
CVE-2022-30190 Actively Exploited in the Wild: MSDT Vulnerability Used For Spreading PowerShell Stealer

Cyble Research Labs has been actively monitoring CVE-2022-30190. In our previous research, we discussed how the vulnerability was exploited in the wild using a malicious Word document. Recently we came across a tweet in which researchers reported exploitation of the same MSDT vulnerability through a Rich Text Format (RTF) file, which indicates that CVE-2022-30190 is being exploited through multiple delivery vectors. This blog discusses how the RTF file is used to exploit the MSDT vulnerability and deliver a PowerShell stealer.

Exploit Analysis

The attack uses a specially crafted RTF document with an employment-themed lure, as shown in Figure 1.

Figure 1 – Malicious RTF File

When the RTF document is opened, it loads an external HTML file and has it executed without any further user interaction; for RTF carriers of this exploit, rendering in the Windows Explorer preview pane has also been reported to be enough to trigger it. The image below shows the OLE object embedded in the RTF file, which is responsible for loading 1.html from the remote server.

Figure 2 – OLE Object

The file 1.html contains the code that exploits the MSDT vulnerability: it invokes the ms-msdt: URL protocol with a crafted troubleshooter parameter so that MSDT runs attacker-supplied PowerShell, which in turn downloads the PowerShell stealer from the remote server. Figure 3 shows the malicious PowerShell code, which contains the final payload delivery link.

Figure 3 – MSDT Exploit Code

Payload Analysis

After the MSDT vulnerability is exploited, the final PowerShell stealer is downloaded and executed on the victim's machine. It is run directly by PowerShell rather than written to disk, which leaves few file-based artifacts for antivirus to scan. The stealer collects data from the registry and from multiple applications, including browsers, email clients, and RDP and other remote-access clients. The Figure below shows the PowerShell stealer.

Figure 4 – PowerShell based Stealer

The stealer targets data from Mozilla Firefox, Opera, Yandex, Vivaldi, CentBrowser, Comodo, Chedot, Orbitum, Chromium, Slimjet, Xvast, Kinza, Iridium, CocCoc, Thunderbird, PuTTY, Navicat, and WinSCP.

The stealer harvests information from the following registry keys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ToDesk
  • HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Oray SunLogin RemoteClient
  • HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\MSFtpsvc\Parameters\Virtual Roots\ControlSet002
  • HKEY_LOCAL_MACHINE\SOFTWARE\Cat Soft\Serv-U\Domains\1\UserList
  • HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\MSFtpsvc\Parameters\Virtual Roots
  • HKEY_CURRENT_USER\SOFTWARE\SimonTatham
  • HKEY_CURRENT_USER\Software\Microsoft\Office\16.0
  • HKEY_CURRENT_USER\SOFTWARE\PremiumSoft\Navicat\Servers
  • HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2

It executes the following commands to harvest the victim’s data:

  • Systeminfo
  • ipconfig /all
  • net config workstation
  • net time /domain
  • net group /domain
  • net accounts /domain
  • wmic useraccount get /all
  • wmic product get name,version

After harvesting the data, the stealer compresses it and exfiltrates the archive to 45[.]77.156[.]179. At the time of analysis, the C&C server exposed an open directory listing of exfiltrated logs, as shown in the Figure below.

Figure 5 – Open Directory
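Because the stealer never touches disk, the practical detection surface is process telemetry: the Office process spawning msdt.exe, the MSDT host (sdiagnhost.exe, which is commonly observed under msdt.exe in this exploit chain) spawning a command interpreter, and a burst of the reconnaissance commands listed above from a single parent. The detector below is an added example written for this post, not Cyble's detection content; it runs over constructed Sysmon-style process-creation events (invented PIDs, paths, and timestamps) and flags all three patterns. The process-chain rules assume the winword.exe -> msdt.exe -> sdiagnhost.exe -> powershell.exe sequence; the window and threshold for the recon burst are tuning choices, not values from the page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Reconnaissance commands the stealer runs, in the normalised form produced by _norm().
RECON_CMDS = ("systeminfo", "ipconfig /all", "net config workstation", "net time /domain",
              "net group /domain", "net accounts /domain", "wmic useraccount get",
              "wmic product get")
BURST_WINDOW = timedelta(seconds=60)  # tuning assumption, not from the page
BURST_MIN = 4                         # distinct recon commands from one parent inside the window


def _exe(path: str) -> str:
    """Lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def _norm(cmdline: str) -> str:
    """Strip quotes and the directory from the first token, drop .exe, lower-case the rest."""
    parts = cmdline.replace('"', "").split()
    if not parts:
        return ""
    parts[0] = re.sub(r"\.exe$", "", _exe(parts[0]))
    return " ".join(parts).lower()


def detect(events: list) -> list:
    """Return a list of findings; each is a dict with at least a 'rule' key."""
    findings = []
    recon_by_parent = defaultdict(list)
    for ev in events:
        parent, image = _exe(ev["ParentImage"]), _exe(ev["Image"])
        cmd = _norm(ev["CommandLine"])
        ts = datetime.fromisoformat(ev["UtcTime"])
        if parent in OFFICE_APPS and image == "msdt.exe":
            findings.append({"rule": "office_spawns_msdt", "pid": ev["ProcessId"],
                             "cmd": ev["CommandLine"]})
        if parent == "sdiagnhost.exe" and image in INTERPRETERS:
            findings.append({"rule": "sdiagnhost_spawns_interpreter", "pid": ev["ProcessId"],
                             "cmd": ev["CommandLine"]})
        if any(cmd.startswith(r) for r in RECON_CMDS):
            recon_by_parent[ev["ParentProcessId"]].append((ts, cmd))
    # Sliding window per parent: count distinct recon commands, report the densest window once.
    for ppid, hits in recon_by_parent.items():
        hits.sort()
        best = set()
        for i, (start, _) in enumerate(hits):
            window = {c for t, c in hits[i:] if t - start <= BURST_WINDOW}
            if len(window) > len(best):
                best = window
        if len(best) >= BURST_MIN:
            findings.append({"rule": "recon_burst", "parent_pid": ppid,
                             "count": len(best), "commands": sorted(best)})
    return findings


def _ev(t, pid, ppid, image, parent, cmd):
    return {"UtcTime": t, "ProcessId": pid, "ParentProcessId": ppid,
            "Image": image, "ParentImage": parent, "CommandLine": cmd}


SYS = "C:\\Windows\\System32\\"
PS = SYS + "WindowsPowerShell\\v1.0\\powershell.exe"
WORD = "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
# Constructed events mimicking the chain on this page, plus benign noise from an admin shell.
SAMPLE_EVENTS = [
    _ev("2022-06-10T09:00:01", 4100, 3900, SYS + "msdt.exe", WORD,
        '"C:\\Windows\\system32\\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_BrowseForFile=<stage>"'),
    _ev("2022-06-10T09:00:02", 4200, 4100, SYS + "sdiagnhost.exe", SYS + "msdt.exe",
        SYS + "sdiagnhost.exe -Embedding"),
    _ev("2022-06-10T09:00:03", 5000, 4200, PS, SYS + "sdiagnhost.exe",
        "powershell.exe -ep bypass -w hidden -c <stealer>"),
    _ev("2022-06-10T09:00:05", 5001, 5000, SYS + "systeminfo.exe", PS, "systeminfo"),
    _ev("2022-06-10T09:00:07", 5002, 5000, SYS + "ipconfig.exe", PS, "ipconfig /all"),
    _ev("2022-06-10T09:00:09", 5003, 5000, SYS + "net.exe", PS,
        '"C:\\Windows\\System32\\net.exe" config workstation'),
    _ev("2022-06-10T09:00:11", 5004, 5000, SYS + "net.exe", PS, "net time /domain"),
    _ev("2022-06-10T09:00:14", 5005, 5000, SYS + "wbem\\WMIC.exe", PS, "wmic useraccount get /all"),
    _ev("2022-06-10T09:00:16", 5006, 5000, SYS + "wbem\\WMIC.exe", PS, "wmic product get name,version"),
    _ev("2022-06-10T10:15:00", 7000, 6100, SYS + "cmd.exe", "C:\\Windows\\explorer.exe", "cmd.exe"),
    _ev("2022-06-10T10:15:20", 7001, 7000, SYS + "ipconfig.exe", SYS + "cmd.exe", "ipconfig /all"),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f)
```

The single `ipconfig /all` from the administrator's cmd.exe is not reported, which is the point of counting distinct commands per parent inside a window rather than alerting on each command individually. Pair these process rules with PowerShell Script Block Logging (Event ID 4104), which captures the in-memory stealer text that never reaches disk.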

Conclusion

Threat actors are actively exploiting CVE-2022-30190 and are using different delivery vectors to do so. In this case, instead of a Microsoft Word document, the attackers used an RTF file to download an information stealer onto the victim's system.

We will update this post with further information on CVE-2022-30190 related attacks in the future.

Our Recommendations 

  • Follow the mitigation guidance provided by Microsoft: disable the MSDT URL protocol by backing up and then deleting the HKEY_CLASSES_ROOT\ms-msdt registry key, and apply Microsoft's security update for CVE-2022-30190.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Turn on automatic software updates on computers, mobile devices, and other connected devices.
  • Use a reputable antivirus and internet security software package on all connected devices, including PCs, laptops, and mobile devices.
  • Refrain from opening untrusted links and email attachments without first verifying their authenticity.
  • Educate employees on protecting themselves from threats such as phishing and untrusted URLs.
  • Block URLs that could spread malware, e.g., Torrent/Warez sites.
  • Monitor for beaconing at the network level to block data exfiltration by malware or TAs.
  • Enable Data Loss Prevention (DLP) solutions on employees' systems.

MITRE ATT&CK® Techniques

Tactic               Technique ID   Technique Name
Initial Access       T1566          Phishing
Execution            T1203          Exploitation for Client Execution
Defense Evasion      T1140          Deobfuscate/Decode Files or Information
Discovery            T1087          Account Discovery
Discovery            T1046          Network Service Discovery
Command and Control  T1071          Application Layer Protocol
Exfiltration         T1041          Exfiltration Over C2 Channel

Indicators of Compromise (IoCs) 

Indicators                                                          Indicator type   Description
242d2fa02535599dae793e731b6db5a2                                    MD5              Malicious RTF file
0646ef9e20628c47c2140c0fc4b51ce3a7ad4c30                            SHA-1            Malicious RTF file
ca7e9c65fd2cec62110b50581529198c43b7982820a38c912baa81d0294b8126    SHA-256          Malicious RTF file
ea483ab89d8b9baf00b953f0636e0520                                    MD5              HTML exploit (1.html)
b0b952334f0d0195b06faed532170263f7fad6c2                            SHA-1            HTML exploit (1.html)
5385a798d136365b644199359dc2662de3b0d6c5adc09e4cf9cada074e8a9338    SHA-256          HTML exploit (1.html)
hxxp://45.76.53[.]253/1.html                                        URI              Exploit
hxxps://seller-notification[.]live/Zqfbe234dg                       URI              Malicious payload
dbd2b7048b3321c87a768ed7581581db                                    MD5              PowerShell stealer
0031893be42999b493c3e3c7e88d006db44d425f                            SHA-1            PowerShell stealer
0d7f8698dcb03f879bcf4222852e859e1f8d84e61ee25af12312eda290ccde88    SHA-256          PowerShell stealer