Chinese hackers exploit the latest Microsoft Office vulnerability

An advanced persistent threat (APT) actor aligned with Chinese state goals has been discovered exploiting a new zero-day vulnerability in Microsoft Office to gain code execution on impacted PCs.
In a tweet, corporate security firm Proofpoint claimed, “TA413 CN APT found [in-the-wild] exploiting the Follina zero-day leveraging URLs to distribute ZIP packages containing Word Documents that leverage the approach.”
“Campaigns pose as the Central Tibetan Administration’s ‘Women Empowerment Desk,’ and use the domain tibet-gov.web[.]app.”
TA413 is primarily known for its activities targeting the Tibetan diaspora in order to distribute implants such as Exile RAT and Sepulcher, as well as a rogue Firefox browser extension known as FriarFox.
Follina, a high-severity security issue identified as CVE-2022-30190 (CVSS score: 7.8), is a case of remote code execution that exploits the “ms-msdt:” protocol URI scheme to execute arbitrary code.
The approach specifically allows threat actors to bypass Protected View protections for suspicious files by simply converting the document to a Rich Text Format (RTF) file, allowing the injected code to run without the document even being opened, merely by previewing it in the Preview Pane of Windows File Explorer.
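The document structure the article describes (a Word file whose attached template points at a remote HTTP(S) location, and a fetched template carrying the "ms-msdt:" scheme) can be checked for on the defender's side. The following is an added example written for this page, not code from the article, Proofpoint or Microsoft: it walks the relationship parts of an OOXML package in memory and flags remote attached templates, and searches any non-zip file (such as the RTF variant or a fetched HTML template) for the ms-msdt: scheme. The sample package it builds and the target URL `http://example.invalid/template.html` are constructed placeholders for testing the scanner, not real artefacts.

```python
import io
import re
import zipfile
from typing import List, Optional
from urllib.parse import urlsplit
from xml.etree import ElementTree as ET

# OOXML relationships namespace and the relationship type Word uses for an
# attached template (the "remote template" feature when the target is a URL).
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
# The protocol handler scheme abused by CVE-2022-30190 (Follina).
MSDT_RE = re.compile(rb"ms-msdt:", re.IGNORECASE)


def contains_msdt(blob: bytes) -> bool:
    """True if a byte blob (fetched template HTML, RTF, a document part) carries the ms-msdt: scheme."""
    return MSDT_RE.search(blob) is not None


def scan_docx(data: bytes) -> List[str]:
    """Return human-readable findings for an OOXML (.docx) package held in memory."""
    findings: List[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            blob = zf.read(name)
            if name.endswith(".rels"):
                try:
                    root = ET.fromstring(blob)
                except ET.ParseError:
                    findings.append(f"{name}: unparseable relationships part")
                    continue
                for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                    target = rel.get("Target", "")
                    is_external = rel.get("TargetMode") == "External"
                    scheme = urlsplit(target).scheme.lower()
                    # Local templates (file:///...) are common in corporate builds;
                    # only an HTTP(S) template is the remote-template pattern of interest.
                    if (rel.get("Type") == ATTACHED_TEMPLATE and is_external
                            and scheme in ("http", "https")):
                        findings.append(f"{name}: remote template {target}")
            if contains_msdt(blob):
                findings.append(f"{name}: contains ms-msdt: scheme")
    return findings


def scan_file(data: bytes) -> List[str]:
    """Dispatch: OOXML zip packages get the relationship walk; anything else gets a scheme search."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        return scan_docx(data)
    return ["raw file: contains ms-msdt: scheme"] if contains_msdt(data) else []


def build_sample(template_target: Optional[str]) -> bytes:
    """Constructed minimal package for exercising the scanner (assumption: not a real document)."""
    rels = ""
    if template_target:
        rels = (f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                f'Target="{template_target}" TargetMode="External"/>')
    settings_rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{REL_NS}">{rels}</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/settings.xml", "<w:settings/>")
        zf.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed inputs: a clean package, one with a remote template, and a raw HTML blob.
    print(scan_file(build_sample(None)))
    print(scan_file(build_sample("http://example.invalid/template.html")))
    print(scan_file(b"<html><a href='ms-msdt:placeholder'>x</a></html>"))
```

Run on a mail-gateway sample or a quarantined attachment, a non-empty list from `scan_file` is a triage signal, not a verdict: legitimate documents can reference HTTP templates, so the remote-template finding is best paired with the Preview Pane and MSDT workarounds mentioned later in the article.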
While the problem received extensive notice this week, evidence suggests it was already being used in real-world attacks against Russian users more than a month earlier; it was reported to Microsoft on April 12, 2022.
However, the firm did not consider it a security concern and closed the vulnerability submission report, citing the fact that the MSDT utility required a passkey provided by a support technician before it could execute payloads.
The vulnerability affects all currently supported Windows versions and can be exploited through Microsoft Office 2013 through Office 2021 and Office Professional Plus editions.
“This ingenious approach is meant to avoid detection by exploiting Microsoft Office’s remote template capability and the ms-msdt protocol to execute malicious code, all without the need for macros,” Malwarebytes’ Jerome Segura explained.
Although no official fix is currently available, Microsoft recommends deactivating the MSDT URL protocol to prevent the attack vector. It’s also a good idea to disable the Preview Pane in File Explorer.
“What distinguishes ‘Follina’ is that it does not rely on Office macros and hence works even in circumstances where macros have been removed totally,” Immersive Labs’ Nikolas Cemerikic explained.
“The exploit requires just that the user open and read the Word document, or see a preview of the document using the Windows Explorer Preview Pane. Because the latter does not need the entire launch of Word, this practically becomes a zero-click attack.”