The Cybereason Global Security Operations Center (SOC) issues Cybereason Threat Alerts to inform customers of emerging, high-impact threats. The Alerts summarize these threats and provide practical recommendations for protecting against them.
The Cybereason team is investigating a Microsoft Office code execution vulnerability that was first observed in the wild, uploaded from an IP address in Belarus.
Our investigation showed that the observed sample delivered malware without requiring the victim to enable macro execution. This vulnerability, dubbed Follina, is very likely to be mass-exploited.
Microsoft has identified this vulnerability as CVE-2022-30190 and released appropriate guidance.
This section describes the different processes we observed taking part in exploitation of the Follina vulnerability. The following diagram represents the overall malicious activity seen in a Follina exploitation chain:
Follina is exploited through the execution of a customized Microsoft Word file:
Follina leverages the Microsoft Word remote template feature to download an HTML file, which then uses the “ms-msdt” URL scheme to execute PowerShell. The winword.exe process will thus generate network connections.
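The remote reference that makes this chain start is recorded statically in the document itself, so it can be triaged before the file is ever opened. The following checker is an added example and is not Cybereason's code: a .docx is a zip archive whose relationship parts (word/_rels/*.rels) record where each referenced resource lives, and a remote template or other externally fetched object appears there as a Relationship with TargetMode="External" and an http(s) Target. The alert names document.xml.rels; since a template attached through Word's own feature is referenced from settings.xml.rels, the checker walks every relationship part under word/_rels/ and reports each external host. The sample document is constructed in memory with a placeholder host and no exploit content, so the check runs offline.

```python
"""Static triage of an OpenXML (.docx) document for external http(s) references.

Added example for the remote-template behaviour described in the alert; not
Cybereason's code. The sample document built below is constructed (placeholder
host, no exploit content).
"""
from __future__ import annotations

import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)


def external_references(docx_bytes: bytes) -> list[dict]:
    """Return every external http(s) relationship found under word/_rels/*.rels."""
    findings: list[dict] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as archive:
        rels_parts = [n for n in archive.namelist()
                      if n.startswith("word/_rels/") and n.endswith(".rels")]
        for part in rels_parts:
            root = ET.fromstring(archive.read(part))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                parsed = urlparse(rel.get("Target", ""))
                if parsed.scheme.lower() not in ("http", "https"):
                    continue
                rel_type = rel.get("Type", "")
                findings.append({
                    "part": part,
                    "id": rel.get("Id"),
                    "type": rel_type.rsplit("/", 1)[-1],  # e.g. attachedTemplate, oleObject
                    "host": parsed.hostname,
                    "remote_template": rel_type == ATTACHED_TEMPLATE,
                })
    return findings


def build_sample_docx(template_url: str | None) -> bytes:
    """Constructed minimal .docx containing only the parts this check reads.

    With template_url set, settings.xml.rels carries an external attachedTemplate
    relationship (the remote-template pattern); with None the document is clean.
    """
    doc_rels = (
        f'<Relationships xmlns="{RELS_NS}">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
        'officeDocument/2006/relationships/styles" Target="styles.xml"/>'
        "</Relationships>"
    )
    settings_rels = f'<Relationships xmlns="{RELS_NS}">'
    if template_url:
        settings_rels += (f'<Relationship Id="rId2" Type="{ATTACHED_TEMPLATE}" '
                          f'Target="{template_url}" TargetMode="External"/>')
    settings_rels += "</Relationships>"

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/settings.xml", "<settings/>")
        z.writestr("word/_rels/document.xml.rels", doc_rels)
        z.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder host constructed for this example; not an observed C2 domain.
    sample = build_sample_docx("http://remote-template.example.invalid/template.html")
    for f in external_references(sample):
        print(f"{f['part']}: {f['type']} -> {f['host']} (remote template: {f['remote_template']})")
```

A clean document yields an empty list; a hit tells the analyst which relationship part, which relationship type and which host Word would contact on open, which is exactly the network connection from winword.exe that the alert describes.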
The following C2 domains were observed used as an external reference (in document.xml.rels for OpenXML files) in known malicious samples:
As a result of the HTML file downloading and parsing, winword.exe spawns a msdt.exe child process that contains the malicious payload:
"C:\WINDOWS\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=cal?c IT_LaunchMethod=ContextMenu IT_SelectProgram=NotListed IT_BrowseForFile=h$([Powershell Code])'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe IT_AutoTroubleshoot=ts_AUTO"
In the command line, the malicious PowerShell code starts after the “IT_BrowseForFile” parameter. It is important to note that exploitation is not necessarily limited to winword.exe: other Microsoft Office products such as Outlook and Excel can also be affected:
As a result of the creation of the msdt.exe process, the sdiagnhost.exe process is created within less than a second, with svchost.exe as its parent process. sdiagnhost.exe executes the PowerShell code, so any process created from that PowerShell will have sdiagnhost.exe as its parent process:
The vulnerability has already been reproduced and can be leveraged to execute actions on the vulnerable machines.
Finally, the attack surface of the MS protocol handlers in Office is wider than the “ms-msdt” protocol and could be leveraged for new attacks in the future. The Cybereason team therefore advises focusing on the detection of malicious processes spawned as children of Microsoft Office-related processes.
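The process chain described above (winword.exe spawning msdt.exe, then sdiagnhost.exe under svchost.exe running the PowerShell and spawning its children) and the detection advice just given, as an added example that is not Cybereason's code. It runs over constructed process-creation events with Sysmon-style fields (pid, parent pid, image path, command line) and applies three checks drawn from this alert: an Office process spawning msdt.exe or another script host; an msdt.exe command line that invokes ms-msdt: and carries a PowerShell subexpression or path traversal in the IT_BrowseForFile parameter; and sdiagnhost.exe spawning a script host. The PowerShell inside IT_BrowseForFile is replaced by a placeholder, and the process names in OFFICE_IMAGES and SCRIPT_HOSTS are the author's choice of allow/deny sets, not values from the alert.

```python
"""Process-tree detection for the Follina chain described in the alert.

Added example, not Cybereason's code. Events are constructed, Sysmon-style
process-creation records; the PowerShell payload is a placeholder.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

OFFICE_IMAGES = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Value of IT_BrowseForFile= up to the next IT_<name>= parameter or the end of the line.
_BROWSE_RE = re.compile(r'IT_BrowseForFile=(.*?)(?=\s+IT_[A-Za-z]+=|\s*"?\s*$)', re.S)


@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def image_name(path: str) -> str:
    """Lower-cased file name of an image path (Windows or POSIX separators)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def browse_for_file_value(cmdline: str) -> str:
    m = _BROWSE_RE.search(cmdline)
    return m.group(1) if m else ""


def msdt_payload_indicators(cmdline: str) -> list[str]:
    """Indicators in an msdt.exe command line; an empty list means nothing found."""
    if "ms-msdt:" not in cmdline.lower():
        return []
    value = browse_for_file_value(cmdline)
    indicators = []
    if "$(" in value:                      # PowerShell subexpression smuggled into a "path"
        indicators.append("powershell_subexpression")
    if "../" in value or "..\\" in value:  # traversal to a benign binary (mpsigstub.exe)
        indicators.append("path_traversal")
    return indicators


def detect(events: list[ProcessEvent]) -> list[dict]:
    """Apply the three Follina process-tree checks to a batch of events."""
    by_pid = {e.pid: e for e in events}
    alerts: list[dict] = []

    def alert(rule: str, e: ProcessEvent, parent_name: str, detail: str = "") -> None:
        alerts.append({"rule": rule, "pid": e.pid, "image": image_name(e.image),
                       "parent": parent_name, "detail": detail})

    for e in events:
        child = image_name(e.image)
        parent = by_pid.get(e.ppid)
        parent_name = image_name(parent.image) if parent else ""
        if parent_name in OFFICE_IMAGES and child == "msdt.exe":
            alert("office_spawns_msdt", e, parent_name)
        elif parent_name in OFFICE_IMAGES and child in SCRIPT_HOSTS:
            alert("office_spawns_script_host", e, parent_name)
        if child == "msdt.exe":
            ind = msdt_payload_indicators(e.cmdline)
            if ind:
                alert("msdt_follina_payload", e, parent_name, ",".join(ind))
        if parent_name == "sdiagnhost.exe" and child in SCRIPT_HOSTS:
            alert("sdiagnhost_spawns_script_host", e, parent_name)
    return alerts


# Constructed sample telemetry mirroring the chain in the alert (placeholder payload).
MSDT_CMDLINE = (
    r'"C:\WINDOWS\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param '
    r'"IT_RebrowseForFile=cal?c IT_LaunchMethod=ContextMenu IT_SelectProgram=NotListed '
    r'IT_BrowseForFile=h$(PLACEHOLDER_POWERSHELL)i/../../../../../../../../../../../../'
    r'../../Windows/System32/mpsigstub.exe IT_AutoTroubleshoot=ts_AUTO"'
)
SAMPLE_EVENTS = [
    ProcessEvent(1000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcessEvent(2000, 1000, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 "WINWORD.EXE /n invoice.docx"),
    ProcessEvent(2100, 2000, r"C:\WINDOWS\system32\msdt.exe", MSDT_CMDLINE),
    ProcessEvent(800, 1, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    ProcessEvent(2200, 800, r"C:\Windows\System32\sdiagnhost.exe", "sdiagnhost.exe -Embedding"),
    ProcessEvent(2300, 2200, r"C:\Windows\System32\cmd.exe", "cmd.exe /c calc.exe"),
    ProcessEvent(3000, 1000, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 "EXCEL.EXE"),  # benign Office launch, must not alert
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
```

The first and third checks are the durable ones: they do not depend on the ms-msdt scheme and continue to fire if another MS protocol handler is abused the same way, which is why the alert recommends watching Office child processes rather than a single URL scheme. The sdiagnhost.exe check is separate because, as described above, the payload's children do not have winword.exe anywhere in their ancestry.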
The Cybereason XDR Platform detects and prevents the Follina vulnerability in Microsoft products. Cybereason recommends the following:
Loïc Castel is a Principal Security Analyst with the Cybereason Global SOC team. Loïc analyses and researches critical incidents and cybercriminals, in order to better detect compromises. In his career, Loïc worked as a security auditor in well-known organizations such as ANSSI (French National Agency for the Security of Information Systems) and as Lead Digital Forensics & Incident Response at Atos. Loïc loves digital forensics and incident response, but is also interested in offensive aspects such as vulnerability research.