New MS Office Zero Day Evades Defender

MuzzMelbourne

Level 15
Thread author
Verified
Top Poster
Well-known
Mar 13, 2022
599
'Follina exploit' loads malware from remote servers

Malware writers are exploiting a vulnerability in Microsoft Office that enables them to fetch malicious code without detection in a multi-stage attack, security researchers have found.

The exploit, which researcher Kevin Beaumont named Follina, abuses the remote template feature in Microsoft Word.

 

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
293
Thanks for sharing this.

It is blocked by OSArmor (basic protection profile):

win10-20h2v2-x64-2022-05-30-11-30-57.png
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,488
Blocked if PowerShell works in the Constrained Language Mode. The malware uses the method [System.Convert]::FromBase64String to decode malware, which is not allowed in this mode.
So, Windows built-in protection based on SRP, Applocker, or MDAC can prevent this malware.
 

Brahman

Level 18
Verified
Top Poster
Well-known
Aug 22, 2013
884
However, with the Insider and Current versions of Office I can’t get this to work — which suggests Microsoft have either tried to harden something, or tried to fix this vulnerability without documenting it. This appears to have happened around May 2022. Another entirely possible option is I’m too much of an idiot to exploit it on those versions, and I’ve just messed something up.

The vulnerability still exists in Office 2013 and 2016 for me, other versions may apply.

People should stop using older versions of Office, there is enough free, regularly updated ,safer options exists.
 

upnorth

Level 68
Verified
Top Poster
Malware Hunter
Well-known
Jul 27, 2015
5,458
The C2 domain is today dead and that's common for a few days old samples, but personal I still find the lease until next year interesting. It was updated yesterday when I got positive results with for example Hybrid, but not in my VM as powershell never kicked in. Yesterday when I first saw the sample it had a VT score of 3/60. The thing that should make people a bit more vigilant is that now reports on even older samples pops in. The other sample in the wild is from 12th April.

There is some possible workarounds presented in the report from Kevin Beaumont that might be worth testing for general protection. Yes using too old or not updated versions of Office is always a risk. The problem here in this case is that the researchers still is able to present bypasses even with new versions and the attackers is not waiting.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,488
This malware is an example of abusing the "remote template" feature. It can be mitigated by blocking the outbound connections of MS Office applications. Such connections can be probably useful in Enterprises, but they are not necessary at home. This mitigation via firewall rules can be useful for older MS Office versions that were not patched yet.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,488
I wonder if the free options are truly "safe".

Updated? Yes. But safe? :unsure:

(I'm referring to Onlyoffice, WPS office, freeoffice, softmaker, etc)
There is no truly safe application on Windows. Anyway, the attack surface of the free options (alternatives) is much smaller and they are not so popular. So, the chance of infection is minimal. Installing MS Office at home should be avoided, as much as possible. If one must install MS Office, then additional security and caution are very recommendable.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,488

Timeline​

April 12th 2022 — first report to Microsoft MSRC, by leader of Shadowchasing1, an APT hunting group. This document is an in the wild, real world exploit targeting Russia, themed as a Russian job interview.

April 21st 2022 — Microsoft MSRC closed the ticket saying not a security related issue (for the record, msdt executing with macros disabled is an issue):

May ?? 2022 — Microsoft may have tried to fix this or accidentally fixed it in Office 365 Insider channel, without documenting a CVE or writing it down anywhere. The other products remain vulnerable.

May 27th 2022 — Security vendor Nao tweet a document uploaded from Belarus, which is also an in the wild attack.

May 27th 2022 — reported back to MSRC.

May 29th 2022 — I identified this was a zero day publicly as it still works against Office 365 Semi Annual channel, and ‘on prem’ Office versions and EDR products are failing to detect.


Yesterday, Microsoft publicly confirmed (finally) that this is a security vulnerability. Here are the details about CVE:
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,488
Unfortunately, there are several (possibly) vulnerable MS Office handlers:
ms-word://, ms-powerpoint://, ms-excel://, ms-visio://, ms-access://, ms-project://, ms-publisher://, ms-spd://, ms-infopath://

Except for ms-msdt protocol there are other possibilities, like ms-officecmd, etc.:

The MS Office URI schemes can be easily abused. Here is a warning for ms-word (similar warnings are valid for ms-excel, ms-powerpoint, etc.):

A-7. Security Considerations​

On systems that have registered handlers to recognize and act on ms-word URIs, clicking on a link to an ms-word URI will cause the registered word processing application to be launched, with instructions to the word processing application to attempt to open a document at the specified URI. Word processing applications registering to process ms-word URIs should implement protections to guard against opening documents from untrusted remote systems that may include malicious code.


So, if MS Office is installed, one has to guard against opening documents from untrusted remote systems that may include malicious code. In some cases, the malicious document can be downloaded & opened automatically even if the user does not open any document in MS Office. This can happen when using File Explorer with the enabled preview feature and the non-malicious RTF document (containing phishing link) is selected - the non-malicious document is automatically updated to include & execute malicious code from the remote website.
Such attacks are poorly detected by AVs.

Edit.
Defender with enabled ASR rules (“Block all Office applications from creating child processes”) can block this attack.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,488
A joke about MS Office.

You want to buy a good coffeemaker. The salesman in the shop proposes the MS Coffeemaker because it is connected to the Internet and commonly used in businesses, schools, or institutions. Furthermore, it can make 1000 different kinds of coffee, open the doors, take photos, run moonshine, make drugs, and sing lullabies.
Yes, it is great, but you probably need it to make 10 kinds of coffee and sing lullabies - other functions can be dangerous. :)
 
Last edited:

Freki123

Level 16
Verified
Top Poster
Aug 10, 2013
753
As far as I understand it (and I can be totally wrong here) you don't need any office at all to get infected. Just move your cursor over an bad .rtf within windows explorer.
I found the english article in a german website so I link both as a source.

Quote from the huntress source: Note, a Rich Text Format file (.rtf) could trigger the invocation of this exploit with just the Preview Pane within Windows Explorer. Much like CVE-2021-40444, this extends the severity of this threat by not just “single-click” to exploit, but potentially with a “zero-click” trigger.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,488
As far as I understand it you don't need any office at all to get infected. Just move your cursor over an bad .rtf within windows explorer.
I found the english article in a german website so I link both as a source.

Quote from the huntress source: Note, a Rich Text Format file (.rtf) could trigger the invocation of this exploit with just the Preview Pane within Windows Explorer. Much like CVE-2021-40444, this extends the severity of this threat by not just “single-click” to exploit, but potentially with a “zero-click” trigger.

The full exploit requires a "remote template" feature to update the document and execute the malicious code. Normally the preview in File Explorer does not support it, except when MS Office is installed. If another application uses a "remote template" feature in a similar way, then it can be probably exploited, too.

The exploit extends the severity of the thread, like in Threat Advisory: Hackers Are Exploiting CVE-2021-40444, but it is not as dangerous. The CVE-2021-40444 exploited the MSHTML engine that was already a part of Windows.
 
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top