SOC 173 - Follina 0-Day Detection
Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability, CVE-2022-30190
Severity: Medium
EventID: 123
Event Time: Jun 02, 2022, 03:22 PM
Rule: SOC173 - Follina 0-Day Detected
Level: Security Analyst
Source Address: 172.16.17.39
Hostname: JonasPRD
File Name: 05-2022-0438.doc
File Hash: 52945af1def85b171870b31fa4782e52
File Size: 10.01 KB
AV Action: Allowed
Alert Trigger Reason: msdt.exe executed after Office document
From the alert details we can see that the AV Action is "Allowed", meaning no remediation took place on the endpoint.
Next we'll take the hash of the file that triggered this alert, 52945af1def85b171870b31fa4782e52, and check its reputation to get an idea of whether the file is known to be malicious.
First, we'll check the hash in VirusTotal.
The VirusTotal results confirm that the file is indeed malicious. We can also see that its tags include CVE-2022-30190, the RCE vulnerability called "Follina" associated with Microsoft Office products.
Now we'll want to find out how exactly this piece of malware made it onto the system. With that in mind, we'll look at the host, JonasPRD. One way to approach this is to search for the file "05-2022-0438.doc". Sure enough, we find that it originated from an email.
Now that we have the file and a confirmed case of phishing, we'll want to perform malware analysis. To automate and simplify this step, we'll use a free sandbox such as AnyRun to perform a dynamic analysis of the file.
After submitting the file and running the dynamic analysis, we see that the sandbox flagged the vulnerability upon detonation of the file. We can also see that there was a DNS request to xmlformats[.]com. Optionally, we can also run this domain through VirusTotal to get its reputation score as additional evidence for our analysis.
We can also check the network traffic to see if the host communicated with the malicious domain. Looking back at the host details and its IP address, we can see that it did indeed communicate with xmlformats[.]com, which resolved to the destination IP address 142[.]105[.]65[.]149.
Pivoting to the host's processes, we can see that it exhibited some sketchy behavior as well.
Now that we've confirmed this is a true positive, we can contain the host to prevent further infection of other devices in the network and sever its existing connection.
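As an added example (not part of the original write-up or the LetsDefend platform), here is the detection logic behind the alert trigger and the network IOC check described above, in Python, run over constructed process and DNS events; the event field names and the list of Office parent processes are assumptions.

```python
import ntpath
# Office parents that should not be spawning msdt.exe (assumed list).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Network IOCs from this case: the contacted domain and the IP it resolved to.
IOC_DOMAINS = {"xmlformats.com"}
IOC_IPS = {"142.105.65.149"}

# Constructed events with assumed field names (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "process", "host": "JonasPRD",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\msdt.exe"},
    {"type": "process", "host": "JonasPRD",  # admin-launched, benign
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msdt.exe"},
    {"type": "dns", "host": "JonasPRD",
     "query": "xmlformats.com.", "answer": "142.105.65.149"},
]

def basename(path):
    return ntpath.basename(path).lower()  # handles backslashes on any OS

def office_spawned_msdt(event):
    """The alert trigger: msdt.exe whose parent process is an Office app."""
    if event.get("type") != "process":
        return False
    return (basename(event["image"]) == "msdt.exe"
            and basename(event["parent"]) in OFFICE_PARENTS)

def ioc_matches(event):
    """Return (kind, value) pairs for this case's IOCs seen in a DNS event."""
    hits = []
    query = event.get("query", "").lower().rstrip(".")  # drop trailing dot
    if query in IOC_DOMAINS:
        hits.append(("domain", query))
    if event.get("answer") in IOC_IPS:
        hits.append(("ip", event["answer"]))
    return hits

def evaluate(events):
    """Run both checks over the events; one finding per hit, in event order."""
    findings = []
    for ev in events:
        if office_spawned_msdt(ev):
            findings.append({"rule": "SOC173 - Follina 0-Day Detected",
                             "host": ev["host"], "detail": ev["parent"]})
        for kind, value in ioc_matches(ev):
            findings.append({"rule": f"IOC match ({kind})",
                             "host": ev["host"], "detail": value})
    return findings
```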
Hash: 52945af1def85b171870b31fa4782e52
Filename: 05-2022-0438.doc
Email: radiosputnik[@]ria[.]ru
Domain: xmlformats[.]com
An alert was received upon detection of behaviors associated with the Follina zero-day vulnerability. The malicious file was delivered via email from the malicious sender radiosputnik[@]ria[.]ru, disguised as an interview request with a document attachment. The user opened the document and the host became compromised, communicating with a malicious C2 server. The SOC was able to contain the host to prevent lateral movement within the network and sever its current connection to the malicious IP. IOCs were collected and added to threat intelligence to prevent future attacks.
https://www.hackthebox.com/blog/cve-2022-30190-follina-explained - Follina Zero-Day
https://any.run/ - Free dynamic sandbox analysis
https://www.virustotal.com/ - Free analysis of files, URLs, IPs