Windows MSDT Zero-day Vulnerability ‘DogWalk’ Detected by V3

On June 8th, a new Windows Zero-day vulnerability named DogWalk was revealed by Hacker News (thehackernews.com). Similar to that of Follina vulnerability that targeted MS Office document files, this is a vulnerability that occurs from MSDT (Microsoft Support Diagnostic Tool), and it has a risk of copying malware in Windows Startup folder upon running the compressed “.diagcab” extension file. Although PC has to be restarted for the malicious file to operate, users are exposed to attacks since no patch has been announced by MS yet.

As shown below, these vulnerability attacks can be detected using V3’s behavior detection. After downloading “.diagcab” file from web browser or outlook and executing it, V3 detects and deletes msdt.exe processes that copy the executable file to the Windows Startup folder.

  • Startup path: C:\Users\UserAccount\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

The figure below shows how V3 detection detects the vulnerability when the vulnerability is exploited.

[Figure 1] Detection of DogWalk vulnerability attack (1/2)

Below are the details on blocking msdt.exe behavior.

[Figure 2] Blocking msdt.exe processes (2/2)

Comparison of V3 installed / uninstalled environment (video)

[V3 Behavior Detection]
– InitialAccess/MDP.Event.M4331 (V3: 2022.06.15.00)

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Categories:Malware Information

Tagged as:, , ,

5 2 votes
Article Rating
guest
0 Comments
Inline Feedbacks
View all comments