In a recent blog post, Microsoft discussed a new zero-day vulnerability, CVE-2022-30190, in the Microsoft Support Diagnostic Tool (MSDT) and provided guidance on mitigating its impact.
The post describes a remote code execution (RCE) vulnerability in MSDT: an attacker who exploits it can run arbitrary code with the privileges of the calling application. MSDT is a diagnostic tool that collects information about problems users encounter and sends it to Microsoft for analysis, which Microsoft uses to find solutions.
Before the Microsoft blog was published, security researcher nao_sec found an interesting malicious document that uses a Microsoft Word external link to load an HTML file hosted on a remote server. The HTML file in turn uses the "ms-msdt" URL scheme to execute malicious PowerShell code. Figure 1 shows nao_sec's Twitter post.
After this tweet, security researchers investigated and reproduced the exploit against different versions of Microsoft Office. A proof of concept (PoC) for testing the exploit is now also available on GitHub, as shown in the figure below.
Cyble Research Labs was able to run the above PoC and exploit the MSDT vulnerability, as shown below.
Security researcher Kevin Beaumont noted that the vulnerability was first exploited in the wild over a month earlier: an "invitation for an interview" file was spotted targeting a Russian user.
Beaumont named the vulnerability "Follina" because the file name contains the string "0438", the telephone area code of the Italian municipality of Follina.
Technical Analysis
Cyble Research Labs analyzed the sample identified by nao_sec (SHA-256: 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784).
The maldoc contains the Word relationships file "document.xml.rels", which is responsible for loading the file "RDF8421.html" hosted on the remote server www.xmlformats[.]com.
The HTML file then executes a PowerShell command through the ms-msdt URL scheme, as shown below.
On execution, the PowerShell command decodes its base64-encoded content and performs the remaining malicious actions.
The PowerShell content performs the following tasks:
- Runs with a hidden window
- Terminates msdt.exe in case it is running
- Moves the "05-2022-0438.rar" file to C:\Users\Public and renames it "1.rar"
- Locates the base64-encoded CAB file (identified by its MSCF header) inside "1.rar" and saves it as "1.t"
- Base64-decodes "1.t" into the CAB file "1.c"
- Expands "1.c" and executes the extracted file "rgb.exe"
The file "05-2022-0438.rar" was not available for analysis, so the functionality of rgb.exe is not fully clear at the moment.
The interesting part is that the malware leverages the ms-msdt URL scheme to execute malicious code. The following process chain was observed after execution.
This chain is a useful detection point. Office applications have no legitimate reason to start the diagnostic tool, so msdt.exe appearing as a child of a process such as winword.exe or excel.exe is a strong indicator that the MSDT vulnerability is being exploited.
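The check described above, written out as a small PowerShell detection. This is an added example, not code from the Cyble post or from Microsoft: it flags process-creation records where msdt.exe has an Office parent and notes whether the command line carries the ms-msdt: scheme. Field names follow Sysmon Event ID 1 (UtcTime, Image, ParentImage, CommandLine); winword.exe and excel.exe come from the post, and the other Office binaries in the list generalise the same rule. The sample records are constructed for this example and are not real telemetry.

```powershell
# Added example (not from the Cyble post or Microsoft): flag msdt.exe launched
# by an Office process, the parent/child relationship the post identifies.

# Office binaries that have no legitimate reason to launch the diagnostic tool.
# winword.exe and excel.exe are named in the post; the rest extend the same rule.
$OfficeParents = @('winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe', 'msaccess.exe')

function ConvertFrom-SysmonRecord {
    # Turn a Sysmon EventRecord into an object with one property per EventData field.
    param([Parameter(Mandatory, ValueFromPipeline)] [System.Diagnostics.Eventing.Reader.EventRecord] $Record)
    process {
        $fields = @{}
        foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
        [pscustomobject]$fields
    }
}

function Find-SuspiciousMsdtLaunch {
    # Emit one finding per process-creation record in which msdt.exe has an Office parent.
    param([Parameter(Mandatory, ValueFromPipeline)] [object] $Event)
    process {
        $child  = [System.IO.Path]::GetFileName([string]$Event.Image).ToLowerInvariant()
        $parent = [System.IO.Path]::GetFileName([string]$Event.ParentImage).ToLowerInvariant()
        if ($child -eq 'msdt.exe' -and $OfficeParents -contains $parent) {
            [pscustomobject]@{
                UtcTime        = $Event.UtcTime
                Parent         = $parent
                # The exploit hands msdt.exe an ms-msdt: URL. Its presence raises confidence;
                # its absence does not clear the event, the parent/child pair alone is enough.
                UsesMsdtScheme = [bool]($Event.CommandLine -match 'ms-msdt:')
                CommandLine    = $Event.CommandLine
            }
        }
    }
}

# Constructed sample records for this example (not real telemetry). The first one
# models the post's chain; the other two are benign msdt-related activity.
$SampleEvents = @(
    [pscustomobject]@{ UtcTime = '2022-05-30 09:12:41'
                       Image = 'C:\Windows\System32\msdt.exe'
                       ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
                       CommandLine = '"C:\Windows\System32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "..."' }
    [pscustomobject]@{ UtcTime = '2022-05-30 09:13:05'
                       Image = 'C:\Windows\System32\msdt.exe'
                       ParentImage = 'C:\Windows\explorer.exe'   # user opened a troubleshooter from Settings
                       CommandLine = '"C:\Windows\System32\msdt.exe" -id NetworkDiagnosticsWeb' }
    [pscustomobject]@{ UtcTime = '2022-05-30 09:14:22'
                       Image = 'C:\Windows\System32\sdiagnhost.exe'
                       ParentImage = 'C:\Windows\System32\svchost.exe'
                       CommandLine = 'C:\Windows\System32\sdiagnhost.exe -Embedding' }
)

# Only the WINWORD.EXE -> msdt.exe record is reported.
$SampleEvents | Find-SuspiciousMsdtLaunch | Format-Table -AutoSize

# Against live telemetry on a host with Sysmon installed:
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } |
#     ConvertFrom-SysmonRecord | Find-SuspiciousMsdtLaunch
```

The same logic applies to Windows Security event 4688 (NewProcessName / ParentProcessName) or any EDR process-tree feed; only the field names change. Matching on the parent image rather than on the command line matters because the attacker controls the command line, but cannot stop Office from being the parent of the process it spawns.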
Workarounds:
Microsoft has advised the following workaround:
Disabling the MSDT URL Protocol:
Users are advised to disable the vulnerable MSDT URL protocol, which prevents troubleshooters from being launched as links. Microsoft advises backing up the registry key before deleting it.
The figure below shows the MSDT registry key.
Disabling the MSDT URL protocol:
- Run Command Prompt as Administrator.
- To back up the registry key, execute the command "reg export HKEY_CLASSES_ROOT\ms-msdt filename".
- Execute the command "reg delete HKEY_CLASSES_ROOT\ms-msdt /f".
How to undo the workaround:
- Run Command Prompt as Administrator.
- To restore the registry key from the backup, execute the command "reg import filename".
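The backup, delete and restore steps above, combined into one PowerShell script. This is an added example, not Microsoft's or Cyble's code: it wraps the same reg.exe commands but adds the checks a practitioner wants before touching HKCR, namely that the shell is elevated, that the backup actually landed on disk before the key is deleted, and that the key is really gone (or really back) afterwards. The backup location under $env:ProgramData is an assumption of this example.

```powershell
# Added example (not from Microsoft or Cyble): disable or restore the ms-msdt
# URL handler with the same reg.exe commands as the workaround, plus checks.

$MsdtKey    = 'HKEY_CLASSES_ROOT\ms-msdt'
$BackupFile = Join-Path $env:ProgramData 'ms-msdt-backup.reg'   # assumed location for this example

function Assert-Elevated {
    # HKCR writes fail silently or with "Access is denied" from a non-elevated shell.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated (Administrator) PowerShell.'
    }
}

function Disable-MsdtUrlHandler {
    param([string] $BackupPath = $BackupFile)
    Assert-Elevated
    if (-not (Test-Path "Registry::$MsdtKey")) {
        Write-Host "$MsdtKey is already absent; nothing to do."
        return
    }
    # Same export as the documented workaround; /y overwrites an earlier backup file.
    reg.exe export $MsdtKey $BackupPath /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BackupPath)) {
        throw "Backup of $MsdtKey to $BackupPath failed; refusing to delete without a backup."
    }
    reg.exe delete $MsdtKey /f | Out-Null
    if (Test-Path "Registry::$MsdtKey") {
        throw "reg delete returned but $MsdtKey is still present."
    }
    Write-Host "Removed $MsdtKey; backup saved to $BackupPath"
}

function Restore-MsdtUrlHandler {
    param([string] $BackupPath = $BackupFile)
    Assert-Elevated
    if (-not (Test-Path $BackupPath)) { throw "No backup found at $BackupPath" }
    reg.exe import $BackupPath | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path "Registry::$MsdtKey")) {
        throw "Restore of $MsdtKey from $BackupPath failed."
    }
    Write-Host "Restored $MsdtKey from $BackupPath"
}

# Usage (elevated shell):
#   Disable-MsdtUrlHandler            # apply the workaround
#   Restore-MsdtUrlHandler            # undo it once a fix is in place
```

Keep the .reg backup somewhere that survives the workaround; without it the only way back is to recreate the handler by hand, which is why the script refuses to delete the key if the export did not produce a file.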
Conclusion
Threat actors are constantly looking for new techniques to target individuals and organizations. In this case, they are leveraging the vulnerability in MSDT to execute malicious code.
Cyble will closely monitor the MSDT vulnerability and continue to update our readers with the latest information.
Our Recommendations
We have listed some essential cybersecurity best practices that form the first line of defense against attackers. We recommend that our readers follow the practices below.
Measures to prevent malicious attacks:
- Refrain from opening untrusted links and email attachments without verifying their authenticity.
- Conduct regular backup practices and keep those backups offline or in a separate network.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
- Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
Steps to take after a compromise:
- Isolate infected devices from the network.
- Disconnect any attached external storage devices.
- Inspect system logs for suspicious events.
Impact and severity of malware attacks:
- Loss of valuable data.
- Loss of the organization's reliability or integrity.
- Loss of the organization's business information.
- Disruption of the organization's operations.
- Economic loss.
Indicators of Compromise (IOCs)
| Indicator | Type | Description |
| --- | --- | --- |
| 52945af1def85b171870b31fa4782e5 | MD5 | Docx exploit |
| 06727ffda60359236a8029e0b3e8a0fd11c23313 | SHA-1 | Docx exploit |
| 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784 | SHA-256 | Docx exploit |
| f531a7c270d43656e34d578c8e71bc39 | MD5 | Docx exploit |
| 934561173aba69ff4f7b118181f6c8f467b0695d | SHA-1 | Docx exploit |
| 710370f6142d945e142890eb427a368bfc6c5fe13a963f952fb884c38ef06bfa | SHA-256 | Docx exploit |
| hxxp://www.xmlformats[.]com | URL | C&C URL |
| 141[.]105.65.149 | IP | C&C IP |
Source: https://blog.cyble.com/2022/05/31/new-zero-day-exploit-spotted-in-the-wild/