LetsDefend - SOC 173 - Follina 0-Day detected // Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability, CVE-2022-30190
CVE-2022-30190 is a zero-day vulnerability discovered by the Twitter account nao_sec.
The discovered maldoc is named "05-2022-0438.doc"; Kevin Beaumont therefore nicknamed the vulnerability Follina, after a municipality in the province of Treviso (Italy) whose area code is 0438.
Follina is unusual because it does not rely on Office macros; instead, the attacker executes malicious code by invoking MSDT (Microsoft Support Diagnostic Tool) through its URL protocol handler from a calling application (e.g., Word). The Word document contains a remote template that retrieves a malicious HTML file, which allows the attacker to run PowerShell commands on the Windows host.
On LetsDefend.io we can investigate the Follina incident as a SOC analyst. This is all the information we are given to begin the analysis:
We note that the alert trigger reason is the execution of msdt.exe after an Office document was opened. Next we look up the IP/hostname provided to us on the Endpoint Security page.
If we click on CMD History we see that this command has been executed:
On Process History we can read the command, which is encoded in base64:
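As an added example (not part of the LetsDefend lab or of this write-up), the following Python script applies the same two checks an analyst performs on the CMD History and Process History pages to process-creation events: it flags msdt.exe spawned by an Office process or invoked through the ms-msdt: URL handler, and decodes any PowerShell -EncodedCommand payload. The sample events, their paths and the decoded text are constructed for the example.

```python
import base64
import re

OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")  # should never spawn msdt.exe

def _b64_utf16(text):  # -EncodedCommand takes base64 of UTF-16LE text
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")

# Constructed process-creation events; paths and payload are not from the lab.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\msdt.exe",
     "cmdline": "msdt.exe ms-msdt:/id PCWDiagnostic /skip force"},
    {"parent": r"C:\Windows\System32\sdiagnhost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand "
                + _b64_utf16("Write-Output 'constructed sample'")},
    {"parent": r"C:\Windows\explorer.exe",  # benign: user-launched troubleshooter
     "image": r"C:\Windows\System32\msdt.exe",
     "cmdline": "msdt.exe /id AudioPlaybackDiagnostic"},
]

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent/invalid."""
    m = re.search(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def classify_event(event):
    """Return the Follina-style indicators found in one event (empty if none)."""
    parent = event["parent"].rsplit("\\", 1)[-1].lower()
    image = event["image"].rsplit("\\", 1)[-1].lower()
    reasons = []
    if image == "msdt.exe" and parent in OFFICE_PARENTS:
        reasons.append("msdt.exe spawned by Office process")
    if "ms-msdt:" in event["cmdline"].lower():
        reasons.append("ms-msdt: URL protocol handler invoked")
    decoded = decode_encoded_command(event["cmdline"])
    if decoded is not None:
        reasons.append("encoded PowerShell decoded: " + decoded.strip())
    return reasons

def scan(events):
    """Map event index -> indicators, keeping only events that raised at least one."""
    hits = {i: classify_event(e) for i, e in enumerate(events)}
    return {i: r for i, r in hits.items() if r}
```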
The first question we are asked when we start the playbook is as follows:
The correct answer is "Unknown or unexpected services and applications configured to launch automatically on system boot" because, as we saw earlier, malicious code is executed when the Word file is opened.
The next question asks us to verify whether the malware is quarantined:
Since the file has not been quarantined/cleaned yet, we select "Not Quarantined".
The next step is malware analysis. The answer to this question is clearly "malicious", as we can see from the following screenshots.
On VirusTotal we see that the document "05-2022-0438.doc" is recognized as malicious:
On Any.Run we can also see that as soon as the Word document contained in the zip file is opened, malicious code is immediately executed:
The final question is whether anyone has requested the C2 (command and control) address.
In the Log Management page we see that multiple requests were made from IP 172.16.17.39 to the malicious address, so the answer to the question is "Accessed".
Also, if we open the log, we can read that after the Word document is opened, a request is made to the malicious URL "www.xmlformats.com", which serves the HTML file "RDF842l.html" that triggers the exploit.
The final step is to request machine containment and write the report for this security incident.