{"id":19185,"date":"2022-05-30T17:20:56","date_gmt":"2022-05-31T01:20:56","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/05\/30\/news-12918\/"},"modified":"2022-05-30T17:20:56","modified_gmt":"2022-05-31T01:20:56","slug":"news-12918","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/05\/30\/news-12918\/","title":{"rendered":"Malicious Word doc taps previously unknown Microsoft Office vulnerability"},"content":{"rendered":"

Credit to Author: Andrew Brandt| Date: Tue, 31 May 2022 00:41:42 +0000<\/strong><\/p>\n

\n

Over the weekend, several security researchers noticed<\/a> that an unknown threat actor has been spreading a malicious Word document that appears to invoke a previously undisclosed vulnerability in Microsoft Office. The vulnerability permits the malicious document to open a URL and begin an infection chain.<\/p>\n

The infection process leverages the Windows utility msdt.exe, which is used to run various Windows troubleshooter packs. The malicious document that abuses this tool invokes it<\/a> without user interaction, and it can allegedly run even if you just \u201cpreview\u201d the document in Windows Explorer (but only if it\u2019s an RTF file).<\/p>\n

\"\"<\/a>
An example of how the malicious document appears in Process Explorer, spawning msdt.exe as a child of WINWORD.EXE<\/figcaption><\/figure>\n

The researcher Kevin Beaumont has published<\/a> a good survey of how the attack unfolds (he named it “Follina”) and has linked to other examples of malicious documents researchers have found in the past few days, some dating back to March.<\/p>\n

How the exploit works<\/h3>\n

The script in one known-malicious Word document calls an HTML file from a remote URL. The attackers chose to use the domain xmlformats[.]com<\/strong>, probably because it\u2019s very similar looking to the legitimate openxmlformats.org<\/em> domain used in most Word documents.\"\"<\/a>That HTML file contains a block of code with weird characteristics: 6324 junk bytes (61 lines of commented rows of 100 \u2018A\u2019 characters), followed by a lightly obfuscated script that, at one point, downloaded and executed a payload.<\/p>\n

\"\"<\/a>Word from my Labs colleagues is that we may not have seen the complete chain of events relating to the samples that have been publicized. But there are mitigation steps you can take right away to prevent it from being used against you (or machines you manage).<\/p>\n

Detection and guidance<\/h3>\n

As mail appears to be a threat vector, Sophos products will detect the attachment under the CXmail\/OleDl-AG<\/strong> detection name, when it’s embedded in a message. Additionally, we have released the Troj\/DocDl-AGDX<\/strong> detection for known variants of the maldocs (and the HTML they bring down). The behavioral detection team is also updating our rules to enhance our in-depth protection and monitor for activity.\u00a0<\/p>\n

We\u2019ll continue working on this and will be monitoring for additional samples or abuse of this novel exploit, and plan to publish more information about the bug in the coming days.<\/p>\n

Acknowledgments<\/h3>\n

SophosLabs acknowledges the efforts of Richard Cohen, Gabor Szappanos, Ronny Tijink, and Michael Wood, who coordinated internal efforts to track and counter the Follina bug, and the external researchers who brought this to the attention of the security community.<\/p>\n

 <\/p>\n<\/p><\/div>\n

http:\/\/feeds.feedburner.com\/sophos\/dgdY<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

<\/p>\n

Credit to Author: Andrew Brandt| Date: Tue, 31 May 2022 00:41:42 +0000<\/strong><\/p>\n

MSDT.exe misuse in May makes for Memorial Day Monday mayhem<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10377],"tags":[129,26337,10909,26338,26345,26346,18513,16771,10467,11524],"class_list":["post-19185","post","type-post","status-publish","format-standard","hentry","category-security","category-sophos","tag-featured","tag-follina","tag-microsoft-office","tag-ms-msdt","tag-msdt","tag-msdt-exe","tag-sophoslabs-uncut","tag-threat-research","tag-vulnerability","tag-zero-day"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/19185","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=19185"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/19185\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=19185"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=19185"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=19185"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}