New MS Office Zero Day Evades Defender

Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,129
Trooper said:
Thank you. But for Follina having Powershell in Contrained Language Mode we are safe correct?
Click to expand...

Yes. Follina is completely blocked by CLM because before executing the PowerShell code from the HTML script, the sdiagnhost.exe application executes the PowerShell script: ‘C:\Windows\diagnostics\system\PCW\RS_ProgramCompatibilityWizard.ps1
which is blocked by CLM.
So, even the PowerShell code in the HTML script would not use advanced functions, the attack will fail.

wat0114 said:
This PS CL Mode Bypass, posted in "another forum" looks interesting:

github.com

GitHub - calebstewart/bypass-clm: PowerShell Constrained Language Mode Bypass

PowerShell Constrained Language Mode Bypass. Contribute to calebstewart/bypass-clm development by creating an account on GitHub.
github.com github.com

I'm assuming, hopefully correctly, that selecting InstallUtil.exe under SRP Blocked sponsors would stop this.
Click to expand...

The bypass is useful when the attacker first executes the loader bypass-clm.exe which is a kind of fake PowerShell, and next from this fake PowerShell executes attacking tools written for PowerShell.
But, this will not work with Follina exploit. Simply, the ms-msdt will not use bypass-clm.exe.
 
  • Like
Reactions: harlan4096, Trooper and wat0114
wat0114

wat0114

Level 12
Verified
Top Poster
Well-known
Apr 5, 2021
570
Andy Ful said:
The bypass is useful when the attacker first executes the loader bypass-clm.exe which is a kind of fake PowerShell, and next from this fake PowerShell executes attacking tools written for PowerShell.
But, this will not work with Follina exploit. Simply, the ms-msdt will not use bypass-clm.exe.
Click to expand...

Thank you. How could this particular Bypass be mitigated, at least by a home user? Sorry, I just can't picture the exploit chain from beginning to end :(
 
  • Like
Reactions: Trooper
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,129
wat0114 said:
Thank you. How could this particular Bypass be mitigated, at least by a home user? Sorry, I just can't picture the exploit chain from beginning to end :(
Click to expand...
https://malwaretips.com/threads/simple-windows-hardening.102265/post-992545

There are two simple mitigations. Each one can block Follina.
  1. Untick in Word the option "Update automatic links at open" and do not use the Explorer preview feature.
  2. Use the Windows Policy that blocks executing PowerShell scripts.
The first option can also prevent many other threats that use the remote template feature of MS Office via embedded links.
 
Last edited:
  • +Reputation
  • Like
Reactions: harlan4096, Trooper and wat0114
wat0114

wat0114

Level 12
Verified
Top Poster
Well-known
Apr 5, 2021
570
@Andy Ful

thank you again for setting the record straight. I didn't know you posted in the SWH thread within the hour. Very nice (y)

I disabled "Update automatic links at open" in both Word and Excel :)
 
  • Like
Reactions: Andy Ful and Trooper
wat0114

wat0114

Level 12
Verified
Top Poster
Well-known
Apr 5, 2021
570
An interesting Follina exploit used to push Qakbot malware:

isc.sans.edu

InfoSec Handlers Diary Blog - SANS Internet Storm Center

TA570 Qakbot (Qbot) tries CVE-2022-30190 (Follina) exploit (ms-msdt), Author: Brad Duncan
isc.sans.edu isc.sans.edu

The shortcut uses Rundll32.exe to run the hidden dll file for Qakbot. I guess the dll file would not be hidden from view if the File explorer option to display hidden files is enabled?
 
  • Like
Reactions: Trooper and Andy Ful
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,129
wat0114 said:
An interesting Follina exploit used to push Qakbot malware:

isc.sans.edu

InfoSec Handlers Diary Blog - SANS Internet Storm Center

TA570 Qakbot (Qbot) tries CVE-2022-30190 (Follina) exploit (ms-msdt), Author: Brad Duncan
isc.sans.edu isc.sans.edu

The shortcut uses Rundll32.exe to run the hidden dll file for Qakbot. I guess the dll file would not be hidden from view if the File explorer option to display hidden files is enabled?
Click to expand...
Yes for hidden attribute and No for system attribute. You can view the files with system attributes as follows:

1654984710247.png


This will display the "Folder options".
  • Select the View tab. In Advanced settings,
  • select Show hidden files, folders, and drives.
  • Select Ok.
 
