- Content source
- https://apple.news/A3i78-YekSDSnt0xAQ8ioeQ
New MS Office zero day evades Defender — iTnews
'Follina exploit' loads malware from remote servers
apple.news
New MS Office Zero Day Evades Defender
- Thread starter MuzzMelbourne
- Start date
apple.news
Tested yesterday, but got a slight different result so I'll do another run today.
Thanks for sharing this.
It is blocked by OSArmor (basic protection profile):
It is blocked by OSArmor (basic protection profile):
Blocked if PowerShell works in the Constrained Language Mode. The malware uses the method [System.Convert]::FromBase64String to decode malware, which is not allowed in this mode.
So, Windows built-in protection based on SRP, Applocker, or MDAC can prevent this malware.
So, Windows built-in protection based on SRP, Applocker, or MDAC can prevent this malware.
People should stop using older versions of Office, there is enough free, regularly updated ,safer options exists.
The C2 domain is today dead and that's common for a few days old samples, but personal I still find the lease until next year interesting. It was updated yesterday when I got positive results with for example Hybrid, but not in my VM as powershell never kicked in. Yesterday when I first saw the sample it had a VT score of 3/60. The thing that should make people a bit more vigilant is that now reports on even older samples pops in. The other sample in the wild is from 12th April.
There is some possible workarounds presented in the report from Kevin Beaumont that might be worth testing for general protection. Yes using too old or not updated versions of Office is always a risk. The problem here in this case is that the researchers still is able to present bypasses even with new versions and the attackers is not waiting.
There is some possible workarounds presented in the report from Kevin Beaumont that might be worth testing for general protection. Yes using too old or not updated versions of Office is always a risk. The problem here in this case is that the researchers still is able to present bypasses even with new versions and the attackers is not waiting.
This malware is an example of abusing the "remote template" feature. It can be mitigated by blocking the outbound connections of MS Office applications. Such connections can be probably useful in Enterprises, but they are not necessary at home. This mitigation via firewall rules can be useful for older MS Office versions that were not patched yet.
I wonder if the free options are truly "safe".
Updated? Yes. But safe?
(I'm referring to Onlyoffice, WPS office, freeoffice, softmaker, etc)
There is no truly safe application on Windows. Anyway, the attack surface of the free options (alternatives) is much smaller and they are not so popular. So, the chance of infection is minimal. Installing MS Office at home should be avoided, as much as possible. If one must install MS Office, then additional security and caution are very recommendable.I wonder if the free options are truly "safe".
Updated? Yes. But safe?
(I'm referring to Onlyoffice, WPS office, freeoffice, softmaker, etc)
L
Local Host
They right, this malware won't work on a patched system with default settings, "bypasses Defender", it doesn't even reach Defender to be stopped.
Is the usual malware that targets outdated and poorly configured systems, is not Microsoft problem.
Timeline
April 12th 2022 — first report to Microsoft MSRC, by leader of Shadowchasing1, an APT hunting group. This document is an in the wild, real world exploit targeting Russia, themed as a Russian job interview.
April 21st 2022 — Microsoft MSRC closed the ticket saying not a security related issue (for the record, msdt executing with macros disabled is an issue):
May ?? 2022 — Microsoft may have tried to fix this or accidentally fixed it in Office 365 Insider channel, without documenting a CVE or writing it down anywhere. The other products remain vulnerable.
May 27th 2022 — Security vendor Nao tweet a document uploaded from Belarus, which is also an in the wild attack.
May 27th 2022 — reported back to MSRC.
May 29th 2022 — I identified this was a zero day publicly as it still works against Office 365 Semi Annual channel, and ‘on prem’ Office versions and EDR products are failing to detect.
Follina — a Microsoft Office code execution vulnerability
Two days ago, Nao_sec identified an odd looking Word document in the wild, uploaded from an IP address in Belarus:doublepulsar.com
Yesterday, Microsoft publicly confirmed (finally) that this is a security vulnerability. Here are the details about CVE:
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
Last edited:
Unfortunately, there are several (possibly) vulnerable MS Office handlers:
ms-word://, ms-powerpoint://, ms-excel://, ms-visio://, ms-access://, ms-project://, ms-publisher://, ms-spd://, ms-infopath://
Except for ms-msdt protocol there are other possibilities, like ms-officecmd, etc.:
blog.0patch.com
The MS Office URI schemes can be easily abused. Here is a warning for ms-word (similar warnings are valid for ms-excel, ms-powerpoint, etc.):
So, if MS Office is installed, one has to guard against opening documents from untrusted remote systems that may include malicious code. In some cases, the malicious document can be downloaded & opened automatically even if the user does not open any document in MS Office. This can happen when using File Explorer with the enabled preview feature and the non-malicious RTF document (containing phishing link) is selected - the non-malicious document is automatically updated to include & execute malicious code from the remote website.
Such attacks are poorly detected by AVs.
Edit.
