According to reports, the malware loads itself from remote servers and evades Microsoft’s Defender AV scanner.
UPDATE
A zero-day flaw in Microsoft Office enables adversaries to execute malicious code on targeted systems by exploiting a flaw in the remote Word template feature.
Japanese security vendor Nao Sec tweeted a warning about the zero-day vulnerability over the weekend.
The vulnerability was dubbed “Follina” by renowned security researcher Kevin Beaumont, who explained that the zero-day sample references 0438, the telephone area code of Follina, Italy.
The flaw, according to Beaumont, exploits the remote template feature in Microsoft Word and does not rely on a typical macro-based exploit path, which is common in Office-based attacks. According to Nao Sec, a live instance of the bug was discovered in a Word document template and is linked to an Internet Protocol (IP) address in Belarus.
It is unknown whether adversaries have actively exploited the zero-day flaw. Existing proof-of-concept code demonstrates that Office versions ranging from 2003 to the current release are vulnerable to attack. In the absence of a patch, security researchers say users can mitigate the risk by implementing Microsoft Attack Surface Reduction measures.
How Follina is exploited
Researchers at Nao Sec explain that, on the path to infection, the malicious template retrieves an HTML file from a remote server, and that HTML file in turn delivers the exploit.
Interesting maldoc was submitted from Belarus. It uses Word's external link to load the HTML and then uses the "ms-msdt" scheme to execute PowerShell code. https://t.co/hTdAfHOUx3
— nao_sec (@nao_sec) May 27, 2022
The loaded HTML uses the “ms-msdt” URI scheme, handled by the Microsoft Support Diagnostic Tool, to load and execute a snippet of PowerShell code.
According to Nao Sec, “it uses Word’s external link to load HTML and the ‘ms-msdt’ scheme to execute PowerShell code.”
Microsoft Support Diagnostic Tool (MSDT) collects information and sends reports to Microsoft Support. This troubleshooting wizard will analyze the gathered information and attempt to locate a solution to the user’s problems.
Beaumont discovered that the vulnerability allows code to execute via MSDT “even if macros are disabled.”
“Protected View does activate; however, if you convert the document to RTF format, it runs without even opening the document (via the preview tab in Explorer), let alone Protected View,” Beaumont elaborated.
Beaumont confirmed that the exploit works against the older Microsoft Office 2013 and 2016 versions and that endpoint detection “missed execution” of the malware. According to additional research, the vulnerability affects even the most recent version of Microsoft Office.
Didier Stevens, another security researcher, stated that he exploited the Follina vulnerability in a fully patched version of Microsoft Office 2021, and John Hammond, a cybersecurity researcher, tweeted a working demonstration of Follina.
Microsoft customers with E5 licenses can detect the exploit by adding the endpoint query to Defender. In addition, Warren recommends employing Attack Surface Reduction (ASR) rules to prevent Office applications from spawning child processes.
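The ASR mitigation recommended above, as an added PowerShell example that is not part of the original article or of any researcher's published tooling. It assumes an elevated session on a host running Microsoft Defender Antivirus with its PowerShell module, and uses the documented GUID of the rule “Block all Office applications from creating child processes”, which stops Word from launching msdt.exe through the “ms-msdt” handler.

```powershell
# Added example (not from the article): enable the ASR rule that blocks Office
# applications from spawning child processes, then verify it and review hits.
# Requires an elevated PowerShell session with the Defender module
# (Add-MpPreference / Get-MpPreference) available.

# Documented GUID of "Block all Office applications from creating child processes".
$OfficeChildProcRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

# Start in audit mode so legitimate Office child processes surface in the event
# log before anything is blocked; change to 'Enabled' once the audit is reviewed.
$Mode = 'AuditMode'

Add-MpPreference -AttackSurfaceReductionRules_Ids $OfficeChildProcRule `
                 -AttackSurfaceReductionRules_Actions $Mode

# Verify: Get-MpPreference returns parallel arrays of rule IDs and actions
# (0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn). IDs may be stored in either
# case, so compare case-insensitively.
$pref  = Get-MpPreference
$index = -1
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    if ($pref.AttackSurfaceReductionRules_Ids[$i] -ieq $OfficeChildProcRule) { $index = $i }
}
if ($index -ge 0) {
    "Rule $OfficeChildProcRule action = $($pref.AttackSurfaceReductionRules_Actions[$index])"
} else {
    "Rule $OfficeChildProcRule is not configured"
}

# Review what the rule stopped or would have stopped: Defender records ASR hits
# as event 1121 (blocked) and 1122 (audited) in its Operational log. The rule
# GUID appears in the event message, so filter on it to isolate this rule.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $OfficeChildProcRule } |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

An audited 1122 event whose message names winword.exe as the parent and msdt.exe as the child is the pattern this article describes; once such events come only from untrusted documents, switch $Mode to 'Enabled'.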