The Cybereason Global Security Operations Center (SOC) issues Cybereason Threat Alerts to inform customers of emerging, impactful threats. The Alerts summarize these threats and provide practical recommendations for protecting against them.
The Cybereason team is investigating a Microsoft Office code execution vulnerability that was first observed in the wild, in a sample uploaded from an IP address in Belarus.
Investigation showed that the observed sample delivered malware without requiring the victim to allow macro execution. This vulnerability, dubbed Follina, is very likely to be mass-exploited.
Microsoft has identified this vulnerability as CVE-2022-30190 and released appropriate guidance.
- Follina leverages the Microsoft Word remote template feature to download an HTML file, which then uses the “ms-msdt” URL scheme to execute PowerShell.
- The vulnerability affects Microsoft Office/Office Pro Plus 2013, 2016 and 2019 versions.
- The observed sample from which the vulnerability was made public included attempts to create misdetections in security detection tools.
- Cybereason has not observed this vulnerability being exploited, apart from attempts to test the samples. However, the vulnerability is publicly known to have been exploited since mid-April 2022.
- The Cybereason Defense Platform detects and prevents the exploitation of Follina and enables effective hunting of this vulnerability.
This section describes the processes we observed in the exploitation of the Follina vulnerability. The following diagram represents the overall malicious activity seen in a Follina exploitation chain:
Follina vulnerability exploitation chain diagram
Follina is exploited through the execution of a customized Microsoft Word file:
The victim is required to enable “edit mode”, but macro execution authorization is not required.
Follina leverages the Microsoft Word remote template feature to download an HTML file, which then uses the “ms-msdt” URL scheme to execute PowerShell. The winword.exe process will thus generate network connections.
The following C2 domains were observed as external references (in document.xml.rels for OpenXML files) in known malicious samples:
- tibet-gov.web[.]app (observed by Proofpoint)
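The external reference described above can be checked statically before a document is opened. The following is an added example, not Cybereason's code: it lists every external, non-hyperlink relationship in an OpenXML package, and it goes slightly beyond the text by scanning all .rels parts rather than only document.xml.rels. The function names, the sample packages and the example.invalid host are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # for hostile input prefer defusedxml

PKG_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

def external_references(docx_bytes):
    """List (part, relationship type, target) for external non-hyperlink rels."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for part in pkg.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(part))
            for rel in root.iter(PKG_NS + "Relationship"):
                if rel.get("TargetMode", "").lower() != "external":
                    continue  # target is a part inside the package
                rel_type = rel.get("Type", "")
                if rel_type == REL + "hyperlink":
                    continue  # clickable links: skipped to keep the report short
                found.append((part, rel_type.rsplit("/", 1)[-1],
                              rel.get("Target", "")))
    return found

def make_package(rels_body):
    """Constructed input: a ZIP holding only word/_rels/document.xml.rels."""
    xml = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/'
           '2006/relationships">' + rels_body + "</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/_rels/document.xml.rels", xml)
    return buf.getvalue()

# Constructed samples; example.invalid is a placeholder host.
CLEAN = make_package(
    f'<Relationship Id="rId1" Type="{REL}styles" Target="styles.xml"/>'
    f'<Relationship Id="rId2" Type="{REL}hyperlink" '
    'Target="https://example.invalid/about" TargetMode="External"/>')
SUSPECT = make_package(
    f'<Relationship Id="rId1" Type="{REL}styles" Target="styles.xml"/>'
    f'<Relationship Id="rId2" Type="{REL}oleObject" '
    'Target="https://example.invalid/page.html" TargetMode="External"/>')

if __name__ == "__main__":
    for finding in external_references(SUSPECT):
        print(finding)
```

Any target reported here is a host the Office process will contact, so it can be compared against the blocklist of C2 domains before the file reaches a user.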
As a result of the HTML file downloading and parsing, winword.exe spawns a msdt.exe child process that contains the malicious payload:
"C:\\WINDOWS\\system32\\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param ""IT_RebrowseForFile=cal?c IT_LaunchMethod=ContextMenu IT_SelectProgram=NotListed IT_BrowseForFile=h$([Powershell Code])\'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe IT_AutoTroubleshoot=ts_AUTO"
In the command line, we can observe that the malicious PowerShell code starts after the “IT_BrowseForFile” parameter. It is important to note that the exploitation might not be limited to winword.exe but can also affect other Microsoft Office products like Outlook, Excel, etc.:
Process tree from the vulnerability exploitation as seen in the Cybereason Defense Platform
Once the msdt.exe process has been created, the sdiagnhost.exe process is created in less than a second, with svchost.exe as its parent process. The sdiagnhost.exe process executes the PowerShell code, and any process created from that PowerShell code will have sdiagnhost.exe as its parent process:
Process tree showing the sdiagnhost.exe process creation as seen in the Cybereason Defense Platform
The vulnerability has already been reproduced and can be leveraged to execute actions on the vulnerable machines.
Finally, the attack surface of MS protocols in Office is wider than the “ms-msdt” protocol alone and could be used for new attacks in the future. The Cybereason team therefore advises focusing on the detection of malicious processes spawned as children of Microsoft Office-related processes.
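The process relationships described in this section translate into three simple hunting rules. The following is an added example, not Cybereason's detection logic or a Cybereason query: it runs over process-creation events (parent image, child image, command line) exported from any EDR or process-creation log. The event field names, the rule names and the sample events are constructed; the malicious command line reuses the redacted one shown above, and powerpnt.exe is an assumption about what the “etc.” covers.

```python
from pathlib import PureWindowsPath

# Office hosts to watch; the text names Word, Outlook and Excel ("etc.").
OFFICE = {"winword.exe", "outlook.exe", "excel.exe", "powerpnt.exe"}

def _name(path):
    return PureWindowsPath(path).name.lower()

def triage(events):
    """Return (event index, rule) for each process-creation event that matches."""
    hits = []
    for i, ev in enumerate(events):
        parent, child = _name(ev["parent"]), _name(ev["image"])
        cmd = ev["cmdline"].lower()
        if child == "msdt.exe":
            # Rule 1: an Office application is the direct parent of msdt.exe.
            if parent in OFFICE:
                hits.append((i, "office-spawned-msdt"))
            # Rule 2: ms-msdt URL whose IT_BrowseForFile value embeds a
            # PowerShell subexpression or a path traversal, whatever the parent.
            if "ms-msdt:" in cmd and "it_browseforfile=" in cmd:
                value = cmd.split("it_browseforfile=", 1)[1]
                if "$(" in value or "/../" in value:
                    hits.append((i, "msdt-browseforfile-injection"))
        # Rule 3: the payload runs inside sdiagnhost.exe, so its children
        # deserve review (baseline legitimate troubleshooter activity first).
        if parent == "sdiagnhost.exe":
            hits.append((i, "sdiagnhost-child"))
    return hits

# Constructed events; the payload stays redacted as "[Powershell Code]".
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\user\Downloads\report.docx"'},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\WINDOWS\system32\msdt.exe",
     "cmdline": r'"C:\WINDOWS\system32\msdt.exe" ms-msdt:/id PCWDiagnostic '
                r'/skip force /param "IT_BrowseForFile=h$([Powershell Code])'
                r'i/../../Windows/System32/mpsigstub.exe"'},
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\sdiagnhost.exe",
     "cmdline": r"C:\Windows\System32\sdiagnhost.exe -Embedding"},
    {"parent": r"C:\Windows\System32\sdiagnhost.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msdt.exe",
     "cmdline": r'"C:\Windows\system32\msdt.exe" /id PCWDiagnostic'},
]
```

Rule 2 does not depend on the parent process, which covers the case noted above where exploitation is not limited to winword.exe.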
The Cybereason XDR Platform detects and prevents the Follina vulnerability in Microsoft products. Cybereason recommends the following:
- Detect and block outgoing connections (outside of the organization) to the identified C2 domains related to the vulnerability exploitation.
- Block the attack by disabling the “ms-msdt” URL protocol:
  - Run Command Prompt as Administrator.
  - To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename”.
  - Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.
  - A script to automate the above recommendation has been created and is available at this address:
- Disable “Troubleshooting wizards” through the creation of a GPO or directly through the local Group Policy console.
- Apply the latest patch from Microsoft as soon as Microsoft provides official instructions.
- Threat Hunting with Cybereason: The Cybereason MDR team provides its customers with custom hunting queries for detecting specific threats - to find out more about threat hunting and Managed Detection and Response with the Cybereason Defense Platform, contact a Cybereason Defender here.
- For Cybereason customers: More details available on the NEST including custom threat hunting queries for detecting this threat:
The Cybereason Defense Platform detects the Follina specifically crafted files
The Cybereason Defense Platform detects the Follina exploitation through the creation of a custom rule
About the Researcher:
Loïc Castel, Principal Security Analyst, Cybereason Global SOC
Loïc Castel is a Principal Security Analyst with the Cybereason Global SOC team. Loïc analyses and researches critical incidents and cybercriminals, in order to better detect compromises. In his career, Loïc worked as a security auditor in well-known organizations such as ANSSI (French National Agency for the Security of Information Systems) and as Lead Digital Forensics & Incident Response at Atos. Loïc loves digital forensics and incident response, but is also interested in offensive aspects such as vulnerability research.