New MS Office Zero Day Evades Defender

plat

Level 29
Top Poster
Sep 13, 2018
1,793

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
So would blocking MSDT.EXE in user space work for this special Follina?

Yes. If you add it to UserSpace it will be blocked in AppGuard (you use it if I correctly remember). But this will not solve the problem. This exploit will be closed soon, but the Office URI schemes will be still vulnerable to similar attacks without using MSDT.
 
F

ForgottenSeer 69673

Yes. If you add it to UserSpace it will be blocked in AppGuard (you use it if I correctly remember). But this will not solve the problem. This exploit will be closed soon, but the Office URI schemes will be still vulnerable to similar attacks without using MSDT.
Thanks Andy, yes you remembered, along with Shadow Defender and Macrium inside Sandboxie Plus, and I suppose that doesn't even include the Unofficial but common URI schemes.

 

Brahman

Level 18
Verified
Top Poster
Well-known
Aug 22, 2013
892


At the 18th minute of the video, Defender picks up the payload. So is it over?
 
  • Like
Reactions: Sorrento

n8chavez

Level 20
Well-known
Feb 26, 2021
972


At the 18th minute of the video, Defender picks up the payload. So is it over?


No, because as they said in the video, this wasn't the real "detonator" file. This was just a test. Defender only detected the test. Could it detect the real thing? Maybe. Maybe not.
 
  • Like
Reactions: Brahman

Nikos751

Level 20
Verified
Malware Tester
Feb 1, 2013
971
Any non-trouble-causing way to avoid infection via this exploit? For example, configuring Defender's high settings, or any other solution that does not require investing time and sacrificing usability? OSArmor, for example, messes up my development IDE (IntelliJ).
 
Last edited:
  • Wow
Reactions: Sorrento

Brahman

Level 18
Verified
Top Poster
Well-known
Aug 22, 2013
892
Any non-trouble-causing way to avoid infection via this exploit? For example, configuring Defender's high settings, or any other solution that does not require investing time and sacrificing usability? OSArmor, for example, messes up my development IDE (IntelliJ).
There is a workaround. Use the commands below in an elevated command prompt to disable msdt altogether.
Command to backup the registry key to C: drive:
reg export HKEY_CLASSES_ROOT\ms-msdt C:\msdt_regkey_backup.reg

• The Workaround Command:
reg delete HKEY_CLASSES_ROOT\ms-msdt /f
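The two reg.exe commands above, wrapped as an added example (not from the thread or from Microsoft's guidance) that refuses to delete the key until a backup exists and adds the matching restore step for when a patch lands. The function names and the check-before-act logic are this example's own; the backup path is the one used above. Run from an elevated PowerShell session.

```powershell
# Added example: backup -> remove -> (later) restore of the ms-msdt URI handler.
# Same key and backup file as Brahman's commands; function names are this example's own.
$MsdtKey    = 'HKEY_CLASSES_ROOT\ms-msdt'
$BackupFile = 'C:\msdt_regkey_backup.reg'

function Backup-MsdtHandler {
    # reg.exe export exits non-zero if the key is missing, so check first.
    if (-not (Test-Path "Registry::$MsdtKey")) {
        Write-Host 'ms-msdt handler is already absent; nothing to back up.'
        return $false
    }
    & reg.exe export $MsdtKey $BackupFile /y | Out-Null   # /y overwrites an old backup
    if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }
    Write-Host "Backed up $MsdtKey to $BackupFile"
    return $true
}

function Disable-MsdtHandler {
    # Never delete without a backup on disk; the key must come back once MS patches this.
    if (-not (Test-Path $BackupFile)) { throw "No backup at $BackupFile; run Backup-MsdtHandler first." }
    & reg.exe delete $MsdtKey /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg delete failed with exit code $LASTEXITCODE" }
    Write-Host "Removed $MsdtKey; ms-msdt: URIs no longer hand off to msdt.exe"
}

function Restore-MsdtHandler {
    # Undo step: re-import the exported .reg file.
    if (-not (Test-Path $BackupFile)) { throw "No backup at $BackupFile to restore." }
    & reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg import failed with exit code $LASTEXITCODE" }
    Write-Host "Restored $MsdtKey from $BackupFile"
}

function Test-MsdtHandlerDisabled {
    # $true when the protocol handler key is gone, i.e. the workaround is in effect.
    return -not (Test-Path "Registry::$MsdtKey")
}

# Apply the workaround; keep the .reg file until the fix ships, then call Restore-MsdtHandler.
if (Backup-MsdtHandler) { Disable-MsdtHandler }
"Workaround active: $(Test-MsdtHandlerDisabled)"
```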
 

upnorth

Level 68
Verified
Top Poster
Malware Hunter
Well-known
Jul 27, 2015
5,458
Security firm Kaspersky, meanwhile, has also tracked an uptick in Follina exploits, with most hitting the US, followed by Brazil, Mexico, and Russia. "We expect to see more Follina exploitation attempts to gain access to corporate resources, including for ransomware attacks and data breaches," the Kaspersky researchers wrote.
One reason for the keen interest is that Follina doesn't require the same level of victim interaction that typical malicious document attacks do. Normally, these attacks need the target to open the document and enable the use of macros. Follina, by contrast, doesn't require the target to open the document, and there's no macro to allow. The simple act of the document appearing in the preview window, even while protected view is turned on, is enough to execute malicious scripts.
 

wat0114

Level 13
Verified
Top Poster
Well-known
Apr 5, 2021
621
So far, from what I can gather, for mitigating this threat:
  1. Block PowerShell or run it in Constrained Language mode
  2. Block outbound connections of Microsoft Office apps
  3. ASR: Block Office applications from creating child processes
  4. In special cases, for those who run OSArmor, the default rules should block the threat
  5. Probably other HIPS or similar utilities such as AppGuard, SpyShelter, Comodo, etc.
Are these measures still applicable, especially the first three, because they utilize built-in Defender? Other than the workaround(s) suggested by Microsoft, are there other measures that will work?
 

Trooper

Level 17
Verified
Top Poster
Well-known
Aug 28, 2015
801
So far, from what I can gather, for mitigating this threat:
  1. Block PowerShell or run it in Constrained Language mode
  2. Block outbound connections of Microsoft Office apps
  3. ASR: Block Office applications from creating child processes
  4. In special cases, for those who run OSArmor, the default rules should block the threat
  5. Probably other HIPS or similar utilities such as AppGuard, SpyShelter, Comodo, etc.
Are these measures still applicable, especially the first three, because they utilize built-in Defender? Other than the workaround(s) suggested by Microsoft, are there other measures that will work?

Microsoft says to delete the registry key posted above. I am still looking for further information. At work, I used a PowerShell script to rename the key and will undo it if/when MS patches this. I think 0patch also added remediation for this threat, even in the free version.
 

wat0114

Level 13
Verified
Top Poster
Well-known
Apr 5, 2021
621
Microsoft says to delete the registry key posted above. I am still looking for further information. At work, I used a PowerShell script to rename the key and will undo it if/when MS patches this. I think 0patch also added remediation for this threat, even in the free version.
Yeah, I saw that mitigation earlier. I'm actually most interested in what Defender can do, especially when harnessed through the H_C, SWH and CF tools. I'm hoping that a detailed analysis, replete with a nice diagram similar to the type that Andy Ful is so good at finding on the Internet, will be available soon :)

There is some speculative commentary on another forum, I think you know which one I mean :D , that seems to imply some of the above measures I listed won't work against Follina, so I am just looking (hoping) for some expert feedback on whether or not there's substance to it. As a member in that forum's thread states, all the different information flying around the Internet on this exploit is indeed confusing to some, myself included.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
So far, from what I can gather, for mitigating this threat:
  1. Block PowerShell or run it in Constrained Language mode
  2. Block outbound connections of Microsoft Office apps
  3. ASR: Block Office applications from creating child processes
  4. In special cases, for those who run OSArmor, the default rules should block the threat
  5. Probably other HIPS or similar utilities such as AppGuard, SpyShelter, Comodo, etc.
Are these measures still applicable, especially the first three, because they utilize built-in Defender? Other than the workaround(s) suggested by Microsoft, are there other measures that will work?
  1. Do not install MS Office.
  2. Remove the file type association for ms-msdt (can be done in Windows Registry HKCR:\ms-msdt ).
  3. Block msdt.exe via SRP, Applocker, or MDAC.
  4. Block msdt.exe via Image File Execution Options.
  5. Block msdt.exe via Exploit Protection.
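An added audit script (not from the thread, not part of Hard_Configurator) that reads back which of the registry-based mitigations in Andy Ful's list (items 2, 4 and 5) and the ASR rule from wat0114's list (item 3) are actually in place on a machine. Function names and output labels are this example's own; it assumes per-process Exploit Protection settings live as a MitigationOptions value under the msdt.exe IFEO key, and it uses the published GUID of the "Block all Office applications from creating child processes" ASR rule.

```powershell
# Added example: report the state of the msdt.exe mitigations discussed in this thread.
$IfeoKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msdt.exe'
# Defender ASR rule "Block all Office applications from creating child processes".
$AsrOfficeChildGuid = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

function Get-MsdtMitigationState {
    $state = [ordered]@{}

    # Item 2: the ms-msdt: protocol handler. While present, Office can hand a URI to msdt.exe.
    $state['ms-msdt handler removed'] = -not (Test-Path 'Registry::HKEY_CLASSES_ROOT\ms-msdt')

    # Item 4: IFEO. A Debugger value redirects every msdt.exe launch to that program instead.
    $ifeo = Get-ItemProperty -Path $IfeoKey -ErrorAction SilentlyContinue
    $state['IFEO debugger set for msdt.exe'] = [bool]$ifeo.Debugger
    if ($ifeo.Debugger) { $state['IFEO debugger value'] = $ifeo.Debugger }

    # Item 5: Exploit Protection per-process settings (assumed stored as MitigationOptions
    # under the same IFEO key); only reports whether any are configured.
    $state['Exploit Protection settings for msdt.exe'] = $null -ne $ifeo.MitigationOptions

    # wat0114's item 3: ASR rule that stops WINWORD.EXE etc. spawning children such as msdt.exe.
    # Defender action codes: 0 = off, 1 = block, 2 = audit, 6 = warn.
    $action = 'not configured'
    $pref = Get-MpPreference -ErrorAction SilentlyContinue
    if ($pref -and $pref.AttackSurfaceReductionRules_Ids) {
        for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
            if ($pref.AttackSurfaceReductionRules_Ids[$i] -ieq $AsrOfficeChildGuid) {
                $action = switch ($pref.AttackSurfaceReductionRules_Actions[$i]) {
                    1 { 'block' } 2 { 'audit' } 6 { 'warn' } default { 'off' }
                }
            }
        }
    }
    $state['ASR Office child-process rule'] = $action

    return [pscustomobject]$state
}

Get-MsdtMitigationState | Format-List
```

Items 1 and 3 of Andy Ful's list (no Office installed; SRP/AppLocker/WDAC rules) are not covered here because they are not visible from these registry locations.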
 

wat0114

Level 13
Verified
Top Poster
Well-known
Apr 5, 2021
621
  1. Do not install MS Office.
  2. Remove the file type association for ms-msdt (can be done in Windows Registry HKCR:\ms-msdt ).
  3. Block msdt.exe via SRP, Applocker, or MDAC.
  4. Block msdt.exe via Image File Execution Options.
  5. Block msdt.exe via Exploit Protection.

Wow! Your response is not really what I expected :oops: although I had recognized a while back that you are strongly opposed to MS Office suite :D So are you implying that the measures I asked about will not work, or are these suggestions of yours additional mitigative measures?

EDIT

I utilized step 3 via SRP in H_C. Thanks :)
 

Trooper

Level 17
Verified
Top Poster
Well-known
Aug 28, 2015
801
Yeah, I saw that mitigation earlier. I'm actually most interested in what Defender can do, especially when harnessed through H_C, SWH and CF tools. I'm hoping that a detailed analysis replete with a nice diagram, similar to the type that Andy Ful is so good at finding on the Internet will be available soon :)

There is some speculative commentary on another forum, I think you know which one I mean :D , that seems to imply some of the above measures I listed won't work against Follina, so I am just looking (hoping) for some expert feedback on whether or not there's substance to it. As a member in that forum's thread states, all the different information flying around the Internet on this exploit is indeed confusing to some, myself included.

Yes I know full well the forum you mean. :)
Looks like @Andy Ful gave you the additional firepower you have been looking for. :)
 

Brahman

Level 18
Verified
Top Poster
Well-known
Aug 22, 2013
892
Wow! Your response is not really what I expected :oops: although I had recognized a while back that you are strongly opposed to MS Office suite :D So are you implying that the measures I asked about will not work, or are these suggestions of yours additional mitigative measures?

EDIT

I utilized step 3 via SRP in H_C. Thanks :)
That's a wise decision. You can't use Windows without having an SRP these days. Thank God that we have H_C, Comodo (Cs version settings), VOODOOSHIELD, OSA etc. These days I only use Windows for gaming and printing documents (I still can't make my Canon E510 printer work on my Ubuntu 22.04 installation); for everything else I use Linux.
 
