Follina abuses Microsoft Office to execute code remotely


A vulnerability called “Follina” could allow attackers to gain full system control of affected systems. Learn more about it and how to protect yourself from it.

CVE-2022-30190, also known as “Follina”, is a remote code execution (RCE) vulnerability that affects Microsoft Office, reported on May 27, 2022.

How can the Follina vulnerability be exploited by attackers?

The path is as follows:

  • A Microsoft Office .DOC file created by an attacker is sent to a target.
  • The .DOC file references an HTTPS: link leading to an HTML file containing obfuscated JavaScript code.
  • The JavaScript code references another link with the identifier MS-MSDT: instead of the usual HTTPS: identifier.
  • Windows operating systems open the Microsoft Support Diagnostic Tool (MSDT) and run the code in the link provided.
  • Depending on the code running on the targeted system, the attacker can facilitate further compromise or take control of the affected system.

The Follina vulnerability can therefore be easily triggered by sending phishing emails to targets, either containing the malicious .DOC file or a link leading to it.

How dangerous is Follina?

Nikolas Cemerikic, Cybersecurity Engineer, Immersive Labs, says:

“What sets Follina apart is that this exploit does not take advantage of Office macros and therefore works even in environments where macros have been disabled entirely. A user opens and views the Word document, or previews the document using Windows Explorer’s preview pane; since Windows Explorer does not require Word to fully launch, it effectively becomes an attack in 0 clicks.”

Cemerikic adds that “this vulnerability is not specifically synonymous with Microsoft Word or Outlook. Although the only recorded cases to date of this vulnerability being exploited in the wild have been exploited through the use of Microsoft Word and Outlook, in theory any desktop product that handles oleObject relationships is vulnerable. As oleObject relationships are not specific to Word, it is likely that in the future we will see this vulnerability exploited in other Office applications as well.”

Additionally, according to Huntress, it is possible to trigger the vulnerability without opening the file, by creating a specific .RTF file that would be displayed in the Windows Explorer preview pane. This makes this vulnerability even more dangerous.

Attacks in the wild since March 2022

Sekoia reports several instances of in-the-wild attacks exploiting the Follina vulnerability, with the earliest attacks likely being carried out by Chinese APT threat actors.

Some documents have been found that target Nepalese companies or individuals.

Another document, titled “CSAFP’S_GUIDANCE_RE_NATIONAL_AND_LOCAL_ELECTION_2022_NLE.docx” targets several divisions of the Armed Forces, posing as the Armed Forces of the Philippines (Figure A).

Figure A

Malicious document demonstrating the vulnerability of Follina.
Image: TechRepublic. Malicious file posing as Armed Forces of the Philippines sent to other Armed Forces divisions

Sekoia further reports that they could retrieve only one payload that was still live at the time of their search. It downloaded an encoded shellcode that, when decoded, appeared to be a Cobalt Strike beacon. The IP address from which the shellcode was downloaded is known to Sekoia as a PlugX C2 server, PlugX (also known as KorPlug) being a Trojan-type malware used by several Chinese APT threat actors.

Additionally, Proofpoint reports on Twitter that Chinese threat actor TA413 has been spotted in the wild exploiting the Follina vulnerability, using Zip archive files containing malicious Word documents in an attack campaign posing as the Central Tibetan Administration’s “Women Empowerments Desk” (Figure B).

Figure B

Tweet about a Chinese threat actor exploiting Follina.
Image: Twitter. Chinese threat actor TA413 exploits the Follina vulnerability with a document posing as the Tibetans’ “Women Empowerments Desk.”

How to detect the vulnerability and protect against it

Exploitation of the vulnerability can be detected when the legitimate msdt.exe binary is run with the argument IT_BrowseForFile containing the character sequence $(.

Another detection is to look for sdiagnhost.exe spawning a conhost.exe child process, together with its subsequent payload processes.
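Both detections can be expressed as rules over process-creation telemetry. The following is an added example, not code from the article or from any vendor; the event fields (pid, ppid, image, cmdline) and all sample events are constructed for illustration, and PID reuse is ignored.

```python
import re

# Constructed process-creation events; field names and values are assumptions.
EVENTS = [
    {"pid": 100, "ppid": 50, "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "cmdline": "WINWORD.EXE /n constructed.docx"},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\System32\msdt.exe",
     "cmdline": 'msdt.exe /param "IT_BrowseForFile=$(constructed-placeholder)"'},
    {"pid": 200, "ppid": 60, "image": r"C:\Windows\System32\sdiagnhost.exe",
     "cmdline": "sdiagnhost.exe -Embedding"},
    {"pid": 201, "ppid": 200, "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": "conhost.exe 0xffffffff -ForceV1"},
    {"pid": 202, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c constructed-payload"},
    {"pid": 300, "ppid": 70, "image": r"C:\Windows\System32\msdt.exe",
     "cmdline": "msdt.exe /id constructed-benign-package"},
]

# '$(' anywhere inside the IT_BrowseForFile value (up to the closing quote).
BROWSE_ARG = re.compile(r'IT_BrowseForFile=[^"]*\$\(', re.IGNORECASE)

def basename(path):
    """Lower-cased file name of a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect_msdt_args(events):
    """Rule 1: PIDs of msdt.exe runs whose IT_BrowseForFile argument contains '$('."""
    return [e["pid"] for e in events
            if basename(e["image"]) == "msdt.exe" and BROWSE_ARG.search(e["cmdline"])]

def detect_sdiagnhost_children(events):
    """Rule 2: sdiagnhost.exe with a conhost.exe child.
    Returns {sdiagnhost pid: [image names of its other children]}."""
    by_parent = {}
    for e in events:
        by_parent.setdefault(e["ppid"], []).append(e)
    findings = {}
    for e in events:
        if basename(e["image"]) != "sdiagnhost.exe":
            continue
        kids = [basename(c["image"]) for c in by_parent.get(e["pid"], [])]
        if "conhost.exe" in kids:
            findings[e["pid"]] = [k for k in kids if k != "conhost.exe"]
    return findings

if __name__ == "__main__":
    print("msdt.exe hits:", detect_msdt_args(EVENTS))
    print("sdiagnhost.exe hits:", detect_sdiagnhost_children(EVENTS))
```

The second rule returns the sibling processes of conhost.exe so an analyst can triage the payload processes directly.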

Microsoft has released a workaround guide which involves disabling the MSDT URL protocol directly in the registry.

It is also recommended to disable “troubleshooting wizards” in the registry.

Security and antivirus vendors are also actively working to improve Follina vulnerability detection, so it is advisable to stay up to date on all security products and antivirus solutions.

Also, it is not recommended to open or even preview any .DOC/.DOCX file received through an unusual channel, such as an unknown email sender or an unknown instant messenger contact. The same applies to .RTF documents received this way: do not open or preview them.

Disclosure: I work for Trend Micro, but the opinions expressed in this article are my own.

