This dangerous Microsoft Office zero-day is now being exploited in the wild

Image depicting a hand on a scanner
(Image credit: Pixabay)

The Microsoft Office "Follina" zero-day vulnerability may have its first official adopters, and first victims, experts have revealed. 

Cybersecurity researchers from Proofpoint have discovered that a Chinese state-sponsored threat actor known as TA413 has been targeting the international Tibetan community using the flaw.

"TA413 CN APT spotted ITW exploiting the Follina 0Day using URLs to deliver Zip Archives which contain Word Documents that use the technique," Proofpoint noted.

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022end of this survey

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey to get the bookazine, worth $10.99/£10.99.

Installing infostealers

"Campaigns impersonate the 'Women Empowerments Desk' of the Central Tibetan Administration and use the domain tibet-gov.web[.]app."

Uncovered earlier in May 2022, Follina leverages a Windows utility called msdt.exe, designed to run different troubleshooter packs on Windows. To run it, the attackers would send out a weaponized .docx file, capable of having MSDT run code even when in preview mode.

By abusing this utility, the attackers are able to tell the target endpoint to call an HTML file, from a remote URL. The attackers have chosen the xmlformats[.]com domain, probably trying to hide behind the similar-looking, albeit legitimate, domain used in most Word documents, the researchers are suggesting.

MalwareHunterTeam also found .docx files with Chinese filenames installing infostealers via http://coolrat[.]xyz. The HTML file holds plenty of “junk”, which obfuscates its true purpose - a script that downloads and executes a payload. The flaw, tracked as CVE-2022-30190, impacts all Windows client and server platforms still receiving security updates.

Following the publication of the findings, Microsoft has acknowledged the threat, saying a remote code execution vulnerability exists “when MSDT is called using the URL protocol from a calling application such as Word.” 

“An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.”

While some antivirus software are already capable of spotting this attack, Micorosft has also released a mitigation method, which includes disabling the MSDT URL protocol. This will prevent troubleshooters from being launched as links, but they can still be accessed using the Get Help application, and in system settings. To activate this workaround, admins need to do the following:

Run Command Prompt as Administrator.

To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename“

Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.

Via: BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.