Cyble-Microsoft-MSDT-Zero-Day-Vulnerability

New Zeroday Exploit spotted in the wild

CVE-2022-30190 – Microsoft Support Diagnostic Tool (MSDT) RCE Vulnerability

In a recent blog post by Microsoft, a new Zero-Day vulnerability (CVE-2022-30190) was discussed. This vulnerability affects Microsoft Support Diagnostic Tool (MSDT), and the blog post provides some guidance on mitigating the impact of this vulnerability.

The post mentions that a Remote Code Execution (RCE) vulnerability present in MSDT allows the attackers to execute arbitrary code by exploiting it. MSDT is a diagnostic tool that collects information and sends it to Microsoft for analysis when users encounter certain issues. Microsoft uses this information to find solutions for the problems encountered by users.

Prior to the publication of the Microsoft blog, a security researcher, nao_sec, found an interesting malicious document that uses a Microsoft Word external link to load an HTML file hosted on a remote server. The HTML file further uses the “ms-msdt” scheme to execute malicious PowerShell code. Figure 1 shows nao_sec’s Twitter post.

Figure 1 – Researcher’s Tweet highlighting Vulnerability CVE-2022-30190

After this tweet, security researchers investigated and reproduced the exploit using different versions of Microsoft Office. The POC is also now available on GitHub to test the exploit, as shown in the figure below.

Figure 2 – Exploit POC

Cyble Research Labs was able to test the above POC and exploit the MSDT vulnerability, as shown below.

Figure 3 – Exploitation of MSDT Vulnerability

Security Researcher Kevin Beaumont mentioned that the vulnerability was first exploited in the wild over a month ago. The “invitation for an interview ” file was spotted targeting a Russian user in the wild.  

Figure 4 – Document Targeting Russian User

Kevin named this vulnerability “Follina” because the file name contains the string “0438”, which is the telephone code for the Italian municipality of Follina.

Technical Analysis

Cyble Research Labs analyzed the sample identified by nao_sec (sha256: a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567a ec096784).

The maldoc contains a file “document.xml.rels,” which is responsible for loading the “RDF8421.html” file hosted in the remote server “hxxp.xmlformats.com.”

Figure 5 – Document Loads HTML File

The HTML file further executes a PowerShell command using ms-msdt schema, as shown below.  

Figure 6 – PowerShell Command

Upon execution, the PowerShell command further decodes the base64 encoded content and performs other malicious activities.

Figure 7 – Decoded Base64 String

The PowerShell content performs the following tasks:

  • Runs with a hidden window
  • Terminates msdt.exe in case it is running
  • Moves the “05-2022-0438.rar” file to C:\Users\public and renames it as “1.rar”
  • Checks the base64-encoded CAB file (MSCF header) inside the “1.rar” file and saves it as “1.t”
  • Decodes the CAB file “1.t” and saves it as “1.c”
  • Expands “1.c” and executes the file “rgb.exe”

The file “05-2022-0438.rar” was not available for analysis; the functionality of rgb.exe. is not fully clear at the moment.

The interesting part is that the malware leverages the ms-msdt schema to execute malicious code. The following process chain was observed after execution.

Figure 8 – Process Chain

It’s a good idea to check the above chain to identify the exploitation. The tracking of the msdt.exe process launched by any process like winword.exe or excel.exe indicates the exploitation of MSDT vulnerability.

Workarounds:

Microsoft also advised users to perform the following workarounds:

Disabling the MSDT URL Protocol:

Users are advised to disable the vulnerable MSDT URL protocol, which will, in turn,  prevent troubleshooters from being launched as links. Microsoft has advised that users delete the registry key after taking a backup.

The figure below shows the MSDT registry key.

Figure 9 – MSDT Registry Key

disabling MSDT:

  • Run Command Prompt as Administrator.
  • To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename.”
  • Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f.”

How to undo the workaround:

  • Run Command Prompt as Administrator.
  • To back up the registry key, execute the command “reg import filename.”

Conclusion

Threat Attackers are constantly looking for new techniques to target individuals and organizations. In this case, they are leveraging the vulnerability in MSDT to execute malicious code.

Cyble will closely monitor the MSDT vulnerability and continue to update our readers with the latest information.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:  

Safety measures needed to prevent malicious attacks:

  • Refrain from opening untrusted links and email attachments without verifying their authenticity.
  • Conduct regular backup practices and keep those backups offline or in a separate network.
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic. 
  • Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.

Users should take the following steps after the malicious attack:

  • Detach infected devices on the same network.
  • Disconnect external storage devices if connected.
  • Inspect system logs for suspicious events.

Impacts and cruciality Of Malware Attacks:

  • Loss of Valuable data.
  • Loss of organization’s reliability or integrity.
  • Loss of organization’s business information.
  • Disruption in organization operation.
  • Economic loss

Indicators of Compromise (IOCs)

IndicatorsIndicator TypeDescription
52945af1def85b171870b31fa4782e5 MD5Docx Exploit
06727ffda60359236a8029e0b3e8a0fd11c23313SHA-1Docx Exploit
4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784SHA-256           Docx Exploit
f531a7c270d43656e34d578c8e71bc39MD5Docx Exploit
934561173aba69ff4f7b118181f6c8f467b0695dSHA-1Docx Exploit
710370f6142d945e142890eb427a368bfc6c5fe13a963f952fb884c38ef06bfaSHA-256Docx Exploit
hxxp://www.xmlformats[.]comURLC&C URL
141[.]105.65.149IPC&C IP
Scroll to Top