Banking Trojan uses critical flaw in Windows

Hackers can take control as soon as a Word file is opened


The Follina zero-day vulnerability is gaining momentum. Disclosed at the end of May and tracked as CVE-2022-30190, it allows a Word document to launch PowerShell commands even when macros are disabled.

A group of attackers tracked as TA570 is now taking advantage of the flaw to distribute the Qbot banking trojan, which specializes in stealing personal and banking data. Victims receive an e-mail with an HTML file as an attachment. That file downloads a ZIP archive containing a disk image (an IMG file), which in turn holds a Word document, a DLL and a shortcut (LNK) file. It is the Word document that installs the Qbot malware.

Attacks on governments and the Tibetan diaspora

This isn’t the only attack exploiting the Follina flaw. Last week, the company Proofpoint detected phishing attacks targeting several members of governments in Europe and the United States. They received an e-mail promising them a pay raise, with an attached RTF file that installs malware stealing data from their computers, browsers and messaging software. According to Proofpoint, the Chinese APT group TA413 is also reportedly using the flaw to target the Tibetan diaspora with similar methods.

At present, Microsoft still has not released a patch. On its site, Microsoft recommends disabling the MSDT URL protocol so that the diagnostic tool used by Follina can no longer be launched. To do this, the firm says you must first back up, then delete, the entire key HKEY_CLASSES_ROOT\ms-msdt in the Windows registry.

How hackers can take control as soon as a Word file is opened

A new flaw has been discovered in Microsoft Word through which an attacker can take control of a computer with a simple document, without using macros. Called Follina, the flaw even makes it possible to run the code without the user opening the document, via the preview pane of File Explorer.

Article by Edward Back, published on 01/06/2022

By now almost everyone has heard that macros can be dangerous in Microsoft Word. After all, the software blocks them by default and displays a warning banner. However, this is not the only way to use the software to infect a computer. On Twitter, the user @nao_sec shared malicious code discovered in a Word document.

This code exploits a flaw called Follina. It is categorized as a “zero day”, in other words a flaw already exploited by attackers and without a patch (Microsoft had “zero days” to release one). @nao_sec noticed the code in question by chance on the VirusTotal site while searching for documents using another vulnerability. An Internet user located in Belarus is believed to have submitted the document to the site to check whether it was detected by the various antivirus engines.

Code hidden in base64

The code uses the software’s remote template feature to load an HTML file from a server. That file then hijacks the Microsoft Support Diagnostic Tool (MSDT) to load a file and run PowerShell commands, even when macros are disabled. The author of the code used the same technique seen on some websites to conceal the problematic commands: they are converted to base64 and decoded at runtime.

The researchers do not know what the author’s exact purpose was, since the second file is no longer available. However, once the code can execute PowerShell commands, the attacker can potentially take full control of the computer and attack other machines on the local network.
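The two stages just described (a relationship inside the document pointing at a remote HTML file, then an ms-msdt: URI carrying a base64-encoded command) can be triaged statically, without running anything. The PowerShell below is an added example written for this page, not code from the article or from @nao_sec: it lists every external http(s) relationship in a .docx and decodes the base64 runs of an HTML file that mentions ms-msdt:. It goes a little beyond the article's remote-template case by flagging any external relationship (template, OLE object, hyperlink) in the document's relationship parts. The function names, the temp folder and the two sample files are constructed for the demonstration; the sample HTML carries a harmless Write-Host command, not the original payload.

```powershell
# Added example for this page, not the article's or @nao_sec's code.
# Function names, sample files and the temp folder are assumptions.
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Stage 1: list every relationship under word/_rels/*.rels that points at an
# external http(s) resource. A locally authored .docx normally has none.
function Get-DocxExternalRelationship {
    param([Parameter(Mandatory)][string]$Path)
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        foreach ($entry in $zip.Entries) {
            if ($entry.FullName -notlike 'word/_rels/*.rels') { continue }
            $reader = New-Object System.IO.StreamReader($entry.Open())
            try { [xml]$rels = $reader.ReadToEnd() } finally { $reader.Dispose() }
            foreach ($rel in $rels.Relationships.Relationship) {
                if ($rel.TargetMode -eq 'External' -and $rel.Target -match '^https?://') {
                    [pscustomobject]@{
                        Part   = $entry.FullName
                        Type   = ($rel.Type -split '/')[-1]   # e.g. attachedTemplate, oleObject
                        Target = $rel.Target
                    }
                }
            }
        }
    } finally { $zip.Dispose() }
}

# Stage 2: the HTML the document fetches. If it mentions ms-msdt:, decode every
# base64 run long enough to hold a command so the hidden PowerShell can be read.
function Get-MsdtHtmlPayload {
    param([Parameter(Mandatory)][string]$Path)
    $html = Get-Content -Raw -LiteralPath $Path
    if ($html -notmatch 'ms-msdt:') { return }
    foreach ($m in [regex]::Matches($html, '[A-Za-z0-9+/]{32,}={0,2}')) {
        try {
            $text = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($m.Value))
        } catch [FormatException] { continue }                      # not valid base64
        if ($text -match '[^\x09\x0A\x0D\x20-\x7E]') { continue }   # binary, not a command
        [pscustomobject]@{ Offset = $m.Index; Decoded = $text }
    }
}

# --- Constructed samples (not real malware), written to a temp folder ---
$work = Join-Path ([IO.Path]::GetTempPath()) 'follina-triage-demo'
New-Item -ItemType Directory -Force -Path $work | Out-Null

# Minimal .docx whose document part references a remote HTML file.
$docx = Join-Path $work 'sample.docx'
if (Test-Path $docx) { Remove-Item $docx }
$archive = [System.IO.Compression.ZipFile]::Open($docx, 'Create')
try {
    $relsXml = @'
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="https://example.invalid/stage2.html" TargetMode="External"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
</Relationships>
'@
    $entry  = $archive.CreateEntry('word/_rels/document.xml.rels')
    $writer = New-Object System.IO.StreamWriter($entry.Open())
    try { $writer.Write($relsXml) } finally { $writer.Dispose() }
} finally { $archive.Dispose() }

# Stage-2 HTML: an ms-msdt: link carrying a base64-encoded, harmless command.
$encoded  = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes("Write-Host 'constructed sample'"))
$htmlPath = Join-Path $work 'stage2.html'
Set-Content -LiteralPath $htmlPath -Value "<script>window.location.href = 'ms-msdt:constructed?payload=$encoded';</script>"

Get-DocxExternalRelationship -Path $docx | Format-Table -AutoSize
Get-MsdtHtmlPayload -Path $htmlPath | Format-Table -AutoSize
```

Run the script on a suspicious attachment by pointing the two functions at the real files instead of the constructed ones; the first call should report the remote target, the second the decoded command, with nothing ever handed to MSDT or PowerShell.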

Follina is particularly problematic. By default, Word opens .docx files in Protected View, and the code only runs if the user clicks “Enable Editing”. However, if the document is in .rtf format, this protection is not applied. Worse, in that case it is enough to select the file in File Explorer, without opening it, for the code to run.

A demonstration of how Follina works on an updated version of Office 2021. © Didier Stevens

A report Microsoft had already dismissed in April

The code works on all versions of Microsoft Office since at least 2013, including Office 2021, even with all updates applied. It turns out that the problem had already been reported to Microsoft in April by Shadow Chaser Group, a team of students hunting vulnerabilities. An employee named John at the Microsoft Security Response Center (MSRC) then simply replied that it was not a security issue and that the submitted sample did not work on his machine. Microsoft seems to have changed its mind, since on May 30 the firm registered the flaw under the reference CVE-2022-30190.

Currently, there is no easy way to protect against this attack. While waiting for an update, the most common solution seems to be editing the registry so that Word can no longer launch the diagnostic tool. To do this, create a DWORD value named EnableDiagnostics under HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics and set it to 0.

Be warned, though: this workaround is for advanced users only. A mistake while editing the registry can damage the system and prevent the computer from starting.
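Both registry workarounds mentioned on this page, deleting the HKEY_CLASSES_ROOT\ms-msdt key after backing it up (Microsoft's guidance in the first article) and setting EnableDiagnostics to 0 under the ScriptedDiagnostics policy key (the paragraph above), can be applied, verified and undone with the PowerShell below. It is an added example written for this page, not Microsoft's own script; the function names and the backup folder under $env:ProgramData are assumptions. Run it from an elevated session, and keep the exported .reg file so the handler can be restored once a patch ships.

```powershell
# Added example for this page, not Microsoft's script. Function names and the
# backup folder are assumptions. Requires an elevated (Administrator) session.
$ErrorActionPreference = 'Stop'

function Assert-Elevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated (Administrator) PowerShell session.'
    }
}

# Workaround 1 (Microsoft's guidance): export the ms-msdt: URL handler key to a
# .reg file, and only then delete it. Returns the path of the backup.
function Disable-MsdtProtocol {
    param([string]$BackupDir = (Join-Path $env:ProgramData 'follina-backup'))
    Assert-Elevated
    New-Item -ItemType Directory -Force -Path $BackupDir | Out-Null
    $key    = 'HKEY_CLASSES_ROOT\ms-msdt'
    $backup = Join-Path $BackupDir 'ms-msdt.reg'
    if (Test-Path "Registry::$key") {
        & reg.exe export $key $backup /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Backup of $key failed; not deleting it." }
        Remove-Item -Path "Registry::$key" -Recurse -Force
    }
    return $backup
}

# Workaround 2 (the policy route): forbid scripted diagnostics entirely by
# creating EnableDiagnostics = 0 (DWORD) under the ScriptedDiagnostics policy key.
function Disable-ScriptedDiagnostics {
    Assert-Elevated
    $path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics'
    New-Item -Path $path -Force | Out-Null
    New-ItemProperty -Path $path -Name EnableDiagnostics -PropertyType DWord -Value 0 -Force | Out-Null
}

# Check both mitigations; each field is $true only when that gap is closed.
function Test-FollinaMitigation {
    $handlerGone = -not (Test-Path 'Registry::HKEY_CLASSES_ROOT\ms-msdt')
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics' `
                               -Name EnableDiagnostics -ErrorAction SilentlyContinue
    [pscustomobject]@{
        MsdtHandlerRemoved          = $handlerGone
        ScriptedDiagnosticsDisabled = ($null -ne $policy -and $policy.EnableDiagnostics -eq 0)
    }
}

# Undo workaround 1 by re-importing the exported key (also needs elevation).
function Restore-MsdtProtocol {
    param([Parameter(Mandatory)][string]$BackupFile)
    Assert-Elevated
    & reg.exe import $BackupFile
}

# Usage: apply both workarounds, then confirm the state.
$backupFile = Disable-MsdtProtocol
Disable-ScriptedDiagnostics
Test-FollinaMitigation
"ms-msdt key exported to $backupFile; run Restore-MsdtProtocol -BackupFile '$backupFile' to undo."
```

The export step is the safety net the article's warning calls for: if reg.exe cannot write the backup, the key is left in place rather than deleted. Removing the policy value later is a matter of Remove-ItemProperty on the same path.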