Last edited:
  • Like
Reactions: plat, Trooper, harlan4096 and 1 other person
wat0114

wat0114

Level 12
Verified
Top Poster
Well-known
Apr 5, 2021
570
Andy Ful said:
Yes for hidden attribute and No for system attribute. You can view the files with system attributes as follows:

...............

This will display the "Folder options".
  • Select the View tab. In Advanced settings,
  • select Show hidden files, folders, and drives.
  • Select Ok.
Click to expand...

Yup, always one of the first things I do after installing Windows, as well as unchecking both "Hide extensions for known file types" and "Hide protected operating system files" .
 
  • Like
  • Applause
Reactions: plat, Trooper and Andy Ful
Gandalf_The_Grey

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,593
Microsoft patches actively exploited Follina Windows zero-day
Microsoft has released security updates with the June 2022 cumulative Windows Updates to address a critical Windows zero-day vulnerability known as Follina and actively exploited in ongoing attacks.

"Microsoft strongly recommends that customers install the updates to be fully protected from the vulnerability. Customers whose systems are configured to receive automatic updates do not need to take any further action," Microsoft said in an update to the original advisory.

"Microsoft recommends installing the updates as soon as possible," the company further urged customers in a post on the Microsoft Security Response Center.

Tracked as CVE-2022-3019, the security flaw is described by Redmond as a Microsoft Windows Support Diagnostic Tool (MSDT) remote code execution bug that affects all Windows versions still receiving security updates (i.e., Windows 7+ and Server 2008+).

Attackers who successfully exploit this zero-day can execute arbitrary code with the privileges of the calling app to install programs, view, change, or delete data, and even create new Windows accounts as allowed by the compromised user's rights.

As security researcher nao_sec found, Follina exploits allow threat actors to execute malicious PowerShell commands via MSDT in what Redmond describes as Arbitrary Code Execution (ACE) attacks when opening or previewing Word documents.

While applying today's updates does not prevent Microsoft Office from automatically loading Windows protocol URI handlers without user interaction, it blocks PowerShell injection and disables this attack vector.
Click to expand...
www.bleepingcomputer.com

Microsoft patches actively exploited Follina Windows zero-day

Microsoft has released security updates with the June 2022 cumulative Windows Updates to address a critical Windows zero-day vulnerability known as Follina and actively exploited in ongoing attacks.
www.bleepingcomputer.com www.bleepingcomputer.com
 
  • Like
  • Thanks
  • Applause
Reactions: plat, wat0114, SeriousHoax and 4 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,129
The tweet is a warning for administrators in Enterprises who sometimes use this policy - such policies are known to weaken the system protection, so they must be used with caution. Although I've seen somewhere (not on MT) a suggestion that it is a patch bypass, in fact, it is not exactly the bypass. It is rather a suggestion that restrictions of the Microsoft diagnostic functions can be sometimes troublesome, so administrators could set a policy to avoid this. The cons are that Follina exploits (and probably some others) will work with this policy enabled, so the possible exploits has to be mitigated in another way. Furthermore, this policy can be applied temporarily when some advanced diagnostic is necessary.

In the attacks on most computers, the Follina exploit is used with standard privileges and changing this policy requires high privileges. When the malware has got high privileges, then Follina exploit is not needed - the attacker has already gained much more.

Post edited
 
Last edited:
  • Like
Reactions: Trooper, blackice, plat and 3 others
You must log in or register to reply here.

Similar threads

Gandalf_The_Grey
    • Like
    • +Reputation
Microsoft: Unpatched Office zero-day exploited in NATO summit attacks
Replies
0
Views
1,054
News Archive
Gandalf_The_Grey
Gandalf_The_Grey
silversurfer
    • Like
    • +Reputation
Cybercriminals Exploit Microsoft Word Vulnerabilities to Deploy LokiBot Malware
Replies
0
Views
727
News Archive
silversurfer
silversurfer
Bot
    • Like
    • +Reputation
Security News New Phishing Attack Uses Clever Microsoft Office Trick to Deploy NetSupport RAT
Replies
0
Views
885
Security News
Bot
Bot

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top