64 encoding in the data makes it clear that svchosts.exe, which is the backdoor, was downloaded via MSDT URL PROTOCOL.
Execution
Decoding the string ‘TVNDRgAAAA,’ we can interpret it to ‘MSCF…’ upon doing a little research, we learned that these bytes are part of the magic bytes of a file format called Cabinet by Microsoft and saved to a file called 1.t. Then a file called rgb.exe is run, which could be the stage 2 payload, like a Remote Access Trojan, which could further aid in getting the victim under control.
Defense Evasion
The program attempts to run the command prompt in hidden mode and terminate the MSDT process to do some cleanup.
Impact
The Follina vulnerability has been detected in most Microsoft products. Follina’s impact is significant since it affects all forms of Microsoft Office – 2013, 2016, and 2019 – on all versions of currently supported Microsoft Windows operating systems – even Windows Server 2022! Over 1 billion devices are running Microsoft Office worldwide, making it the most popular productivity suite on Earth. Microsoft eventually acknowledged the threat and assigned CVE-2022-30190 for tracking purposes as other researchers realized the negative impact of this low-interaction vulnerability.
Mitigation
Microsoft has released workaround guidance to address a remote code execution (RCE) vulnerability—CVE-2022-30190, known as “Follina”—affecting the Microsoft Support Diagnostic Tool (MSDT) in Windows.
How to Defend Your Network from Zero-Day Vulnerabilities
Cyber security threats and Zero-day vulnerabilities are increasing at a tremendous pace. It is extremely difficult for cyber security analysts and incident responders to investigate and detect cyber security threats using conventional tools and techniques. NetSecurity’s ThreatResponder, with its diverse capabilities, can help your team detect the most advanced cyber threats, including APTs, zero-day attacks, rootkits, file-less malware, and ransomware attacks. It can also help automate incident response actions across millions of endpoints, making it easy, fast, and hassle-free.
Want to try our ThreatResponder, cutting-edge Endpoint Detection & Response (EDR), and ThreatResponder FORENSICS, the Swiss knife for forensic investigators in action? Click on the below button to request a free demo of our NetSecurity’s ThreatResponder platform.
Disclaimer
The page’s content shall be deemed proprietary and privileged information of NETSECURITY CORPORATION. It shall be noted that NETSECURITY CORPORATION copyrights the contents of this page. Any violation/misuse/unauthorized use of this content “as is” or “modified” shall be considered illegal and subjected to articles and provisions that have been stipulated in the General Data Protection Regulation (GDPR) and Personal Data Protection Law (PDPL).
