“Follina” – Critical Zero-Day Exploit for Microsoft Products

Background

Over the past holiday weekend, a tweet from Tokyo-based security researcher “nao_sec” first identified an interesting upload to antivirus platform VirusTotal[1]. The Microsoft Word (.docx) file, uploaded from an IP address originating in Belarus, was found to contain a novel mechanism for obtaining PowerShell command execution through Office documents via the Microsoft Support Diagnostic Tool (MS-MSDT) troubleshooting feature. This original malware sample is currently being analyzed by members of the cybersecurity community, including Kevin Beaumont, who posted his analysis on Sunday, May 29^th and named the sample “Follina”[2].

This command execution vector is undoubtedly one of the most powerful phishing techniques to have surfaced in recent years. Compromise is obtained upon users opening infected Office attachments (modern .docx, .pptx, .xlsx as well as legacy .doc, .xls, and .ppt filetypes) and opting to edit the document by clicking through the “Protected View” warning prompt at the top of the window. Unlike macro-based malware phishing attacks, no clicking through “enable macros” warnings is necessary: in fact, this attack would succeed even in environments where macros have been entirely disabled across an organization's Microsoft Office software suite.

Alarmingly, Follina-infected Office files converted to rich text format (.rtf) have also been found to execute PowerShell code upon being previewed within the Windows Explorer’s “preview” pane, or upon being opened in “Protected View”, representing a compromise vector where no user interaction beyond download is necessary. A user who receives an RTF Word document containing “Follina”-style malware will be compromised by simply clicking the document in their Outlook inbox.

This novel technique comes just as Microsoft moves to disable Office macros from the internet, providing office-based malware a second wind[3].

The Technical Details

The malware’s step-by-step exploit chain is as follows[4]:

1. An external reference to an attacker-controlled IP address is included in the schema of the infected Word document. These external references would have the following format:

2. At “<attacker-domain>.com/malicious-html.html” is a malicious HTML document. This document will contain a malicious “window.location.href” tag featuring a crafted “ms-msdt” troubleshooting string containing a base64-encoded payload as follows:
   

(Credit: Xavier Mertens [“xme”] via SANs)

3. The base64-encoded payload will contain obfuscated PowerShell commands similar to the following:

 (Credit: Xavier Mertens [“xme”] via SANs)

Upon the original document being loaded, either with Protected View being disabled for Office documents or within Protected View (or within a document preview) for .rtf files, the PowerShell will execute to download and execute malware.

The above represents a powerful mechanism by which attackers could deploy remote access Trojan (RAT) malware to victim workstations.

Impact

Phishing emails leveraging the above powerful command execution vector will be flooding corporate email inboxes in the coming days. Undoubtedly, today’s most prolific ransomware gangs have already added this technique to their toolboxes.

On May 30^th, 2022, Microsoft released an advisory pertaining to CVE-2022-30190[5] and an accompanying guidance bulletin (“Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability”[6]). The bulletin provides an interim workaround to mitigate the vulnerability by deleting specific registry keys. Until a patch to remove the MS-MSDT code execution behaviour is released, phishing attacks leveraging the MS-MSDT execution technique will be extremely effective against organizations which have not applied this workaround.

Recommendations

Control Gap recommends that organizations take immediate action to mitigate this attack prior to Microsoft releasing formal guidance. Mitigations proposed by our team and by the security community at large include the following:

1. Block .rtf file attachments on corporate email and on file upload portals. Rich text format documents have a fringe use case at best in today’s Microsoft Office ecosystem. The risk posed by the MS-MSDT / “Follina” attack vector is immediate and significant and would easily justify a blanket ban on this legacy filetype.

2. Delete the “ms-msdt” registry key environment-wide at least until Microsoft mitigates the issue[7]. This registry key can be found at registry endpoint “Computer\HKEY_CLASSES_ROOT\ms-msdt” and can be deleted in its entirety. As of May 30^th, users implementing this change have found no impact to their corporate IT environments. We still recommend that caution be exercised when implementing changes to registry hives environment-wide: changes should be tested prior to being pushed to production environments. To be safe, we would recommend only pushing this registry deletion to user workstations: this would mitigate the attack vector in the vast majority of cases, unless system administrators are using servers to browse their email (which may be a problem in its own right).

3. Await further guidance from Microsoft. Microsoft will undoubtedly be releasing further security guidance on this issue in the coming days. Whether that guidance will include patches for Microsoft Office products or operating systems, more robust system hardening recommendations, or otherwise, is unclear. Organizations should monitor Microsoft bulletins for further information and next steps.

As always, organizations can trust Control Gap to provide comprehensive guidance on navigating this and other emerging threats.