Another nation-state actor exploits Microsoft Follina to attack European and US entities

A nation-state actor is attempting to exploit the Follina flaw in a recent wave of attacks against government entities in Europe and the U.S.

An alleged nation-state actor is attempting to exploit the recently disclosed Microsoft Office Follina vulnerability in attacks aimed at government entities in Europe and the U.S.

On May 31, Microsoft released workarounds for a recently discovered zero-day vulnerability, dubbed Follina and tracked as CVE-2022-30190 (CVSS score 7.8), in the Microsoft Office productivity suite.

“On Monday May 30, 2022, Microsoft issued CVE-2022-30190 regarding the Microsoft Support Diagnostic Tool (MSDT) in Windows vulnerability.” reads the advisory published by Microsoft. “A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.”

The popular cybersecurity expert Kevin Beaumont, who named the bug Follina, published an analysis of the flaw.

“The document uses the Word remote template feature to retrieve a HTML file from a remote webserver, which in turn uses the ms-msdt MSProtocol URI scheme to load some code and execute some PowerShell.” reads the analysis published by Beaumont. “There’s a lot going on here, but the first problem is Microsoft Word is executing the code via msdt (a support tool) even if macros are disabled. Protected View does kick in, although if you change the document to RTF form, it runs without even opening the document (via the preview tab in Explorer) let alone Protected View.”

The issue affects multiple Microsoft Office versions, including Office, Office 2016, and Office 2021.

Last week, the cybersecurity researcher nao_sec discovered a malicious Word document (“05-2022-0438.doc”) that was uploaded to VirusTotal from Belarus. The document uses the remote template feature to fetch an HTML and then uses the “ms-msdt” scheme to execute PowerShell code.

Researchers from Proofpoint reported that China-linked TA413 APT group is conducting a spear-phishing campaign that uses ZIP archives containing weaponized Word Documents.

The attackers impersonate the “Women Empowerments Desk” of the Central Tibetan Administration and use the domain tibet-gov.web[.]app for the attacks.

Proofpoint announced via Tweet to have blocked a phishing campaign launched by an alleged nation-state actor, the attacks targeted less than 10 Proofpoint customers (European gov & local US gov) with exploits for the Follina vulnerability.

These phishing messages masqueraded as a salary increase and utilized an RTF with the exploit payload.

The payload is a PowerShell script that is Base64-encoded and acts as a downloader to retrieve a second stage PowerShell script from a remote server named “seller-notification[.]live.”

The script performs some checks to avoid running in a virtualized environment, it is able to steal information from local browsers, mail clients and file services, it is also able to perform reconnaissance.

Gathered data are exfiltrated in the form of zip archives to the address 45.77.156[.]179.

The attribution to a nation-state actor is based on both the extensive recon of the Powershell and tight concentration of targeting.

Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.

Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)

To nominate, please visit: 

https://docs.google.com/forms/d/e/1FAIpQLSdNDzjvToMSq36YkIHQWwhma90SR0E9rLndflZ3Cu_gVI2Axw/viewform

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Follina)

[adrotate banner=”5″]

[adrotate banner=”13″]