Season 2, EP 7

Hunting Follina

September 7, 2022 | Paul Roberts

We chatted with ReversingLabs Malware Researcher Joseph Edwards about his research on the Follina Exploit.

EPISODE TRANSCRIPT

PAUL ROBERTS
Hey everybody, welcome back to another episode of ConversingLabs podcast. This is ReversingLabs' podcast focused on threat intelligence, threat research, and software assurance. We're here with the best thinkers, researchers, minds in cybersecurity. And back with us today for another discussion is Joseph Edwards. Joseph is a threat analyst here at ReversingLabs. Joseph, welcome back.

JOSEPH EDWARDS
Good, thank you for having me again, Paul.

PAUL ROBERTS
So Joseph, we had you back into the studio to talk about some research that you did that we published on the ReversingLabs blog, taking a look at how the Follina exploit in this Microsoft application. Microsoft Diagnostic tool is being used to deliver malicious payloads online and you looked at kind of some of the different ways in which Follina is being used. This is a fairly recent remotely exploitable vulnerability that was discovered, it was discovered in May, patched in June by Microsoft. I think probably a good place to start is what is Follina and why is it so dangerous?

JOSEPH EDWARDS
CVE-2022-30190, it's nicknamed Follina and we'll refer to it as Follina just because it's less of a mouthful.

PAUL ROBERTS
Which is interesting actually, do you know why it's called Follina?

JOSEPH EDWARDS
Is it Italian for mouthful?

PAUL ROBERTS
No, I think there's a digit, there's a sequence of digits in the malware that is basically the postal code for Follina, Italy, which is a community in Torito, Italy or something. And so somebody made a connection between that digit sequence and Follina and that's why it's called Follina. It's a weird little sequence, 31051.

JOSEPH EDWARDS
I don't know if that is necessarily something I've seen. 

PAUL ROBERTS
But while this seems interesting, the name is not so important. Names come... An executable file called 05-2022-04-38, it's the dialing code, not the area code, not the postal code, 0438 is the dialing number for Follina. So while it's a clever name, it actually has nothing to do with the vulnerability. There we go. Area code, not the postal code. My bad. Okay, maybe they should start looking at like astrological signs for naming malware.

JOSEPH EDWARDS
Yeah, I mean, when it's an exploit, there's thousands of exploits every year. It's difficult to make them stand out.

PAUL ROBERTS
It is. There are only so many Heartbleeds out there. Right. So first question, Joseph, this Follina exploit that you analyzed, again, it's being used to deliver all kinds of malware. What is this vulnerability, this remotely exploitable vulnerability, and why is it so serious? It's fairly recently discovered, I think. In May, Microsoft patched it in June. Why is it everywhere now?

JOSEPH EDWARDS
The Follina exploit, also known as CVE-2022-30190, it's basically a vulnerability in the Microsoft Support Diagnostic tool, which is that little pop up window when you are trying to open up a file, but it's not a recognized file format. So Microsoft wants to know what program you want to use to open it. Basically you can specify on the command line a bunch of parameters that you want a certain file to be executed in. And supplying those parameters is where we have a vulnerability where PowerShell commands can actually be executed under MSDT. So the way we've seen it being exploited is you will have an open XML or Office document or rich text format (RTF) document, and they embed OLE objects that's object linking and embedding. So this embedded OLE object is embedded as most of the files that I saw, they were embedded as relations. So you'll go into your Office document and you'll have relations either locally, so you could have like an image in your Word document described in the relations, or in this case we noticed that the malicious documents were having external relations that were defined as OLE objects. Basically automatically when you open the Word document without enabling macros, you have a link to an externally hosted HTML file. So this document links to an HTML file object, and this HTML file actually has a JavaScript payload, and that JavaScript payload actually triggers the MSDT protocol handler and it passes to that protocol handler encoded PowerShell commands. So that is what we saw across the samples that I found during this research. I will say that it's not necessarily the way it needs to be exploited. There are other potential ways of exploiting this, but we can see that the proof of concept and all of the sort of tooling that has been developed around exploiting this vulnerability is trying to place the vulnerability in with existing attack technologies like phishing documents. 
You don't necessarily need to exploit it with this method of Word document to HTML file containing JavaScript and PowerShell, but because of the way it's being exploited, that's the way I needed to hunt it. For this research you have stage one, which is either an XML document or RTF or Microsoft Word document, and then you have stage two, which is the HTML containing the JavaScript containing the PowerShell.

