
Microsoft Office Zero-day “Follina” Allows Attackers to Execute PowerShell Scripts

Kyle by Kyle
May 31, 2022 - Updated on June 2, 2022
in Exploits
Microsoft Office zero-day exploit CVE-2022-30190

Researchers have discovered a new Microsoft Office zero-day vulnerability that is being used to carry out attacks in the wild. The zero-day has been dubbed Follina.


The attacks execute PowerShell commands via the Microsoft Diagnostic Tool (MSDT), triggered from a simple Word document.

The vulnerability was assigned a CVE tracking number today, CVE-2022-30190. Because the vulnerability is so new, the infosec community had been referring to it as “Follina” before the CVE number was assigned.

This zero-day gives attackers a new critical attack vector through Microsoft Office programs, which the majority of Windows PCs have installed. The exploit works without admin privileges, bypasses Windows Defender detection, and does not require macros to be enabled in order to execute a script or executable file.

Microsoft Word Zero-day Discovered

On May 27th, Nao_sec came across a peculiar Word document, uploaded to VirusTotal from an IP address located in Belarus.

The researcher discovered that the document uses Word's remote template feature to retrieve an HTML file from a remote server. That HTML file is where MSDT comes into play: it invokes the ms-msdt MSProtocol URI scheme, which loads the embedded code and executes the PowerShell commands. Nao_sec tweeted the discovery along with the screenshot below of the obfuscated code:

CVE-2022-30190 aka Follina obfuscated code

Security researcher Kevin Beaumont deobfuscated the code and found it to be a command-line string that Microsoft Word executes through the MSDT tool, even when macro scripts are disabled in Word.

Deobfuscated CVE-2022-30190 payload
Deobfuscated payload, source: Kevin Beaumont

The PowerShell script above extracts a Base64 encoded file from a RAR archive file to the Windows public TEMP directory and executes it. The extracted file is no longer available, so it’s not clear what the purpose of this attack was.

Beaumont states that this code runs even with macros disabled in Word. Protected View will kick in for a normal document, but if the document is converted to RTF form it can run via the preview pane in Windows Explorer without the document even being opened, which is concerning.

Zero-day (or Zero-click) reproduced in Microsoft Office 2021

Many security researchers have analyzed the file and the new attack vector, successfully reproducing the exploit on multiple versions of Office including 2013, 2016, Office Pro Plus, 2019, and a patched version of Microsoft Office 2021.

CVE-2022-30190 being confirmed in Microsoft Office 2019 Zero-day

Below is a YouTube video of researcher Didier Stevens reproducing the zero-day.

In another analysis, researchers at the security company Huntress examined the exploit and provided more technical details on its inner workings.

They found that the remote HTML document accessed by the exploit was served from the domain “xmlformats[.]com,” which is no longer accessible.

The researchers also verified Beaumont’s finding that an RTF document can deliver the payload without the user opening the file (merely selecting the file is enough). This is commonly known as a zero-click exploit.

Follina Zero-Click Exploit
Follina Zero-Click Exploit executed with RTF document, source: Huntress

Depending on the payload delivered by the exploit, attackers can use it to reach remote locations on the victim’s network.

This can allow the attacker to collect password hashes from the infected Windows machine, which can then be used for further malicious activity.

Windows password hashes pulled using the Follina Zero-click exploit
Password hashes pulled using the exploit

Detection is Challenging

Because the malicious code is loaded from the remote template, the Word document acting as a Trojan horse contains no actual malicious code itself. This makes it harder for antivirus companies to detect the threat, allowing the malicious Word document to fly under the radar longer.

Huntress states that the only way to detect this attack vector is to monitor processes on the system, because the Follina payload creates a child process named “msdt.exe” under the Microsoft Office parent process.

“Additionally, the sdiagnhost.exe process will be spawned with a conhost.exe child and its subsequent payload processes” – Huntress
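As an added example (not code from the article or from Huntress), the following PowerShell script turns the process chain described above into a simple detection: it flags process-creation events in which an Office application spawns msdt.exe, or sdiagnhost.exe spawns conhost.exe. The sample events are constructed here to stand in for Sysmon Event ID 1 data; the list of Office parent executables and the helper names are assumptions of this example. The last function reads the same fields from a real Sysmon log on a host that has Sysmon installed.

```powershell
# Added example, not from the article or Huntress. Office executable names are an assumption.
$OfficeParents = @('winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe')

function Test-FollinaProcessChain {
    # Returns a reason string when the parent/child pair matches the chain the article describes.
    param(
        [Parameter(Mandatory)] [string] $ParentImage,
        [Parameter(Mandatory)] [string] $Image
    )
    $parent = [System.IO.Path]::GetFileName($ParentImage).ToLowerInvariant()
    $child  = [System.IO.Path]::GetFileName($Image).ToLowerInvariant()

    if ($child -eq 'msdt.exe' -and $OfficeParents -contains $parent) {
        return 'Office application spawned msdt.exe'
    }
    if ($child -eq 'conhost.exe' -and $parent -eq 'sdiagnhost.exe') {
        return 'sdiagnhost.exe spawned conhost.exe'
    }
    return $null
}

function Find-FollinaProcessChains {
    # Accepts objects with ProcessId, Image, ParentImage and CommandLine properties.
    param([Parameter(Mandatory, ValueFromPipeline)] [psobject] $Event)
    process {
        $reason = Test-FollinaProcessChain -ParentImage $Event.ParentImage -Image $Event.Image
        if ($reason) {
            [pscustomobject]@{
                Reason      = $reason
                ProcessId   = $Event.ProcessId
                Image       = $Event.Image
                ParentImage = $Event.ParentImage
                CommandLine = $Event.CommandLine
            }
        }
    }
}

# Constructed sample events (not captured from a real incident).
$SampleEvents = @(
    [pscustomobject]@{ ProcessId = 4120; Image = 'C:\Windows\System32\msdt.exe'
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        CommandLine = 'msdt.exe <constructed arguments>' }
    [pscustomobject]@{ ProcessId = 4188; Image = 'C:\Windows\System32\conhost.exe'
        ParentImage = 'C:\Windows\System32\sdiagnhost.exe'
        CommandLine = '\??\C:\Windows\system32\conhost.exe 0x4' }
    [pscustomobject]@{ ProcessId = 5000; Image = 'C:\Windows\System32\msdt.exe'
        ParentImage = 'C:\Windows\explorer.exe'
        CommandLine = 'msdt.exe' }   # troubleshooter launched by a user from Explorer: not flagged
)

$SampleEvents | Find-FollinaProcessChains | Format-Table -AutoSize

# On a live host with Sysmon installed, feed real Event ID 1 records through the same filter.
# Fields are read from the event XML by name rather than by position.
function Get-SysmonProcessCreateEvents {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -ErrorAction Stop |
        ForEach-Object {
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            [pscustomobject]@{
                ProcessId   = ($data | Where-Object Name -eq 'ProcessId').'#text'
                Image       = ($data | Where-Object Name -eq 'Image').'#text'
                ParentImage = ($data | Where-Object Name -eq 'ParentImage').'#text'
                CommandLine = ($data | Where-Object Name -eq 'CommandLine').'#text'
            }
        }
}
# Get-SysmonProcessCreateEvents | Find-FollinaProcessChains
```

Running the script as written prints the first two constructed events and leaves the third alone, since a user launching the troubleshooter from Explorer does not match the Office-parent condition. The same parent/child test maps directly onto a SIEM query over process-creation telemetry.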

For businesses relying on Microsoft Defender’s Attack Surface Reduction (ASR) rules, Huntress advises enabling the rule “Block all Office applications from creating child processes”, which prevents the Follina exploit.

Another mitigation recommended by Stevens is to remove the file type association for ms-msdt, so that Office cannot call Microsoft’s Diagnostic Tool when the malicious document is opened.
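The two mitigations above, as an added PowerShell example (not code from the article, Huntress or Stevens) to be run from an elevated prompt. The ASR rule GUID is Microsoft's published identifier for the “Block all Office applications from creating child processes” rule and is not quoted in the article; the function names and the backup file location are assumptions of this example. The ms-msdt handler key is exported before it is deleted so that it can be restored once a vendor fix is applied.

```powershell
# Added example, not from the article. Run as Administrator.

# 1. Microsoft Defender ASR rule "Block all Office applications from creating child processes".
#    GUID is Microsoft's published rule identifier (not taken from the article).
$OfficeChildProcessRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

function Enable-OfficeChildProcessBlock {
    # Start in AuditMode to see what would be blocked, then switch to Enabled.
    param([ValidateSet('Enabled', 'AuditMode')] [string] $Action = 'AuditMode')
    Add-MpPreference -AttackSurfaceReductionRules_Ids $OfficeChildProcessRule `
                     -AttackSurfaceReductionRules_Actions $Action

    # Read the setting back and return the configured action (1 = Enabled/Block, 2 = AuditMode).
    $prefs = Get-MpPreference
    for ($i = 0; $i -lt $prefs.AttackSurfaceReductionRules_Ids.Count; $i++) {
        if ($prefs.AttackSurfaceReductionRules_Ids[$i] -ieq $OfficeChildProcessRule) {
            return $prefs.AttackSurfaceReductionRules_Actions[$i]
        }
    }
    return $null
}

# 2. Remove the ms-msdt: protocol handler so Office cannot hand a URI to MSDT.
function Disable-MsdtProtocolHandler {
    param([string] $BackupPath = "$env:ProgramData\ms-msdt-backup.reg")   # assumed location
    $key = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
    if (-not (Test-Path $key)) {
        Write-Output 'ms-msdt handler already absent'
        return
    }
    # Export first; refuse to delete if the backup did not succeed.
    & reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupPath /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup to $BackupPath failed; handler not removed" }
    Remove-Item -Path $key -Recurse -Force
    Write-Output "ms-msdt handler removed; backup written to $BackupPath"
}

function Restore-MsdtProtocolHandler {
    # Re-imports the exported key once a vendor patch makes the workaround unnecessary.
    param([string] $BackupPath = "$env:ProgramData\ms-msdt-backup.reg")
    if (-not (Test-Path $BackupPath)) { throw "No backup found at $BackupPath" }
    & reg.exe import $BackupPath
}

Enable-OfficeChildProcessBlock -Action AuditMode
Disable-MsdtProtocolHandler
```

The ASR rule is the broader control, since it covers any child process an Office application tries to start, not only msdt.exe; the registry change is the narrower, immediately reversible workaround for this specific handler.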

Originally Reported to Microsoft in April

Researchers state that Follina was originally discovered and reported to Microsoft in April.

According to members of the infosec group Shadow Chasers, a team of college students who hunt and analyze advanced persistent threats (APTs), they had reported the vulnerability to Microsoft, but it was dismissed as “not a security related issue.”

Microsoft’s reply to the vulnerability submission

Then, on April 12 of this year, Microsoft marked the vulnerability as fixed (tracked as VULN-065524), closing the report with the status “This issue has been fixed.”


Update 06/1/2022 – A Python script has been released by JohnHammond on GitHub allowing the public to test this new attack vector. A malicious Microsoft Word document carrying the Follina exploit can now be generated simply by running a Python script.

Video of the script in action:

Source: Kevin Beaumont
Tags: powershell, zero day, Zero-click