CVE-2022-30190 (aka Follina) is a 0-day vulnerability that was disclosed on Twitter last May 27th by the nao_sec Cyber Security Research Team. According to their announcement, the vulnerability was found in a sample that had (at the time) recently been uploaded to VirusTotal from Belarus, which suggested it was being actively exploited.
This vulnerability in the Microsoft Support Diagnostic Tool (MSDT) can enable remote code execution (RCE) when MSDT is invoked using the URL protocol from a calling application such as Microsoft Word. Combined with the remote template feature in Microsoft Word, it allows an attacker to link a document to a template containing arbitrary code to execute. The vulnerability attracted a lot of attention within the security industry, with several active Follina attacks detected shortly after details became available.
This post provides a high-level overview of all observed attacks, with a focus on the ones that took place before the 0-day was publicly disclosed, and practical recommendations on how to monitor and hunt for Follina samples with VirusTotal.
Initial case walkthrough
The initially reported sample was this malformed Microsoft Word document. From either the Relations or Behaviour tabs it is possible to spot the request for the remote template:
Since docx files are basically ZIP files, we can try to find the specific file inside the docx that made the request in the “Bundled Files” section within the Relations tab. Here “word/_rels/document.xml.rels” looks especially interesting, detected as suspicious by a high number of AVs. The Content tab for this XML file shows, among other things, the URL of the remote template.
We want to check if other files were also using this malicious template. For this, we can navigate to the URL entity and explore inside Relations/Communicating or Relations/Referrer files. We can also check if anything else was downloaded from this suspicious URL under Relations/Downloaded files or, alternatively, using Details/Body SHA-256 (which should work well for URLs returning a single file). The downloaded file is the remote template fetched by the malicious document we are analyzing.
The remote template content shows what appears to be a Base64-encoded payload. After decoding, we get the malicious PowerShell script executed by the sample:
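The walkthrough above as an added Python example (not code from the original post): it opens a .docx as a ZIP, lists the external relationships in word/_rels/document.xml.rels, flags remote templates whose name ends in “html!” or “htm!” (the trait the hunting section relies on), and checks a fetched template for the ms-msdt:/location.href pair while decoding any Base64 blob it carries. The docx, the template and the decoded payload are all constructed inside the block, and the host template.invalid is a placeholder.

```python
import base64
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_PATH = "word/_rels/document.xml.rels"
PKG_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"

def external_relationships(docx_bytes):
    """A .docx is a ZIP; list (type, target) of relationships marked TargetMode="External"."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if RELS_PATH not in zf.namelist():
            return []
        root = ET.fromstring(zf.read(RELS_PATH))
    return [(rel.get("Type", "").rsplit("/", 1)[-1], rel.get("Target", ""))
            for rel in root.iter(PKG_NS + "Relationship")
            if rel.get("TargetMode") == "External"]

def is_suspicious_template(target):
    """Remote template over HTTP(S) whose name ends in 'html!' or 'htm!'."""
    return re.match(r"^https?://.+\.html?!$", target, re.I) is not None

def scan_remote_template(html):
    """Flag the ms-msdt: + location.href pair and decode the first Base64 blob found."""
    hit = "ms-msdt:" in html and "location.href" in html
    decoded = None
    for blob in re.findall(r"[A-Za-z0-9+/]{40,}={0,2}", html):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8")
            break
        except ValueError:  # not valid Base64 / not UTF-8 text, try the next run
            continue
    return hit, decoded

# Constructed sample data (hypothetical; not taken from any real Follina sample).
OD = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
SAMPLE_RELS = (
    f'<Relationships xmlns="{PKG_NS[1:-1]}">'
    f'<Relationship Id="rId1" Type="{OD}styles" Target="styles.xml"/>'
    f'<Relationship Id="rId2" Type="{OD}attachedTemplate" TargetMode="External" '
    'Target="http://template.invalid/tmpl.html!"/></Relationships>')
BENIGN_PAYLOAD = "Write-Output 'constructed sample, no real payload'"

def build_sample_docx():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(RELS_PATH, SAMPLE_RELS)
    return buf.getvalue()

def build_sample_template():
    b64 = base64.b64encode(BENIGN_PAYLOAD.encode()).decode()
    return f'<html><script>window.location.href = "ms-msdt:PLACEHOLDER"; var p = "{b64}";</script></html>'
```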
Hunting for more samples
During this stage, much of the effort goes into filtering out false positives, including PoCs from researchers. To find a starting set of samples, a first approach could be pivoting on crowdsourced YARA rules that detect this exploit:
To find interesting samples, an idea could be using the first submission (fs) modifier to retrieve samples uploaded to VirusTotal before the vulnerability was published:
An alternative way to find a set of samples could be using VT Grep capabilities to search for specific Follina content in bundled XML files:
Please note VT Grep has some limitations in the number of additional modifiers it can be used with.
Document properties (such as author) are an interesting pivoting point for getting all the files created or edited by a certain person. Many PoC developers take the publicly disclosed documents and simply modify the address hosting the malicious remote template. For instance, the following VTI query provides a nice starting point:
We can add extra filters to the previous searches to exclude obvious PoCs, such as certain file names, or add a file type filter to exclude bundled XML files. The example below uses a crowdsourced YARA rule as the starting set of results and applies some of these filter ideas:
Searching for remote templates used by Follina samples has the advantage that we don’t need to rely on the format (docx, RTF, etc) of the first stage document. It can also be useful to discover additional documents using the same template.
The analyzed remote template gives us ideas on what could be the right combination of file properties to search for. Interestingly, in this case the combined output of two different tools (file type identification and the file’s magic bytes) provides a first approach:
The following query will retrieve HTML documents containing PowerShell scripts, which is interesting nevertheless:
This query does not rely on AV verdicts, so it does not risk missing something that goes undetected; however, it produces false positives (samples not related to Follina). Additionally, not all Follina remote templates get indexed as HTML documents. Another approach could use VT Grep for PowerShell scripts including a call to MSDT:
Another variant of this idea omits the PowerShell tag and relies only on file content. The size keyword is used as an additional filter based on the size of the discovered remote templates:
This last approach is quite similar to classic YARA hunting, which we could use in the Livehunt and Retrohunt services. Examples of generic YARA rules are provided at the end of this post.
Our findings
Even though most of the samples available in VirusTotal were already covered by security vendors (like Malwarebytes, Proofpoint etc), we wanted to summarize them all together along with our own findings.
We started by getting all documents containing references to remote HTML templates ending with exclamation marks (“html!” or “htm!”) and then divided them into two groups: submitted before and submitted after the public vulnerability disclosure.
We only found 10 samples submitted to VirusTotal before May 28th. At least a few of them (below) look like PoCs created before the public disclosure and the first observed in-the-wild attack, which is interesting:
Follina exploit implementations share similarities with CVE-2021-40444 (RCE in Microsoft MSHTML), using a similar approach to fetch a remote template from an XML Relationship file. Follina’s payloads are located in the remote template, making it necessary to analyze the remote payload for full visibility of the attack.
Some evidence, including pDNS history and public email addresses, seems to indicate that one of the domains hosting a payload might be a compromised legitimate server. A second sample (in the “After the disclosure” set described below) also seems to abuse a compromised domain.
To exclude PoCs from actual attacks, we filtered out samples using obvious names (like “follina.doc”, “poc.docx”, “test”, etc) as well as samples using local, non-existing C2 addresses or previously known C2 addresses (to avoid slightly modified resubmissions).
We found a set of samples reusing a single initially disclosed blank document and replacing the C2 with their own:
In some cases, attackers implemented their own malformed document with specific spear phishing content.
This document mimics an invitation to Doha Expo in Qatar and requests a remote template hosted at files[.]attend-doha-expo[.]com. Its parent domain was registered right after the exploit's public disclosure. However, the subdomain’s pDNS history seems to indicate it was only available between May 30th and June 1st; the domain was probably taken down promptly.
A second document named جدري القردة.docx (“Monkeypox.docx”) was uploaded from Saudi Arabia and looks like a Monkeypox virus warning issued by the Saudi Ministry of Health. It requests a remote template hosted at 212.138.130[.]8, which does not appear to have been available since June 2nd. As in the previous case, it was available for a really short period of time.
Conclusions
Used to weaponize first-stage documents and gain a foothold in the victim’s environment, Follina is an example of a vulnerability well worth monitoring. The retrospective analysis provides insight into how long this vulnerability had been abused before being identified. Continuous monitoring helps identify additional indicators and avoid attacks against our organization but, most importantly, helps us learn how attacks evolve and what kind of malware they are using. Threat intelligence should be actionable.
We provided several ideas on how you can use VirusTotal to hunt for new samples to discover new variations of this attack, which could be reused for any other campaign you would like to monitor in your Threat Hunter journey. As always, we are happy to hear any additional techniques you would like to share with us.
Happy hunting!
IOCs
Please note that, despite our filtering efforts, some PoC or false-positive samples may still be present.
// Generic rule for Follina remote templates: a small HTML file that redirects
// via location.href to an ms-msdt: URL. The rule name below is a placeholder;
// the original header was not present in the source.
rule Follina_remote_template_generic
{
    meta:
        author = "Alexey Firsh"
        date = "2022-06-01"
        hash = "8e986c906d0c6213f80d0224833913fa14bc4c15c047766a62f6329bfc0639bd"
    strings:
        $s1 = "ms-msdt:" fullword ascii
        $s2 = "location.href" fullword ascii
    condition:
        filesize < 100KB
        and all of ($s*)
}