PAUL ROBERTS
So you're researcher at ReversingLabs, you obviously have access to the Titanium, the file lake of billions of malware files. How do you find these particular examples of this Follina exploit being used? What are you looking for?

JOSEPH EDWARDS
Sure, in this case it wasn't very difficult to hunt for the two stages. I did have two separate YARA signatures. YARA is definitely the tool of choice for hunting for me, and in this case, the signatures that I needed to make were plain text. It wasn't that I needed to make signatures based on assembly code. And that's one thing that makes this exploit interesting: the barrier to entry is pretty low. Even before people were making proofs of concept and tools that could embed a certain URL or PowerShell into these Word documents and HTML, before that point it was very clear that you could take a template of XML and put in literally the characters that were used to embed this OLE object. You could do this in a text editor. So the things that I was looking for were plain text. There are strings involved with embedding an OLE object in an XML file. So OLE object is what I was looking for. I was looking for an external target, an externally hosted HTML file. It didn't necessarily have to be HTML, so I made sure my search was broad enough to try to get outliers, to try to get the few people who would modify the proof of concept to evade automatic detection. So there was one signature based on the XML file embedding an external OLE object, and then there was another signature based on the HTML file itself, because the commands that were passed to MSDT, the parameters based on skipping any type of human interaction and passing this encoded PowerShell in, they had to employ certain parameters. And we saw that basically every HTML file that exploited Follina used these parameters.

PAUL ROBERTS
And from an attacker standpoint, this is a very useful exploit, like you said, because it's easy to leverage, it doesn't require you to authenticate, right? You basically can pass it to your victim, and you don't need any additional interaction from an attacker standpoint to run your malicious code on their system. And it's also leveraging something that my guess is basically a standard component of all modern Windows systems, right?

JOSEPH EDWARDS
Definitely.

PAUL ROBERTS
Yeah, so that's attractive for attackers. You know, it's there, you know the vulnerability exists unless it's been patched, and you don't need any user and passwords to execute your code.

JOSEPH EDWARDS
Exactly.

PAUL ROBERTS
Talk about what some of the methodologies you saw in the samples that you found online of these exploits for how Follina was being used specifically to gain control over these victim systems. You found a bunch of different kind of methodologies at work.

JOSEPH EDWARDS
The samples that I chose were interesting because once I ruled out the false positives and the sort of proof of concept files that people had uploaded to various repositories, we had a couple that were very interesting. One of them that stood out to me was curious because the encoded PowerShell commands, once you decode them, they force the user to mount an external share as a network share. So there's an IP address, and this IP address had WebDAV, which is basically a file share, and it used the net use command on the victim to mount as a local network share. The victim logs in with the provided user and password. So this makes it difficult for automated tools to get that payload out without the username and password. And so you can see that the attacker was trying to hide those payloads even though they are publicly available. You get into this encoded PowerShell, you decrypt it, and the username and password are right there. But if you don't have that information, it's difficult for you to recover those payloads. And so I, in the course of doing research on this sample, manually extracted those payloads from their server using the provided username and password and found that they had a very interesting Cobalt Strike sample that used some interesting obfuscation and evasion methods.

PAUL ROBERTS
And Cobalt Strike is a really common persistent access tool, right, that's used in a lot of APT attacks and so on to facilitate access to victim networks. Talk about what it means to find Cobalt Strike being used in association with this particular, these Follina attacks.

JOSEPH EDWARDS
So, Cobalt Strike is a very well known post exploitation framework. Once you have some kind of foothold on some type of victim service and you want more capabilities like additional persistence, lateral movement, injecting into other processes to avoid detection, Cobalt Strike can do all of these things, and it's a very commonly used tool for both Red Team operators and malware operators. So it is definitely an indication of more intent than just something like a cryptominer or any other method of just having a foothold on a computer. If you want to hijack the resources of one computer, Cobalt Strike usually shows that you want further access into systems.

