Remote Code Execution
Since no patch is available, it is recommended to follow the workarounds provided by Microsoft.
CloudSEK’s Threat Research team has analyzed the 0-day vulnerability that has been dubbed Follina and assigned CVE-2022-30190. The attack vector and the vulnerability closely resemble CVE-2021-40444.
- CVE-2022-30190 has been dubbed Follina because the original exploit file references the number 0438, which is the area code of Follina in Italy.
- It is a remote code execution (RCE) vulnerability with zero-click vectors publicly available. Hence it is easy to exploit and can have a high impact on victims.
- This vulnerability/attack vector does not rely on macros, which is what makes it even more dangerous, since macros are now sandboxed and disabled by default. This attack vector only requires opening the malicious document, without enabling anything.
- Contrary to popular belief, this attack vector has been out in the open for 2 years. The exploitation of ms-msdt has been detailed in this research paper.
CloudSEK’s Threat Research team has identified that the Follina vulnerability was being exploited before the recent advisory and workarounds from Microsoft.
- In April 2022, crazyman_army highlighted the active exploitation of CVE-2022-30190. The vector was even reported to Microsoft but was not considered a valid issue.
- This issue was identified again by Nao_sec in May 2022. While researching possible exploitation attempts for CVE-2021-40444, Nao_sec stumbled on a file that used an ms-msdt payload to invoke PowerShell and execute commands, but which VirusTotal flagged as CVE-2017-0199. This sample was used to create PoC exploits, and since then Follina has gained significant public attention.
- The same attack vector was discovered in 2020 and has been out in the open for 2 years.
CloudSEK has already identified chatter on dark web forums discussing the usage of publicly available PoCs to bypass sandboxes and EDRs.
Threat actors and APT groups are quick to discover and exploit vulnerabilities in popular services. In this case, the low complexity of the attack vector made it an especially attractive target. The Chinese threat group TA413 has already started exploiting this vulnerability by impersonating the “Women Empowerment Desk” of the Central Tibetan Administration, as highlighted by the image below:
On dark web and cybercrime forums, multiple threat actors are:
- Discussing the Follina vulnerability and possible exploitation methods.
- Selling mass exploiters for the CVE.
To check for exploitation attempts, look in the following registry key for any suspicious domains that the Office application reached out to: HKEY_USERS\<SID>\SOFTWARE\Microsoft\Office\16.0\Common\Internet\Server Cache. The IP address and port data listed under this key show the external connections made by the Office application.
The vulnerability involves sending a Microsoft Office document to the victim. Opening the document starts WINWORD.EXE, which has an external reference to a malicious URI: xmlformats.com (this has since been taken down).
Attackers can use their own command and control servers by modifying the following file: word/_rels/document.xml.rels.
Once the attacker has modified the URI, the document, when opened, reaches out to the attacker’s C2 server and fetches malicious code which invokes PowerShell.
The original sample fetched the following file:
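Because the external reference lives in word/_rels/document.xml.rels, a defender can triage suspicious .docx files offline by unpacking the zip container and listing every relationship whose TargetMode is External. The following Python script is an added example written for this article, not CloudSEK’s tooling; the sample relationship XML it scans is constructed for the demonstration, and the target domains in it are placeholders rather than indicators from any real sample.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

RELS_PATH = "word/_rels/document.xml.rels"
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

# Constructed sample of a document.xml.rels part: one normal internal part,
# one ordinary hyperlink, and one OLE object pulled from a remote URL.
# The domains are placeholders, not indicators from any real document.
SAMPLE_RELS = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://example.invalid/" TargetMode="External"/>
  <Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="http://c2.example.invalid/payload.html" TargetMode="External"/>
</Relationships>"""


def find_external_rels(rels_xml: bytes):
    """Return (rel_id, type_suffix, target) for every External relationship."""
    root = ET.fromstring(rels_xml)
    hits = []
    for rel in root.findall(f"{{{RELS_NS}}}Relationship"):
        if rel.get("TargetMode", "Internal").lower() != "external":
            continue
        # The Type attribute is a long URI; only its last path segment matters here.
        rtype = rel.get("Type", "").rsplit("/", 1)[-1]
        hits.append((rel.get("Id"), rtype, rel.get("Target", "")))
    return hits


def classify(hits):
    """Assign a severity to each external relationship for analyst triage."""
    findings = []
    for rel_id, rtype, target in hits:
        scheme = target.split(":", 1)[0].lower() if ":" in target else ""
        if scheme == "ms-msdt":
            sev, why = "high", "target uses the ms-msdt: URI scheme"
        elif rtype == "oleObject" and scheme in ("http", "https"):
            sev, why = "high", "OLE object loaded from a remote URL"
        elif rtype == "hyperlink":
            sev, why = "info", "ordinary external hyperlink"
        else:
            sev, why = "medium", f"external target of type {rtype}"
        findings.append({"id": rel_id, "type": rtype, "target": target,
                         "severity": sev, "reason": why})
    return findings


def scan_docx_bytes(data: bytes):
    """Scan an in-memory .docx (a zip container) and return the findings."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if RELS_PATH not in zf.namelist():
            return []
        return classify(find_external_rels(zf.read(RELS_PATH)))


def scan_docx(path: str):
    with open(path, "rb") as fh:
        return scan_docx_bytes(fh.read())


if __name__ == "__main__":
    # Build a minimal container around the constructed rels part and scan it.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(RELS_PATH, SAMPLE_RELS)
    for f in scan_docx_bytes(buf.getvalue()):
        print(f"{f['severity']:6} {f['id']:5} {f['type']:12} {f['target']} ({f['reason']})")
```

Run it against a directory of quarantined attachments with scan_docx; anything rated high is worth correlating with the Server Cache registry key and the process tree before the user is allowed to open it.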
If the downloaded file does not contain 4096 bytes of data, the msdt child process prompts the user for a password. This is why the file is padded with redundant comments.
The WINWORD.EXE process then starts the child process msdt.exe. MSDT is then used to invoke PowerShell and run a base64-encoded command, which is:
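The process chain described above (an Office host spawning msdt.exe, which in turn runs PowerShell with an encoded command) is the most reliable thing to hunt for in endpoint telemetry. The script below is an added example written for this article, not CloudSEK’s detection content; it runs over constructed process-creation records in the shape a Sysmon-style log would give you (pid, ppid, image, command line), flags the chain, and decodes the -EncodedCommand argument so an analyst can read what was run. The encoded command in the sample is a harmless constructed string, and the msdt arguments are omitted on purpose.

```python
import base64
import os
import re

# Office hosts we treat as suspicious parents of msdt.exe (constructed list).
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENCODED_ARG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en[a-z]*)\s+([A-Za-z0-9+/=]+)")

# Constructed sample telemetry. The encoded command is "Write-Host hello".
_SAMPLE_B64 = base64.b64encode("Write-Host hello".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "WINWORD.EXE invoice.docx"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\msdt.exe",
     "cmdline": "msdt.exe <arguments omitted in this example>"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -NoProfile -EncodedCommand {_SAMPLE_B64}"},
    # Benign: PowerShell started from Explorer, no msdt.exe in its ancestry.
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe"},
]


def _name(image: str) -> str:
    """Lower-cased file name of an image path, tolerating Windows separators."""
    return os.path.basename(image.replace("\\", "/")).lower()


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand script (UTF-16LE), or None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def ancestors(event, by_pid, max_depth=8):
    """Yield parent, grandparent, ... as far as the telemetry allows."""
    cur = event
    for _ in range(max_depth):
        cur = by_pid.get(cur["ppid"])
        if cur is None:
            return
        yield cur


def detect_msdt_chain(events):
    """Flag Office -> msdt.exe and any PowerShell descended from msdt.exe."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name = _name(e["image"])
        parent = by_pid.get(e["ppid"])
        if name == "msdt.exe" and parent and _name(parent["image"]) in OFFICE_IMAGES:
            alerts.append({"rule": "office_spawned_msdt", "pid": e["pid"],
                           "parent": _name(parent["image"])})
        if name in ("powershell.exe", "pwsh.exe") and any(
                _name(a["image"]) == "msdt.exe" for a in ancestors(e, by_pid)):
            alerts.append({"rule": "powershell_under_msdt", "pid": e["pid"],
                           "decoded": decode_encoded_command(e["cmdline"])})
    return alerts


if __name__ == "__main__":
    for alert in detect_msdt_chain(SAMPLE_EVENTS):
        print(alert)
```

Walking the full ancestry rather than only the direct parent keeps the PowerShell rule working when an intermediate process sits between msdt.exe and the shell; the decoded script is what you pivot on to identify the dropped executable and its download location.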
Here the threat actor is trying to execute the final payload via the command line. The contents of rgb.exe are not currently known. However, in the wild, threat actors are dropping Cobalt Strike payloads, stealers, loaders, and other malware via encoded PowerShell commands. Hence our best assumption is that rgb.exe is one of the payloads illustrated above.
Threat Actors can now utilize the command running capability to laterally move through the victim’s infrastructure or to escalate privileges and drop ransomware, or to maintain persistence.
The screenshot is from the research paper that highlights the ms-msdt issue.