www.bleepingcomputer.com
104.20.60.209
Public Scan
Submitted URL: https://t.co/OzheyxpMJg
Effective URL: https://www.bleepingcomputer.com/news/security/new-microsoft-office-zero-day-used-in-attacks-to-execute-powershell/
Submission: On May 30 via api from US — Scanned from DE
NEW MICROSOFT OFFICE ZERO-DAY USED IN ATTACKS TO EXECUTE POWERSHELL

By Ionut Ilascu, May 30, 2022, 10:23 AM

Security researchers have discovered a new Microsoft Office zero-day vulnerability that is being used in attacks to execute malicious PowerShell commands via the Microsoft Diagnostic Tool (MSDT) simply by opening a Word document.

The vulnerability, which has yet to receive a tracking number and is referred to by the infosec community as 'Follina', is leveraged using malicious Word documents that execute PowerShell commands via MSDT.

This new Follina zero-day opens the door to a new critical attack vector leveraging Microsoft Office programs, as it works without elevated privileges, bypasses Windows Defender detection, and does not need macro code to be enabled to execute binaries or scripts.

MICROSOFT OFFICE ZERO-DAY FOUND BY ACCIDENT

Last Friday, security researcher nao_sec found a malicious Word document submitted to the VirusTotal scanning platform from an IP address in Belarus.

"I was hunting files on VirusTotal that exploited CVE-2021-40444. Then I found a file that abuses the ms-msdt scheme," nao_sec told BleepingComputer in a conversation.

"It uses Word's external link to load the HTML and then uses the 'ms-msdt' scheme to execute PowerShell code," the researcher added in a tweet, posting a screenshot of the obfuscated code below:

[Image: Obfuscated payload code, source: nao_sec]

Security researcher Kevin Beaumont deobfuscated the code and explains in a blog post that it is a command-line string that Microsoft Word executes using MSDT, even if macro scripts are disabled.

[Image: Deobfuscated payload, source: Kevin Beaumont]

The above PowerShell script will extract a Base64-encoded file from a RAR file and execute it. This file is no longer available, so it is not clear what malicious activity was performed by the attack.

Beaumont clarifies things further, saying that the malicious Word document uses the remote template feature to fetch an HTML file from a remote server. The HTML code then uses Microsoft's MS-MSDT URI protocol scheme to load additional code and execute PowerShell code.

The researcher adds that the Protected View feature in Microsoft Office, designed to alert of files from potentially unsafe locations, does activate to warn users of the possibility of a malicious document.

However, this warning can be easily bypassed by changing the document to a Rich Text Format (RTF) file. By doing so, the obfuscated code can run "without even opening the document (via the preview tab in Explorer)."

RESEARCHERS REPRODUCE ZERO-DAY

Multiple security researchers have analyzed the malicious document shared by nao_sec and successfully reproduced the exploit with multiple versions of Microsoft Office.

At the moment of writing, researchers have confirmed that the vulnerability exists in Office 2013, 2016, Office Pro Plus from April (on Windows 11 with May updates), and a patched version of Office 2021:

[Image: source: Didier Stevens]

In a separate analysis today, researchers at cybersecurity services company Huntress analyzed the exploit and provide more technical details on how it works. They found that the HTML document setting things in motion came from "xmlformats[.]com," a domain that is no longer loading.

Huntress confirmed Beaumont's finding that an RTF document would deliver the payload without any interaction from the user (apart from selecting it), in what is commonly known as "zero-click exploitation."

[Image: Follina payload executed just by selecting the malicious RTF document, source: Huntress]

The researchers say that, depending on the payload, an attacker could use this exploit to reach remote locations on the victim's network. This would allow an attacker to collect hashes of victim Windows machine passwords that are useful for further post-exploitation activity.

[Image: Microsoft Office bug could help collect Windows password hashes, source: Huntress]

DETECTION COULD BE TOUGH

Beaumont warns that detection for this new exploitation method "is probably not going to be great," arguing that the malicious code is loaded from a remote template, so the Word document carrying it won't be flagged as a threat since it does not include malicious code, just a reference to it.

To detect an attack via this vector, Huntress points to monitoring processes on the system, because the Follina payload creates a child process of 'msdt.exe' under the offending Microsoft Office parent.

"Additionally, the sdiagnhost.exe process will be spawned with a conhost.exe child and its subsequent payload processes" - Huntress

For organizations relying on Microsoft Defender's Attack Surface Reduction (ASR) rules, Huntress advises activating the "Block all Office applications from creating child processes" rule in Block mode, which would prevent Follina exploits. Running the rule in Audit mode first and monitoring the results is recommended before enforcing it in Block mode, to make sure that end users are not experiencing adverse effects.

Another mitigation, from Didier Stevens, would be to remove the file type association for ms-msdt so that Microsoft Office won't be able to invoke the tool when opening a malicious Follina document.

REPORTED TO MICROSOFT IN APRIL

Security researchers say that the Follina vulnerability appears to have been discovered and reported to Microsoft in April.

According to screenshots published by a member of the Shadow Chaser Group - an association of college students focused on hunting down and analyzing advanced persistent threats (APTs), Microsoft was informed of the vulnerability but dismissed it as "not a security related issue."

Microsoft's argument for this was that while 'msdt.exe' was indeed executed, it needed a passcode when starting, and the company could not replicate the exploit.

[Image: Microsoft's reply for the Follina vulnerability report, source: CrazyMan_Army]

However, on April 12, Microsoft closed the vulnerability submission report (tracked as VULN-065524) and classified it as "This issue has been fixed," with a remote code execution security impact.

[Image: April report for the Follina Microsoft Office RCE, source: CrazyMan_Army]

BleepingComputer has reached out to Microsoft for more details about the 'Follina' vulnerability, asking why it was not considered a security risk and if they plan on fixing it. We will update the article when the company provides a statement.

Ionut Ilascu is a technology writer with a focus on all things cybersecurity. The topics he writes about include malware, vulnerabilities, exploits and security defenses, as well as research and innovation in information security. His work has been published by Bitdefender, Netgear, The Security Ledger and Softpedia.

COMMENTS

BRECHTMO - 29 minutes ago
Would applocker block the execution of the payload?
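As an added illustration of the process-monitoring guidance in the "Detection could be tough" section (example code written for this page, not from Huntress, Beaumont or BleepingComputer), the script below runs the two indicators Huntress describes, msdt.exe as a child of an Office application and child processes of sdiagnhost.exe, over constructed Sysmon-style process-creation events. The field names, the Office image list and every sample value are assumptions made for the example.

```python
from __future__ import annotations
import ntpath

# Office parents worth watching; this set is the example's own choice.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Constructed sample events in Sysmon Event ID 1 style (not real telemetry).
SAMPLE_EVENTS = [
    {"ProcessId": 1000, "ParentProcessId": 10,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": '"WINWORD.EXE" /n "C:\\Users\\alice\\invoice.rtf"'},
    {"ProcessId": 1100, "ParentProcessId": 1000,
     "Image": r"C:\Windows\System32\msdt.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "msdt.exe ms-msdt:/id [argument omitted]"},
    {"ProcessId": 1200, "ParentProcessId": 20,
     "Image": r"C:\Windows\System32\sdiagnhost.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "sdiagnhost.exe"},
    {"ProcessId": 1300, "ParentProcessId": 1200,
     "Image": r"C:\Windows\System32\conhost.exe",
     "ParentImage": r"C:\Windows\System32\sdiagnhost.exe",
     "CommandLine": "conhost.exe"},
    {"ProcessId": 1400, "ParentProcessId": 1200,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\sdiagnhost.exe",
     "CommandLine": "powershell.exe [payload omitted]"},
    {"ProcessId": 1500, "ParentProcessId": 10,   # user-launched troubleshooter
     "Image": r"C:\Windows\System32\msdt.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "msdt.exe [troubleshooter argument omitted]"},
]

def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path (ntpath works off-Windows too)."""
    return ntpath.basename(path).lower()

def classify(event: dict) -> str | None:
    """Label one process-creation event, or return None when it looks benign."""
    child, parent = image_name(event["Image"]), image_name(event["ParentImage"])
    cmd = event.get("CommandLine", "").lower()
    # Indicator 1: Office parent launching msdt.exe (or passing an ms-msdt: URI).
    if parent in OFFICE_IMAGES and (child == "msdt.exe" or "ms-msdt:" in cmd):
        return "office-spawned-msdt"
    # Indicator 2: conhost.exe and later payload processes hang off sdiagnhost.exe.
    if parent == "sdiagnhost.exe":
        return "sdiagnhost-child:" + child
    return None

def find_follina_chain(events: list[dict]) -> list[tuple[int, str]]:
    """Return (ProcessId, label) for each suspicious event, in arrival order."""
    return [(ev["ProcessId"], lbl) for ev in events if (lbl := classify(ev))]

if __name__ == "__main__":
    for pid, label in find_follina_chain(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} {label}")
```

The last sample event shows why the Office-parent condition matters: msdt.exe started from Explorer by a user is not flagged, only msdt.exe under an Office process is.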