A few days ago, Twitter user and Japanese security vendor Nao_sec acknowledged a Word document that with a quite strange appearance in the wild, which was uploaded from Belarus IP address:
Researcher Kevin Beaumont calls it a” Follina exploit” as he went on Twitter to express his views. He says:
The document often uses the “word remote template” feature to retrieve the HTML file from a remote web server. In order uses ms-msdt MS Protocol URI scheme to load certain code and execute a particular PowerShell, which should be impossible.
The code acts particularly peculiar when its decoded:
Although a lot is going on, the main problem with Microsoft Word is that it executes the code through msdt (a support tool) even when the macros aren’t enabled.
The protected view does take effect, though. If the document format is changed to RTF form, it runs without the document opening (through the preview tab in the explorer) instead of the protected view.
The vulnerability gets its name Follina from the spotted sample of the file reference, 0438, an area code of Follina, Italy.
The bigger picture
It is an attempt from the malware writers to exploit a possible vulnerability in Microsoft office code. It allows them to get malicious code without the security of detection in a multi-staged attack, as per the security researchers.
Nao Sec found the zero-day exploit embedded in the word document that first loads an HTML (hypertext markup language) file from a remote server. It later uses the MSDT diagnostics tool handler, listed for MS Office protocol, to operate the Windows PowerShell code.
The exploit can also potentially work with Office macros disabled that traditionally run the malware.
The Microsoft Defender for the Endpoint doesn’t currently detect Follina, and unfortunately, as per Beaumont, the exploit also works for the older versions of Office, including 2013 and 2016.
Didier Stevens, another researcher, also managed to get Follina MSDT to exploit operating on the completely patched Office 2021 version. Although, the exploit didn’t work with the current and insider preview office versions
Hence, he states that it’s an indication that Microsoft either had the vulnerability fixed around May or the hacker was “too much of an idiot” to exploit it in the latest office versions.
Users with the Office E5 license can add a defender for the endpoint query to notify about the exploit that can currently pass through the anti-malware tool without detection.
Previously, security vendor SySS, Matthias Zöllner, stated that the handlers could directly abuse the MS office protocol to open files through specially crated uniform resource location links.