Microsoft Word Weaponized by Chinese Hackers to Exploit Zero-day Windows Flaw


More than a month after the Follina vulnerability was discovered in Windows and Windows Server, which Microsoft rebuffed as “not a security related issue,” Redmond on Monday publicly acknowledged that the vulnerability in Windows and Windows Server was being exploited by Chinese hackers using malicious Microsoft Word documents. 

Microsoft recently published an advisory concerning a critical vulnerability affecting the Microsoft Support Diagnostic Tool (MSDT), the tool used to troubleshoot issues in Windows OS. The zero-day flaw, dubbed Follina, was discovered in April by Shadow Chaser GroupOpens a new window ‘s crazyman and reportedly exploited by Chinese threat actors.

At the time, Microsoft respondedOpens a new window to crazyman that they “have decided it is not a security issue.” However, things seem to have worsened, considering Follina, tracked as CVE-2022-30190, is being actively exploited in the wild by TA413 CN, an advanced persistent threat (APT) group linked to the Chinese state.

TA413 CN APT spotted ITW exploiting the #FollinaOpens a new window #0DayOpens a new window using URLs to deliver Zip Archives which contain Word Documents that use the technique. Campaigns impersonate the “Women Empowerments Desk” of the Central Tibetan Administration and use the domain tibet-gov.web[.]app a new window

— Threat Insight (@threatinsight) May 31, 2022Opens a new window

System diagnostics through MSDT requires a passkey from a Microsoft support technician, which is why MSRC initially rebuffed crazyman’s discovery. However, further analysis showed that MSDT was indeed vulnerable and allowed the execution of arbitrary PowerShell code through ms-msdt: URI scheme.

To call this malicious code, threat actors leveraged malicious Microsoft Word documents to retrieve a HTML file from a remote webserver. A sampleOpens a new window of the malicious document or maldoc was uploaded to VirusTotal by @nao_sec on May 27, 2022.

Interesting maldoc was submitted from Belarus. It uses Word’s external link to load the HTML and then uses the “ms-msdt” scheme to execute PowerShell code. a new window

— nao_sec (@nao_sec) May 27, 2022Opens a new window

“That should not be possible,” writesOpens a new window security researcher Kevin Beaumont. “There’s a lot going on here, but the first problem is Microsoft Word is executing the code via msdt (a support tool) even if macros are disabled. Protected View does kick in, although if you change the document to RTF form, it runs without even opening the document (via the preview tab in Explorer), let alone Protected View.”

Follina is thus a zero-day remote code execution vulnerability with privileges of the calling application. A successful exploit can allow an attacker to install programs, view, change, delete data, or create new accounts in the context allowed by the user’s rights.

Follina has a CVSS score of 7.8, qualifying it as a high severity vulnerability. It impacts Office 2013, 2016, 2019, 2021, Office ProPlus and Office 365, Windows 7 onwards and Windows Server 2008 and later versions.

See More: U.S. DoJ Says It Won’t Prosecute Ethical Hackers Under CFAA

Besides the Women Empowerments Desk themed maldoc tested by Proofpoint, Beaumont collated some other maldoc samples themed as an invitation for an interview with Sputnik RadioOpens a new window and allegations of sexual misconductOpens a new window to entrap targets.

Follina maldoc Sample | Source: Kevin Beaumont

How to Mitigate Follina Attacks

With a patch yet to come for Follina, Huntress Labs notedOpens a new window , “The mitigations that are available are messy workarounds that the industry hasn’t had time to study the impact of. They involve changing settings in the Windows Registry, which is serious business because an incorrect Registry entry could brick your machine.”

However, the Follina vulnerability allows exploitation even through the hover-preview of a downloaded file that doesn’t even require opening it. So if testing each Word document is not possible, Microsoft suggested disabling the MSDT URL Protocol by:

  • Run Command Prompt as Administrator.
  • To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOTms-msdt filename“
  • Execute the command “reg delete HKEY_CLASSES_ROOTms-msdt /f”.

Users can restore the registry key through the command “reg import filename” run as Administrator in the Command Prompt.

Microsoft and Huntress Labs’ John Hammond also suggested turning on cloud-delivered protection and automatic sample submission. Microsoft Defender for Endpoint can help through “BlockOfficeCreateProcessRule” which blocks Office apps from creating child processes, thereby limiting the attack surface.

Let us know if you enjoyed reading this news on LinkedInOpens a new window , TwitterOpens a new window , or FacebookOpens a new window . We would love to hear from you!