Banking Trojan uses critical flaw in Windows


The Follina zero-day is gaining traction. This bug, reported at the end of May under the reference CVE-2022-30190, allows a Word document to be used to launch PowerShell commands, even when macros are disabled.

Now a group of hackers known as TA570 is taking advantage of the flaw to distribute the banking trojan Qbot, which specializes in the theft of personal and banking data. Victims receive an email with an HTML file as an attachment. This file downloads a compressed ZIP folder containing a disk image (IMG file), which in turn contains a Word file, a DLL file and a shortcut. It is the Word document that installs the Qbot malware.

Attacks on the government and the Tibetan diaspora

This isn’t the only attack that exploits the Follina flaw. Last week, the company Proofpoint discovered phishing attacks targeting various government staff in Europe and the United States. They received an email promising them a raise, with an attached RTF file that installs malware stealing data from browsers and messaging software. According to Proofpoint, the Chinese APT group TA413 is also reportedly using the flaw to attack the Tibetan diaspora with similar methods.

Currently, Microsoft still hasn’t released a patch. On its site, Microsoft recommends disabling the MSDT protocol to prevent the diagnostic utility used in the Follina flaw from starting. To do this, the company indicates that you must first back up, then delete the entire HKEY_CLASSES_ROOT\ms-msdt key in the Windows registry.

How Hackers Can Take Control Once a Word File Is Opened

A new flaw has been discovered in Microsoft Word that could allow a hacker to take control of a computer with a simple document, without using macros. Called Follina, the bug even allows the code to run without the user opening the document, thanks to the file explorer preview.

Article by Edward Back, published on 01/06/2022

By now, almost everyone has heard that macros can be dangerous in Microsoft Word. After all, the software blocks them by default and displays a warning banner. However, this is not the only way to use the software to infect a computer. On Twitter, user @nao_sec shared malicious code discovered in a Word document.

This code exploits a bug called Follina. It is categorized as a “zero day”, in other words, already exploited by hackers and without an available update (Microsoft has “zero days” to release a patch). @nao_sec happened to see the code in question on the VirusTotal site while searching for documents exploiting a different bug. An internet user in Belarus allegedly submitted the document to the site to check whether it was detected by the various antivirus engines.

Code hidden in base64

The code uses the software’s external template function to load an HTML file from a server. That file then hijacks the Microsoft Support Diagnostic Tool (MSDT) to load a file and run PowerShell commands, and this works even when macros are disabled. The code author used the same technique seen on some websites to hide problematic commands: they are converted to base64 and decoded at runtime.
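As an added example (not code from the article or from the researchers it cites), here is a defender-side triage check for the external template technique just described: it opens a .docx as the ZIP archive it is, reads every relationship part and reports relationships that point outside the document to an http(s) or ms-msdt: target, which is where a remote template or OLE object shows up. The quarantine path is an assumption.

```powershell
# Added example, not the article's code. Lists external relationships in a .docx so an
# analyst can spot a remote template or OLE object without opening the file in Word.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-ExternalRelationships {
    param([Parameter(Mandatory)][string]$Path)
    $findings = @()
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        # Every *.rels part (e.g. word/_rels/settings.xml.rels) declares the document's relationships.
        foreach ($entry in ($zip.Entries | Where-Object { $_.FullName -like '*.rels' })) {
            $reader = New-Object System.IO.StreamReader($entry.Open())
            try { [xml]$rels = $reader.ReadToEnd() } finally { $reader.Dispose() }
            foreach ($rel in $rels.Relationships.Relationship) {
                # Ordinary hyperlinks are external too; skip them so the report stays focused
                # on parts Word loads by itself (attachedTemplate, oleObject, ...).
                if ($rel.TargetMode -ne 'External' -or $rel.Type -match '/hyperlink$') { continue }
                if ($rel.Target -match '^(https?|ms-msdt):') {
                    $findings += [pscustomobject]@{
                        Part   = $entry.FullName
                        Type   = ($rel.Type -split '/')[-1]
                        Target = $rel.Target
                    }
                }
            }
        }
    } finally { $zip.Dispose() }
    return $findings
}

# Assumed path of a quarantined attachment (constructed for this example).
$hits = Get-ExternalRelationships -Path 'C:\Quarantine\sample.docx'
if ($hits) { $hits | Format-Table -AutoSize } else { 'No external template or object references found' }
```

A clean document normally yields no hits here; an attachedTemplate or oleObject entry with a remote Target is worth a closer look before the file is released from quarantine.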

The researchers do not know what the author’s exact intention was, as the second file is no longer available. However, once it succeeds in executing PowerShell commands, the code can potentially take full control of the computer and attack other machines on the local network.

Follina is particularly problematic. By default, Word opens .docx files in Protected View, so the code is only executed if the user clicks “Enable Editing”. However, if the file is in .rtf format, this protection is not activated. In addition, in this case it is enough to select the file in the file explorer, without opening it, for the code to run.

A demonstration of how Follina works on an updated version of Office 2021. © Didier Stevens

A report rejected by Microsoft as early as April

The code works on all versions of Microsoft Office since at least 2013, including Office 2021, even with all updates installed. It turns out that the problem had already been reported to Microsoft in April by Shadow Chaser Group, a team of student vulnerability hunters. A man named John, from the Microsoft Security Response Center (MSRC), simply replied that it was not a security issue and that the submitted sample did not work on his computer. Microsoft appears to have changed its mind, as the company registered the bug on May 30 under the reference CVE-2022-30190.

Currently there is no easy way to protect yourself from this attack. While waiting for an update, the most common solution seems to be editing the registry to prevent the diagnostic tool from being launched from Word. To do this, you need to create the Enable diagnostics value under HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics and set it to 0.

Be aware, though, that this solution is reserved for advanced users. Any mistake when modifying the registry can damage the system and prevent the computer from booting.
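As an added example (not a script from the article or from Microsoft), the following applies both registry workarounds mentioned on this page, the ms-msdt key removal recommended by Microsoft in the Qbot section and the ScriptedDiagnostics policy value described just above, with a backup taken first and a check at the end. It assumes an elevated PowerShell prompt, a writable %TEMP% folder, and the policy value name EnableDiagnostics (the registry spelling of “Enable diagnostics”).

```powershell
# Added example, not the article's code. Applies the two Follina (CVE-2022-30190) registry
# workarounds and verifies them. Must run from an elevated (administrator) PowerShell.
$Backup = Join-Path $env:TEMP 'ms-msdt-backup.reg'   # constructed backup location
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics'

function Disable-MsdtHandler {
    # Workaround 1 (Microsoft): back up, then delete the ms-msdt: URL protocol handler.
    if (Test-Path 'Registry::HKEY_CLASSES_ROOT\ms-msdt') {
        reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $Backup /y | Out-Null
        reg.exe delete 'HKEY_CLASSES_ROOT\ms-msdt' /f | Out-Null
    }
}

function Disable-ScriptedDiagnostics {
    # Workaround 2 (article): policy value that stops scripted diagnostics from running.
    # EnableDiagnostics is the registry name behind the "Enable diagnostics" setting (assumed).
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name 'EnableDiagnostics' -PropertyType DWord -Value 0 -Force | Out-Null
}

function Test-FollinaWorkaround {
    # Returns $true only when the handler is gone and the policy value is set to 0.
    $handlerGone = -not (Test-Path 'Registry::HKEY_CLASSES_ROOT\ms-msdt')
    $policy = Get-ItemProperty -Path $PolicyKey -Name 'EnableDiagnostics' -ErrorAction SilentlyContinue
    $policyOff = ($null -ne $policy) -and ($policy.EnableDiagnostics -eq 0)
    return ($handlerGone -and $policyOff)
}

Disable-MsdtHandler
Disable-ScriptedDiagnostics
if (Test-FollinaWorkaround) { "Follina workarounds applied; backup at $Backup" }
else { 'Check failed: confirm the prompt is elevated and re-run' }
```

Once a patch is installed, the handler can be restored with `reg.exe import` on the backup file and the policy value removed with Remove-ItemProperty.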
