Researchers have discovered a new Microsoft Office zero-day vulnerability that is being used to carry out attacks in the wild. The zero-day has been dubbed Follina.
The attacks have been found to execute PowerShell commands via the Microsoft Diagnostic Tool (MSDT) packed into a simple Word Document.
The vulnerability was assigned a CVE tracking number today, CVE-2022-30190. Because the vulnerability is so new, the infosec community had been referring to it as “Follina” before the CVE number was assigned.
This zero-day gives attackers a critical new attack vector through Microsoft Office programs, which the majority of Windows PCs have installed. It works without admin privileges, bypasses Windows Defender detection, and does not require macros to be enabled in order to execute a script or executable file.
Microsoft Word Zero-day Discovered
On May 27th, Nao_sec came across a peculiar Word document, uploaded to VirusTotal from an IP address located in Belarus.
The researcher discovered that the document uses Word's remote template feature to retrieve an HTML file from a remote server. This is where MSDT comes into play: the HTML uses the ms-msdt MSProtocol URI scheme, which loads code and executes the PowerShell commands. Nao_sec tweeted the discovery along with the screenshot below of the obfuscated code:
Security researcher Kevin Beaumont was able to deobfuscate the code, which he found to be a command-line string that Microsoft Word executes through Microsoft's MSDT tool, even if macros are disabled in Word.
The PowerShell script above extracts a Base64-encoded file from a RAR archive to the Windows public TEMP directory and executes it. The extracted file is no longer available, so the purpose of this attack is not clear.
Beaumont states that this code runs even though macros are disabled in Word. Protected View will kick in, but if the document is converted to RTF, it can run via the preview pane in Windows Explorer without the document even being opened, which is concerning.
Zero-day (or Zero-click) reproduced in Microsoft Office 2021
Many security researchers have analyzed the file and the new attack vector, successfully reproducing the exploit on multiple versions of Office, including 2013, 2016, Office Pro Plus, 2019, and a patched version of Microsoft Office 2021.
Below is a YouTube video containing researcher Didier Stevens reproducing the zero-day.
In a separate analysis, researchers at the security company Huntress examined the exploit and provided more technical details on its inner workings.
They found that the remote HTML document fetched by the exploit originated from the domain “xmlformats[.]com,” which is no longer accessible.
The researchers also verified Beaumont's finding that an RTF document can deliver the payload without the user opening the file (just by selecting it). This is commonly known as a zero-click exploit.
Depending on the payload it delivers, attackers can use this exploit to reach remote locations on the victim's network.
This can allow the attacker to collect password hashes from the infected Windows machine for use in further malicious activity.
Detection is Challenging
Because the malicious code is loaded from the remote template, the Word document acting as the Trojan horse contains no malicious code itself. This makes it harder for antivirus vendors to detect the threat and allows the malicious Word document to fly under the radar for longer.
Huntress states that the only way to detect this attack vector is to monitor processes on the system, because the Follina payload creates a child process named “msdt.exe” under the Microsoft Office parent process.
“Additionally, the sdiagnhost.exe process will be spawned with a conhost.exe child and its subsequent payload processes” – Huntress
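The process-tree check Huntress describes, written out as an added example (this is not code from the article or from Huntress): it flags msdt.exe started by an Office process, conhost.exe started by sdiagnhost.exe, and, as a broader catch for the RTF preview-pane case, any msdt.exe launched through the ms-msdt: URI scheme. The record shape (Image, ParentImage, CommandLine) follows Sysmon Event ID 1; the sample records at the bottom are constructed, not real telemetry, and the Office process list is an assumption.

```powershell
# Added example, not code from the article or from Huntress. Checks process
# creation records for the parent/child relationships the article names.
# Record shape (Image, ParentImage, CommandLine) matches Sysmon Event ID 1.

# Assumed set of Office host processes worth treating as a suspicious parent.
$OfficeProcesses = @('winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe')

function Test-FollinaProcessChain {
    param([Parameter(Mandatory)] [object[]] $Records)

    foreach ($r in $Records) {
        # Split-Path -Leaf handles backslash paths regardless of platform
        $image  = (Split-Path -Path ([string]$r.Image) -Leaf).ToLowerInvariant()
        $parent = (Split-Path -Path ([string]$r.ParentImage) -Leaf).ToLowerInvariant()
        $rule   = $null

        if ($image -eq 'msdt.exe' -and $OfficeProcesses -contains $parent) {
            $rule = 'Office process spawned msdt.exe'
        }
        elseif ($image -eq 'conhost.exe' -and $parent -eq 'sdiagnhost.exe') {
            $rule = 'sdiagnhost.exe spawned conhost.exe'
        }
        elseif ($image -eq 'msdt.exe' -and ([string]$r.CommandLine) -match 'ms-msdt:') {
            # msdt.exe reached through the ms-msdt: URI scheme is worth a look
            # whatever the parent (covers the Explorer preview-pane path for RTF).
            $rule = 'msdt.exe launched via ms-msdt: URI'
        }

        if ($rule) {
            [pscustomobject]@{
                Rule        = $rule
                ParentImage = $r.ParentImage
                Image       = $r.Image
                CommandLine = $r.CommandLine
            }
        }
    }
}

# Live use on a host with Sysmon installed: pull Event ID 1 and map the EventData
# fields by name, which is stable across Sysmon versions (property indices are not).
function Get-SysmonProcessCreate {
    param([int] $MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Image       = $data['Image']
                ParentImage = $data['ParentImage']
                CommandLine = $data['CommandLine']
            }
        }
}

# Constructed sample records: the first three should be flagged, the last should not.
$SampleRecords = @(
    [pscustomobject]@{ Image = 'C:\Windows\System32\msdt.exe';    ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'; CommandLine = 'msdt.exe ms-msdt:/id <constructed>' }
    [pscustomobject]@{ Image = 'C:\Windows\System32\conhost.exe'; ParentImage = 'C:\Windows\System32\sdiagnhost.exe';                         CommandLine = '\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1' }
    [pscustomobject]@{ Image = 'C:\Windows\System32\msdt.exe';    ParentImage = 'C:\Windows\explorer.exe';                                    CommandLine = 'msdt.exe ms-msdt:/id <constructed>' }
    [pscustomobject]@{ Image = 'C:\Windows\System32\msdt.exe';    ParentImage = 'C:\Windows\System32\control.exe';                            CommandLine = 'msdt.exe -path <constructed>' }
)

Test-FollinaProcessChain -Records $SampleRecords | Format-Table -AutoSize
# On a Sysmon host:  Test-FollinaProcessChain -Records (Get-SysmonProcessCreate) | Format-Table -AutoSize
```

The third rule is deliberately broader than the Huntress description: msdt.exe has legitimate launches from Control Panel and the Settings app, but those do not arrive through a ms-msdt: URI, so the URI match keeps false positives low while still covering the preview-pane case where Explorer, not Office, is the parent.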
For businesses relying on Microsoft Defender's Attack Surface Reduction (ASR) rules, Huntress advises enabling the “Block all Office applications from creating child processes” rule, which prevents the Follina exploit.
Another mitigation, recommended by Stevens, is to remove the file type association for ms-msdt so that Office cannot call Microsoft's Diagnostic Tool when the malicious document is opened.
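Both mitigations applied from an elevated PowerShell prompt, as an added example that is not code from the article, Huntress or Stevens. The ASR rule GUID is Microsoft's published identifier for the “Block all Office applications from creating child processes” rule; the backup file path is an assumption, and the registry export gives you a rollback once the vendor patch is installed.

```powershell
# Added example, not code from the article, Huntress or Stevens. Applies the two
# mitigations described above and keeps a rollback for the registry change.
# Run from an elevated PowerShell prompt on the endpoint.

# 1. Defender ASR: "Block all Office applications from creating child processes".
#    The GUID is Microsoft's published identifier for this rule. Use AuditMode on a
#    pilot group first if you need to gauge breakage before switching to Enabled.
$AsrOfficeChildProcesses = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrOfficeChildProcesses `
                 -AttackSurfaceReductionRules_Actions Enabled

# Confirm the rule is present and enabled (Actions: 1 = Block, 2 = Audit, 0 = Disabled).
$pref = Get-MpPreference
$pref.AttackSurfaceReductionRules_Ids
$pref.AttackSurfaceReductionRules_Actions

# 2. Remove the ms-msdt handler (the association the article refers to) so Office
#    cannot hand a ms-msdt: URI to the Diagnostic Tool. Export the key first so it
#    can be restored after patching. Backup path is an assumption; adjust as needed.
$backup = Join-Path $env:ProgramData 'ms-msdt-backup.reg'
reg export HKEY_CLASSES_ROOT\ms-msdt $backup /y
reg delete HKEY_CLASSES_ROOT\ms-msdt /f

# Verify: the key should no longer exist.
Test-Path 'Registry::HKEY_CLASSES_ROOT\ms-msdt'   # expected: False

# Rollback once the patch is installed:
# reg import $backup
```

Removing the handler disables the Diagnostic Tool's troubleshooter links system-wide, not just for Office, so keep the exported .reg file and re-import it after the patch rather than leaving the key deleted indefinitely.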
Originally Reported to Microsoft in April
Researchers state that Follina was originally discovered and reported to Microsoft in April.
According to members of the infosec group Shadow Chasers, a team of college students who hunt and analyze advanced persistent threats (APTs), they had reported the vulnerability to Microsoft, but it was dismissed as “not a security related issue.”
Then, on April 12 of this year, Microsoft marked the vulnerability as fixed (tracked as VULN-065524) and classified it as “This issue has been fixed.”
Update 06/1/2022 – A Python script has been released by JohnHammond on GitHub allowing the public to test this new attack vector. A malicious Microsoft Word document carrying the Follina exploit can now be generated simply by running a Python script.
Video of the script in action: