New Zero-day Exploit Spotted In The Wild – Cyble

Microsoft disclosed a zero-day vulnerability in the Microsoft Support Diagnostic Tool (MSDT), CVE-2022-30190, that enables remote code execution. The exploit chain uses a malicious Word document to load a remote HTML file, which in turn invokes the ms-msdt: URL protocol handler to run PowerShell. Workarounds and indicators are outlined for defenders. #Follina #CVE2022-30190

Keypoints

  • The MSDT vulnerability CVE-2022-30190 enables remote code execution through the ms-msdt: URL protocol handler.
  • A malicious Word document carries an external link that fetches an HTML payload from a remote server; that HTML triggers the exploit.
  • The HTML payload invokes an ms-msdt: URL whose parameters carry a PowerShell command; the command base64-decodes and runs further payloads.
  • Cyble Research Labs verified exploitation in the wild and documented the process chain and artifacts.
  • In-the-wild samples were observed targeting users in other countries, including one connected to a Russian user; researchers named the vulnerability “Follina”.
  • Microsoft provides workarounds, including disabling the ms-msdt URL protocol by backing up and deleting its registry key, plus steps to undo them.
  • A set of IOCs (hashes, URL, and IP) accompanies the report to help defenders detect the activity.
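The registry workaround in the key points, as an added PowerShell example that is not code from the Cyble post or from Microsoft's guidance. It follows the published steps (export HKEY_CLASSES_ROOT\ms-msdt, delete it, and later reg import the export to undo) and adds the checks an administrator would want before deleting. The backup path and the function names are this example's own choices.

```powershell
# Added example: apply and undo Microsoft's ms-msdt workaround. Run from an elevated
# PowerShell session. $BackupPath is an assumption; any path the undo step can read will do.
$BackupPath = 'C:\ProgramData\ms-msdt-backup.reg'
$MsdtKey    = 'HKEY_CLASSES_ROOT\ms-msdt'

function Test-MsdtProtocolDisabled {
    # $true when the handler key is gone, so an ms-msdt: link no longer launches msdt.exe.
    -not (Test-Path "Registry::$MsdtKey")
}

function Disable-MsdtProtocol {
    param([string]$Backup = $BackupPath)
    if (Test-MsdtProtocolDisabled) {
        Write-Host "$MsdtKey is already absent; nothing to do."
        return
    }
    # Export before deleting so the handler can be restored later (/y overwrites an old backup).
    & reg.exe export $MsdtKey $Backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup to $Backup failed; refusing to delete $MsdtKey." }
    & reg.exe delete $MsdtKey /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg delete $MsdtKey failed (is this session elevated?)." }
    Write-Host "ms-msdt protocol handler removed; backup saved to $Backup."
}

function Restore-MsdtProtocol {
    param([string]$Backup = $BackupPath)
    if (-not (Test-Path $Backup)) { throw "No backup found at $Backup; cannot restore." }
    & reg.exe import $Backup | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg import $Backup failed." }
    if (Test-MsdtProtocolDisabled) { throw 'Import ran but the key is still missing; inspect the .reg file.' }
    Write-Host "ms-msdt protocol handler restored from $Backup."
}

# Usage (interactive):
# Disable-MsdtProtocol
# Test-MsdtProtocolDisabled    # True once the key is gone
# Restore-MsdtProtocol         # after a fix is in place
```

Deleting the key only breaks ms-msdt: links, which is the vector used here; Microsoft noted that troubleshooters stay reachable through the Get Help app and Settings. Where Defender for Endpoint is deployed, the attack surface reduction rule that blocks Office applications from creating child processes cuts the winword.exe to msdt.exe hop independently of this registry change.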

MITRE Techniques

  • [T1218.005] Signed Binary Proxy Execution: Msdt – The HTML file uses the ms-msdt: URL scheme to have msdt.exe execute malicious PowerShell code. Quote: “The HTML file further executes a PowerShell command using ms-msdt schema.”
  • [T1059.001] PowerShell – The PowerShell content decodes the base64-encoded payload and performs other malicious actions. Quote: “Upon execution, the PowerShell command further decodes the base64 encoded content and performs other malicious activities.”
  • [T1105] Ingress Tool Transfer – The maldoc loads an HTML file hosted on a remote server to stage the attack. Quote: “The maldoc contains a file … responsible for loading the ‘RDF8421.html’ file hosted in the remote server ‘hxxp.xmlformats.com’.”
  • [T1027] Obfuscated Files or Information – The payload is delivered as base64 text and compressed (CAB) content that is decoded and expanded before rgb.exe is finally executed. Quote: “decodes the base64 encoded content and performs other malicious activities.”
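The process chain the techniques above describe (an Office process launching msdt.exe through an ms-msdt: URL whose parameters carry base64-encoded PowerShell) is what endpoint telemetry actually records, so here is an added detection example that is not part of the Cyble report. It scans process-creation records, flags the chain, and decodes any embedded base64 for the analyst. The records are constructed here to resemble Sysmon Event ID 1 fields; the field names, the sample command lines and the harmless stand-in stage are assumptions of this example, loosely modelled on the public Follina sample rather than copied from it.

```powershell
# Added detection example (not from the Cyble report). Field names (Image, ParentImage,
# CommandLine, ProcessId) and the sample records below are constructed for this example.
$OfficeParents = @('winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe')

function Get-EmbeddedBase64 {
    # Returns decoded UTF-8 text for each base64-looking run (>= 40 chars) in a command line.
    param([string]$CommandLine)
    foreach ($m in [regex]::Matches($CommandLine, '[A-Za-z0-9+/]{40,}={0,2}')) {
        try {
            [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($m.Value))
        } catch { }   # not valid base64 after all (bad length or padding); skip it
    }
}

function Get-FollinaSuspects {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        $image  = [System.IO.Path]::GetFileName($e.Image).ToLowerInvariant()
        $parent = [System.IO.Path]::GetFileName($e.ParentImage).ToLowerInvariant()
        if ($image -ne 'msdt.exe') { continue }
        $officeParent = $OfficeParents -contains $parent
        $reasons = @()
        if ($officeParent) { $reasons += "msdt.exe spawned by $parent" }
        if ($e.CommandLine -match 'ms-msdt:') { $reasons += 'ms-msdt: URL passed on the command line' }
        if ($e.CommandLine -match 'FromBase64String|Invoke-Expression|\bIEX\b') {
            $reasons += 'PowerShell decode/execute primitives inside the URL parameters'
        }
        # msdt.exe runs legitimately for troubleshooters, so require the Office parent
        # plus at least one command-line marker before raising an alert.
        if ($officeParent -and ($reasons.Count -ge 2)) {
            [pscustomobject]@{
                ProcessId    = $e.ProcessId
                Parent       = $parent
                Reasons      = $reasons -join '; '
                DecodedStage = @(Get-EmbeddedBase64 $e.CommandLine) -join "`n"
            }
        }
    }
}

# Constructed sample records. The encoded stage is a harmless stand-in built at runtime.
$stage2 = [Convert]::ToBase64String(
    [System.Text.Encoding]::UTF8.GetBytes("Write-Host 'constructed stage-2 stand-in'"))
$cmdTemplate = '"C:\Windows\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_BrowseForFile=$(Invoke-Expression([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(''BASE64''))))"'
$SampleEvents = @(
    [pscustomobject]@{ ProcessId = 4120; Image = 'C:\Windows\System32\msdt.exe'
                       ParentImage = 'C:\Windows\explorer.exe'
                       CommandLine = 'msdt.exe -id NetworkDiagnosticsNetworkAdapter' },   # benign troubleshooter
    [pscustomobject]@{ ProcessId = 5288; Image = 'C:\Windows\System32\msdt.exe'
                       ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
                       CommandLine = $cmdTemplate.Replace('BASE64', $stage2) }
)

Get-FollinaSuspects -Events $SampleEvents | Format-List
```

Only the second record is reported (Office parent, ms-msdt: URL, and decode primitives), and DecodedStage shows the plaintext of the embedded base64 so the analyst does not have to decode it by hand. For live hunting, feed real Sysmon or EDR process-creation events into Get-FollinaSuspects and extend the parent list to whatever Office binaries are deployed; the same logic applies to msdt.exe launched from any document reader.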

Indicators of Compromise

  • [MD5] context – 52945af1def85b171870b31fa4782e5, f531a7c270d43656e34d578c8e71bc39
  • [SHA-1] context – 06727ffda60359236a8029e0b3e8a0fd11c23313, 934561173aba69ff4f7b118181f6c8f467b0695d
  • [SHA-256] context – 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784, 710370f6142d945e142890eb427a368bfc6c5fe13a963f952fb884c38ef06bfa
  • [URL] context – hxxp://www.xmlformats[.]com
  • [IP] context – 141.105.65.149
  • [File Name] context – 05-2022-0438.rar, rgb.exe

Read more: https://blog.cyble.com/2022/05/31/new-zero-day-exploit-spotted-in-the-wild/