New Microsoft Office zero-day used in attacks to run PowerShell


Follina zero-day bug in Microsoft Office delivers payloads virtually undetected

The Follina zero-day bug in Microsoft Office delivers payloads virtually undetected

Security researchers have discovered a new zero-day vulnerability in Microsoft Office, which is used in attacks to execute malicious PowerShell commands through the Microsoft Diagnostic Tool (MSDT) simply by opening a Word document.

The vulnerability, which has not yet received a tracking number and is dubbed “Follina” by the infosec community, is exploited using malicious Word documents that execute PowerShell commands through the MSDT.

This new Follina zero-day opens the door to a new critical attack vector that leverages Microsoft Office programs as it works without elevated privileges, bypasses Windows Defender detection and does not require macro code to run binaries or scripts.

Found Microsoft Office Zero Day by accident

Last Friday, security researchers nao_sec found a malicious Word document delivered to Virus Total scanning platform from an IP address in Belarus.

“I searched VirusTotal for files that exploited CVE-2021-40444. Then I found a file that abuses the ms-msdt scheme,” nao_sec told BleepingComputer in an interview.

“It uses Word’s external link to load the HTML code and then uses the ‘ms-msdt’ scheme to run PowerShell code,” the researcher added in a tweet, posting a screenshot of the obfuscated code below:

Obfuscated code used in attacks to exploit Follina vulnerabilities
Obfuscated payload code, source: nao_sec

security researcher Kevin Beaumont de-obfuscated the code and explained in a blog post that it is a command line string that runs Microsoft Word using MSDT even when macro scripts are disabled.

The above PowerShell script extracts and executes a Base64 encoded file from a RAR file. This file is no longer available, so it is not clear what malicious activity was performed by the attack.

Beaumont clarifies things by saying that the malicious Word document uses the remote template feature to fetch an HTML file from a remote server.

The HTML code then uses Microsoft’s MS-MSDT-URI protocol scheme to load additional code and run PowerShell code.

The researcher adds that the Protected View feature in Microsoft Office, which is designed to warn about files from potentially unsafe locations, will be activated to warn users of the possibility of a malicious document.

However, this warning can be easily circumvented by changing the document to an RTF (Rich Text Format) file. This allows the obfuscated code to run “without even opening the document (via the Preview tab in Explorer)”.

Researchers reproduce zero-day

Several security researchers analyzed the malicious document shared by nao_sec and successfully reproduced the exploit with multiple versions of Microsoft Office.

At the time of writing this article, researchers have confirmed that the vulnerability in Office 2013, 2016, Office Pro Plus from April (on Windows 11 with May updates) and a patched version of Office 2021:

Source: Didier Stevens

In a separate analysis today, researchers from cybersecurity services company Huntress analyzed the exploit and provided more technical details on how it works.

They found that the HTML document that got things going was xmlformats[.]com”, a domain that no longer loads.

Huntress confirmed Beaumont’s finding that an RTF document would deliver the payload with no user interaction (aside from selection), which is commonly known as “zero-click exploitation”.

Follina zero-click exploit in Microsoft Office
Follina payload runs only by selecting the malicious RTF document, source: Huntress

The researchers say that depending on the payload, an attacker could use this exploit to reach remote locations on the victim’s network

This would allow an attacker to collect hashes of passwords from Windows computers, useful for further post-exploitation activities.

The Follina vulnerability in Microsoft Office could be used to steal Windows password hashes
Microsoft Office bug could help collect Windows password hashes, Source: Huntress

Detection might be difficult

Beaumont warns that the detection for this new exploitation method “probably won’t be great,” arguing that the malicious code is loaded from a remote template, so the contained Word document isn’t flagged as a threat because it doesn’t contain malicious content contains code, just a reference to it.

To detect an attack via this vector, Huntress refers to monitoring processes on the system as the Follina payload creates a child process of msdt.exe under the attacking parent Microsoft Office.

“It also spawns the sdiagnhost.exe process with a conhost.exe child and its subsequent payload processes” – Huntress

For organizations that rely on Microsoft Defender’s Attack Surface Reduction (ASR) rules, Huntress recommends enabling “Prevent all Office applications from creating child processes” in block mode, which would prevent Follina exploits.

It is recommended to run the rule in audit mode first and monitor the results before using ASR to ensure end users are not adversely affected.

Another mitigation, from Didier Stevenswould be removing the file type association for ms-msdt so that Microsoft Office cannot invoke the tool when a malicious Folina document is opened.

Reported to Microsoft in April

Security researchers say the Follina vulnerability appears to have been discovered and reported to Microsoft since April.

According to screenshots posted by a member of the Shadowhunters group – A college student association focused on detecting and analyzing Advanced Persistent Threats (APTs), Microsoft was informed of the vulnerability but dismissed it as “not a security related issue”.

Microsoft’s argument was that although msdt.exe ran, it required a passcode to launch and the company was unable to replicate the exploit.

Microsoft classifies the Follina report as not security relevant
Microsoft’s response to the Follina vulnerability report, source: CrazyMan_Army

However, on April 12, Microsoft closed the Vulnerability Submission Report (tracked as VULN-065524) and classified it as “This issue has been fixed” with a security impact on remote code execution.

Microsoft closes Follina remote code execution bug in Microsoft Office
April Report for the Follina Microsoft Office RCE, Source: CrazyMan_Army

BleepingComputer contacted Microsoft for more details about the “Follina” vulnerability, asking why it is not considered a security risk and if they plan to fix it.

We’ll update the article when the company makes a statement.

You May Also Like