A few days ago, the security researcher known as “nao_sec” reported the detection of a specially crafted Word document that exploits a zero-day vulnerability in Microsoft Office, allowing arbitrary code execution simply by opening the malicious file.
The sample, uploaded from Belarus to the VirusTotal platform, was analyzed by expert Kevin Beaumont, who reports that the document uses Word’s remote template feature to retrieve an HTML file from a remote web server; that HTML file then uses the ms-msdt protocol handler (Microsoft Support Diagnostic Tool) to load and execute PowerShell code.
Beaumont mentions that the code runs even when macros are disabled on the target system, and that Microsoft Defender does not appear to prevent the attack: “Although Protected View is activated, if you change the document to RTF format the malicious code will run without even opening the document.”
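As an added example (not from the original report or from the researchers cited), the following Python triage script inspects a .docx for the two indicators this chain relies on: a relationship that makes Word fetch a remote template or OLE object when the file is opened, and any `ms-msdt:` URI inside the package. The sample document and its URL are constructed for the demonstration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
REL_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Relationship types that cause Word to fetch content from a URL on open
# (hyperlinks are also external but are not followed automatically, so they are ignored).
FETCH_ON_OPEN_TYPES = {REL_BASE + "attachedTemplate", REL_BASE + "oleObject"}
MSDT_SCHEME = re.compile(rb"ms-msdt:", re.IGNORECASE)


def find_remote_refs(docx_bytes):
    """Return (part, kind, detail) findings for remote-fetch relationships and ms-msdt: URIs."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            if name.endswith(".rels"):
                for rel in ET.fromstring(data).iter(RELS_NS + "Relationship"):
                    target = rel.get("Target", "")
                    external = rel.get("TargetMode") == "External"
                    if external and rel.get("Type") in FETCH_ON_OPEN_TYPES \
                            and target.lower().startswith(("http://", "https://")):
                        kind = rel.get("Type").rsplit("/", 1)[-1]  # e.g. attachedTemplate
                        findings.append((name, kind, target))
            if MSDT_SCHEME.search(data):
                findings.append((name, "ms-msdt-uri", "ms-msdt: scheme present"))
    return findings


def build_sample_docx(template_url=None):
    """Constructed minimal .docx fixture (not a real sample). With a URL, it carries a
    remote attachedTemplate relationship; without one, the template reference is internal."""
    if template_url:
        rel = f'<Relationship Id="rId1" Type="{REL_BASE}attachedTemplate" Target="{template_url}" TargetMode="External"/>'
    else:
        rel = f'<Relationship Id="rId1" Type="{REL_BASE}styles" Target="styles.xml"/>'
    rels = ('<?xml version="1.0" encoding="UTF-8"?>'
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            + rel + '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for hit in find_remote_refs(build_sample_docx("http://example.invalid/template.html")):
        print("FLAG", *hit)
```

Run it against real files by passing the bytes of any .docx to `find_remote_refs`; a hit of kind `attachedTemplate` or `oleObject` means the document will reach out to that host on open and should be detonated in a sandbox rather than on an analyst workstation.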
The flaw was dubbed “Follina,” a nod to the malicious file’s reference to 0438, the area code of a small Italian town. The researcher and other members of the cybersecurity community confirmed that the known exploit achieves remote code execution on several versions of Windows and Office, including Office Pro Plus, Office 2013, Office 2016, and Office 2021.
The exploit does not appear to work on recent versions of Office or on Windows Insider builds, which could mean Microsoft is already working to address the issue. Beaumont believes, however, that the exploit could be made to work on those versions with some modifications.
A hacking group hosted a domain on Namecheap for use as a C&C server; the hosting company quickly took the site down. The cybersecurity community has proposed several mitigation mechanisms, so a wave of active exploitation is considered very unlikely.
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and began working as a cyber security analyst in 2003. He currently works as an anti-malware expert and has previously worked for security companies such as Kaspersky Lab. His day-to-day work involves researching new malware and cyber security incidents, and he has deep knowledge of mobile security and mobile vulnerabilities.