Defender with enabled ASR rules (“Block all Office applications from creating child processes”) can block this attack.
ms-word://, ms-powerpoint://, ms-excel://, ms-visio://, ms-access://, ms-project://, ms-publisher://, ms-spd://, ms-infopath://
Except for ms-msdt protocol there are other possibilities, like ms-officecmd, etc.:
Micropatching "ms-officecmd" Remote Code Execution (CVE-2021-43905)
by Mitja Kolsek, the 0patch Team Update 1/5/2022: Microsoft changed their mind and issued a CVE ID for this vulnerability: CVE-2021-4390...
The MS Office URI schemes can be easily abused. Here is a warning for ms-word (similar warnings are valid for ms-excel, ms-powerpoint, etc.):
A-7. Security Considerations
On systems that have registered handlers to recognize and act on ms-word URIs, clicking on a link to an ms-word URI will cause the registered word processing application to be launched, with instructions to the word processing application to attempt to open a document at the specified URI. Word processing applications registering to process ms-word URIs should implement protections to guard against opening documents from untrusted remote systems that may include malicious code.
So, if MS Office is installed, one has to guard against opening documents from untrusted remote systems that may include malicious code. In some cases, the malicious document can be downloaded & opened automatically even if the user does not open any document in MS Office. This can happen when using File Explorer with the enabled preview feature and the non-malicious RTF document (containing phishing link) is selected - the non-malicious document is automatically updated to include & execute malicious code from the remote website.
Such attacks are poorly detected by AVs.
Edit.
Defender with enabled ASR rules (“Block all Office applications from creating child processes”) can block this attack.
Last edited:
A joke about MS Office.
You want to buy a good coffeemaker. The salesman in the shop proposes the MS Coffeemaker because it is connected to the Internet and commonly used in businesses, schools, or institutions. Furthermore, it can make 1000 different kinds of coffee, open the doors, take photos, run moonshine, make drugs, and sing lullabies.
Yes, it is great, but you probably need it to make 10 kinds of coffee and sing lullabies - other functions can be dangerous.
You want to buy a good coffeemaker. The salesman in the shop proposes the MS Coffeemaker because it is connected to the Internet and commonly used in businesses, schools, or institutions. Furthermore, it can make 1000 different kinds of coffee, open the doors, take photos, run moonshine, make drugs, and sing lullabies.
Yes, it is great, but you probably need it to make 10 kinds of coffee and sing lullabies - other functions can be dangerous.
Last edited:
As far as I understand it (and I can be totally wrong here) you don't need any office at all to get infected. Just move your cursor over an bad .rtf within windows explorer.
I found the english article in a german website so I link both as a source.
www.huntress.com
Quote from the huntress source: Note, a Rich Text Format file (.rtf) could trigger the invocation of this exploit with just the Preview Pane within Windows Explorer. Much like CVE-2021-40444, this extends the severity of this threat by not just “single-click” to exploit, but potentially with a “zero-click” trigger.
I found the english article in a german website so I link both as a source.
Rapid Response: Microsoft Office RCE - “Follina” MSDT Attack | Huntress
A new attack vector enables hackers to more easily compromise users with malicious Microsoft Office documents.
www.huntress.com
Quote from the huntress source: Note, a Rich Text Format file (.rtf) could trigger the invocation of this exploit with just the Preview Pane within Windows Explorer. Much like CVE-2021-40444, this extends the severity of this threat by not just “single-click” to exploit, but potentially with a “zero-click” trigger.
Last edited:
As far as I understand it you don't need any office at all to get infected. Just move your cursor over an bad .rtf within windows explorer.
I found the english article in a german website so I link both as a source.
Rapid Response: Microsoft Office RCE - “Follina” MSDT Attack | Huntress
A new attack vector enables hackers to more easily compromise users with malicious Microsoft Office documents.
Quote from the huntress source: Note, a Rich Text Format file (.rtf) could trigger the invocation of this exploit with just the Preview Pane within Windows Explorer. Much like CVE-2021-40444, this extends the severity of this threat by not just “single-click” to exploit, but potentially with a “zero-click” trigger.
The full exploit requires a "remote template" feature to update the document and execute the malicious code. Normally the preview in File Explorer does not support it, except when MS Office is installed. If another application uses a "remote template" feature in a similar way, then it can be probably exploited, too.
The exploit extends the severity of the thread, like in Threat Advisory: Hackers Are Exploiting CVE-2021-40444, but it is not as dangerous. The CVE-2021-40444 exploited the MSHTML engine that was already a part of Windows.
Last edited:
You may also like...
-
Microsoft patches actively exploited Office zero-day vulnerability- Started by Parkinsond
- Replies: 0
-
New Multi-Stage Windows Malware Disables Microsoft Defender Before Dropping Malicious Payloads- Started by Brownie2019
- Replies: 6
-
Hackers Weaponize SVG Files and Office Documents to Target Windows Users
- Started by Brownie2019
- Replies: 2
-
Threat Actors Leverage SharePoint Services in Sophisticated AiTM Phishing Campaign
- Started by Brownie2019
- Replies: 2
-
Cloud Atlas Exploits Office Vulnerabilities to Execute Malicious Code
- Started by Brownie2019
- Replies: 1