State-backed hackers exploiting new Microsoft Office zero-day bug

Microsoft Follina bug exploited to target entities in Europe and US

Microsoft Office vulnerability exploited: threat actors can abuse the bug because the document itself carries nothing that is flagged as malicious

Threat actors possibly linked to state-aligned groups have been running attacks that exploit the Microsoft Office vulnerability known as Follina. The campaigns target government entities in Europe and the United States.[1] Security researchers disclosed the zero-day flaw, which is used in attacks to execute malicious PowerShell commands through the Microsoft Support Diagnostic Tool (MSDT).[2] Exploitation requires nothing more than the target opening the Word document.

The flaw was named Follina and is tracked as CVE-2022-30190. It is leveraged through malicious Word documents that trigger the PowerShell commands. It opens a new critical attack vector in Microsoft Office programs because it works without elevated privileges, has bypassed Windows Defender detections, and does not require macros to be enabled in order to run scripts or execute binary code.[3]

The remote code execution flaw has a CVSS score of 7.8. Research revealed that at least 1,000 phishing messages carrying the lure for the malicious document were sent to various targets, and the payload was downloaded a handful of times from a single IP address, as researchers[4] report:

This campaign masqueraded as a salary increase and utilized an RTF with the exploit payload

Accidental discovery on VirusTotal

The vulnerability was discovered when security researchers found a malicious Word document submitted to the VirusTotal platform. They were hunting for a different exploit at the time, but the sample turned out to be a file that abuses the ms-msdt URI scheme to execute PowerShell.

The payload takes the form of a PowerShell script. The Base64-encoded script acts as a downloader for a second PowerShell script hosted on a remote server. That second script can check for virtual machines and steal data from local browsers, mail clients, and file servers.

Researchers report that the malicious Word document uses the remote template feature, so an HTML file is fetched from a remote server when the document is opened. The code in that HTML then uses the ms-msdt URI protocol handler to load further code. Microsoft Office's Protected View feature is designed to warn about files from potentially unsafe locations, and it does show those warnings here; the warning can be bypassed, however, by converting the document to a Rich Text Format (RTF) file, in which case the obfuscated code runs without the document even being opened.
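The two static indicators in this chain, a document part that pulls a remote resource at open time and an HTML page that invokes the ms-msdt: scheme, can be checked without opening the file in Office. The script below is an added example for this article, not the researchers' tooling: a .docx is a ZIP of XML parts, so it walks every `.rels` part for relationships with `TargetMode="External"`, keeps those of a type Office loads automatically (an OLE object or attached template, as opposed to a hyperlink that only fires on click), and separately extracts ms-msdt: URIs from HTML. The sample document, its URL and the HTML `/param` value are constructed placeholders.

```python
"""Static triage for the Follina delivery chain described above.

Example code added to this article; it is not the researchers' tooling. Two checks:
(1) a Word document (.docx is a ZIP of XML parts) whose relationship files point
at an external URL through a part that Office loads at open time, and
(2) an HTML page that invokes the ms-msdt: URI scheme. The sample document and
HTML are constructed here; the URL and parameter value are placeholders."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# Relationship types that make Office fetch and load the target when the document
# opens. Hyperlinks are also TargetMode="External" but only fire on click.
REMOTE_LOAD_TYPES = {"oleObject", "attachedTemplate"}
# The scheme handler invocation; the match runs to the closing quote or tag.
MSDT_URI = re.compile(r"ms-msdt:[^\"'<>\r\n]*", re.IGNORECASE)


def external_relationships(docx_bytes):
    """Return every relationship in any .rels part that has TargetMode="External"."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                found.append({
                    "part": name,
                    "id": rel.get("Id", ""),
                    # Type is a full URI; keep only its last path segment.
                    "type": rel.get("Type", "").rsplit("/", 1)[-1],
                    "target": rel.get("Target", ""),
                })
    return found


def suspicious_relationships(rels):
    """External relationships that load a remote http(s) resource at open time."""
    return [r for r in rels
            if r["type"] in REMOTE_LOAD_TYPES
            and r["target"].lower().startswith(("http://", "https://"))]


def find_msdt_uris(text):
    """Return every ms-msdt: URI found in an HTML or script body."""
    return MSDT_URI.findall(text)


def build_sample_docx(with_remote_object=True):
    """Build a minimal .docx in memory (constructed sample, not a real lure)."""
    rels = ['<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
            'officeDocument/2006/relationships/styles" Target="styles.xml"/>']
    if with_remote_object:
        # An OLE object whose target is a URL: Office fetches it when the file opens.
        rels.append('<Relationship Id="rId996" Type="http://schemas.openxmlformats.org/'
                    'officeDocument/2006/relationships/oleObject" '
                    'Target="http://example.invalid/remote.html" TargetMode="External"/>')
    rels_xml = ('<?xml version="1.0" encoding="UTF-8"?><Relationships '
                'xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
                + "".join(rels) + "</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("word/document.xml",
                     '<w:document xmlns:w="http://schemas.openxmlformats.org/'
                     'wordprocessingml/2006/main"><w:body><w:p/></w:body></w:document>')
        pkg.writestr("word/styles.xml", "<styles/>")
        pkg.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed HTML of the kind such a remote object points at. PCWDiagnostic is the
# troubleshooter id seen in public samples; the /param value is a placeholder.
SAMPLE_HTML = """<html><body><script>
window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param IT_BrowseForFile=PLACEHOLDER";
</script></body></html>"""

if __name__ == "__main__":
    for r in suspicious_relationships(external_relationships(build_sample_docx())):
        print(f"remote {r['type']} in {r['part']} ({r['id']}) -> {r['target']}")
    for uri in find_msdt_uris(SAMPLE_HTML):
        print("ms-msdt invocation:", uri)
```

Run it against a real suspect file by passing the file's bytes to `external_relationships`; a benign document normally yields only hyperlink relationships, which `suspicious_relationships` drops. The RTF variant is not a ZIP, so this check does not apply to it; there, the process-tree monitoring discussed later is the practical signal.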

Active exploitation attempts

Phishing campaigns exploiting the flaw have already been linked to a state-backed hacking group. The threat actors run narrowly targeted campaigns and use a PowerShell payload with wide-ranging reconnaissance capabilities. Exploitation attempts have been recorded.[5] A China-based threat actor group delivered ZIP archives containing the malware-laced Word documents.

A new exploitation method like this is hard to detect: the Word document contains no malicious code itself, because the code is loaded from the remote template at open time, so static scanning of the document does not flag it. To detect this attack vector, researchers recommend monitoring process creation, since the Follina chain spawns msdt.exe as a child process of the Microsoft Office application that opened the document.

Additionally, the sdiagnhost.exe process will be spawned with a conhost.exe child and its subsequent payload processes.
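The process-tree signals above translate directly into a detection rule. The script below is an added example for this article, not a vendor rule or the researchers' query. It consumes process-creation events of the shape Sysmon Event ID 1 or EDR telemetry provides (ProcessId, ParentProcessId, Image, CommandLine) and flags msdt.exe spawned by an Office application, msdt.exe invoked through the ms-msdt: URI handler by any other parent (which covers the RTF case where no Office process opens the file), and anything whose ancestry includes sdiagnhost.exe, with the conhost.exe console host rated lower than the payload processes that follow it. The event list, process IDs and command lines are constructed sample telemetry, and the sdiagnhost.exe parent in it is an assumption of this example.

```python
"""Process-tree detection for the Follina execution chain described above.

Example code added to this article; not a vendor rule or the researchers' query.
Input events carry the fields Sysmon Event ID 1 / EDR telemetry provide:
ProcessId (pid), ParentProcessId (ppid), Image (image), CommandLine (cmdline).
The EVENTS list is constructed sample telemetry, not real logs."""
from pathlib import PureWindowsPath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Constructed sample telemetry. Paths and command lines are illustrative; the
# ms-msdt: parameter and the encoded PowerShell argument are placeholders.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\u\Downloads\salary_increase.docx"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\msdt.exe",
     "cmdline": r'"C:\Windows\System32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force '
                r'/param IT_BrowseForFile=PLACEHOLDER'},
    {"pid": 600, "ppid": 1, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k DcomLaunch"},
    # In this constructed tree sdiagnhost.exe is parented by svchost.exe rather than
    # msdt.exe (an assumption here), so the rule keys on sdiagnhost.exe ancestry
    # instead of trying to link it back to the Office process.
    {"pid": 400, "ppid": 600, "image": r"C:\Windows\System32\sdiagnhost.exe",
     "cmdline": "sdiagnhost.exe -Embedding"},
    {"pid": 800, "ppid": 400, "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"\??\C:\Windows\system32\conhost.exe 0x4"},
    {"pid": 700, "ppid": 400,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc PLACEHOLDER"},
    # Benign: a troubleshooter started from Settings, parented by svchost, no ms-msdt: URI.
    {"pid": 900, "ppid": 600, "image": r"C:\Windows\System32\msdt.exe",
     "cmdline": "msdt.exe -id NetworkDiagnosticsWeb"},
]


def basename(image):
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(image).name.lower()


def ancestors(tree, pid):
    """Yield basenames of a process's parent, grandparent, ... (cycle-safe)."""
    seen = {pid}
    cur = tree.get(pid)
    while cur and cur["ppid"] in tree and cur["ppid"] not in seen:
        cur = tree[cur["ppid"]]
        seen.add(cur["pid"])
        yield basename(cur["image"])


def detect_follina(events):
    """Return a list of alerts ({pid, severity, reason}) for the Follina chain."""
    tree = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name = basename(e["image"])
        parent = tree.get(e["ppid"])
        parent_name = basename(parent["image"]) if parent else ""
        cmd = e.get("cmdline", "").lower()
        if name == "msdt.exe" and parent_name in OFFICE_APPS:
            # The core signal: the diagnostic tool launched by the Office app that opened the lure.
            alerts.append({"pid": e["pid"], "severity": "high",
                           "reason": f"msdt.exe spawned by Office process {parent_name}"})
        elif name == "msdt.exe" and "ms-msdt:" in cmd:
            # URI-handler launch from a non-Office parent, e.g. an RTF rendered in a preview pane.
            alerts.append({"pid": e["pid"], "severity": "medium",
                           "reason": f"msdt.exe invoked via ms-msdt: URI by {parent_name or 'unknown'}"})
        if "sdiagnhost.exe" in ancestors(tree, e["pid"]):
            # conhost.exe is the console host that accompanies the payload; the
            # payload itself (powershell.exe, cmd.exe, ...) is the real alert.
            severity = "medium" if name == "conhost.exe" else "high"
            alerts.append({"pid": e["pid"], "severity": severity,
                           "reason": f"{name} running under sdiagnhost.exe"})
    return alerts


if __name__ == "__main__":
    for a in detect_follina(EVENTS):
        print(f"[{a['severity']}] pid {a['pid']}: {a['reason']}")
```

Feed real Sysmon or EDR events by mapping ProcessId, ParentProcessId, Image and CommandLine onto the four keys; the logic is the same. The ancestry walk (rather than a direct parent check) catches payloads that sdiagnhost.exe launches through an intermediate cmd.exe as well as direct children.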

The vulnerability has been confirmed in Office 2013, Office 2016, Office Pro Plus (as of the April build), and a fully patched Office 2021. Follina remains unpatched at the time of writing, so Microsoft's workaround is to disable the MSDT URL protocol by backing up and then deleting the HKEY_CLASSES_ROOT\ms-msdt registry key, which prevents the ms-msdt: handler from being invoked and thus blocks exploitation.

About the author
Gabriel E. Hall