PAUL ROBERTS
One of the interesting things you found as well is that the attackers were doing payload obfuscation using syscalls, which you said is a way to avoid API monitoring. And that was fairly, you don't see that used that frequently. Can you just talk about that strategy and what that says about, I guess, the awareness of attackers of the different types of detection capabilities that they may encounter?

JOSEPH EDWARDS
This was definitely a very interesting technique to see because typically you have, I would say, entry level malware where they're not hiding any of their APIs, right. If they're attempting to inject a process, they're going to open the process handle using the OpenProcess API, attempt to use the WriteProcessMemory API. You'll see these in your sandbox, you'll see them when you run the malware and you're using API monitoring tools, and the EDRs will see them when they are hooking these modules, basically watching for those API calls. And in this case, in order to avoid that, the malware actually passes a hash of the API it's going to use to a specific function and that function passes a value to syscall. It's one of the lowest level ways in which you can invoke a function. And this can bypass a lot of the API hooking or API monitoring. It won't show up in your sandbox as having executed these APIs unless you are also enumerating syscalls and getting information and introspection on syscalls, which is not something that is super common for sandboxes. So it was very interesting to see, and then attempting to hunt for more samples, I realized that it is a pretty rare technique.

PAUL ROBERTS
So revealing a certain degree of sophistication in this particular instance with the Follina exploit, if they're again worried about API monitoring, shows a level of kind of awareness and maybe infer something about potential victims for these as well, right?

JOSEPH EDWARDS
Right. Between the username and password access required to retrieve the payloads and the amount of obfuscation they put into the sample, I would say that they were very concerned about not burning their samples, as it were, or not allowing their samples to be easily found. And this was an open source sample; it's not one of our private samples where this was associated with a specific customer. Even if this were a sample that was allowed out in the wild in order to test how quickly malware researchers respond to it, it does show a certain level of sophistication, and perhaps they are planning to use a similar technique in a larger campaign.

PAUL ROBERTS
I mean, one of the things that you discovered is that this Follina exploit is really powerful enough that a skilled attacker could really leverage it and kind of live off the land with tools like PowerShell and so on, really without needing to place malware, an external malware program, in the environment to get what they wanted, which is credentials, access and so on. That this could really be a way of really sort of leveling up the living off the land attacks using this Follina exploit. Is that what you think really we are going to see, at least amongst those organizations that fail to patch this?

JOSEPH EDWARDS
Yeah, and I definitely agree with that. I think the use of PowerShell cmdlets, especially in one of the other samples that I had where the final payload was mostly PowerShell, I think it's definitely very interesting how often PowerShell can be reflectively loaded into processes to avoid dropping artifacts to disk. Things that happen only in memory, basically. Mostly EDR, enterprise detection and response agents, and some of the next gen AVs are doing enough memory scanning to detect PowerShell in memory. But hiding artifacts from the disk and living off the land are definitely techniques we see from advanced attackers, and it's definitely much more difficult for defenders to distinguish the stages as well when everything happens in memory.

PAUL ROBERTS
Right, and you noted actually that in one of the exploit chains that you analyzed, they were invoking the Mimikatz kind of credential stealing tool also in memory. So able to harvest credentials directly from memory without needing to write to disk, again, another way to sort of avoid detection or avoid arousing the suspicion of endpoint detection programs as well.

JOSEPH EDWARDS
Yes, it was definitely interesting to see that the threat actor that was using the PowerShell payloads kind of chained together an exploit chain too. They were very explicit in this PowerShell script about what credentials they were trying to extract from the various browsers, what information they were trying to extract from the host. It's all kind of there in plain text, and their method for exfiltrating it using zip files, the way they persist using scheduled tasks, and then of course, as you said, the way that they use Invoke-Mimikatz, which is a tool that is already written, it's already out there in the wild. They had a reflectively loaded version of it. So they were able to not drop it to disk; they were able to download and execute it in memory. There wasn't a lot of customization of some of these tools like Invoke-Mimikatz. So it's definitely interesting to see that with the help of just some PowerShell knowledge, threat actors can make the most of the Follina exploit.

PAUL ROBERTS
So what should organizations out there do to prepare for this? Obviously the first recommendation is to apply the patch that Microsoft released in June for the Follina exploit and apply that to any affected systems. We know that many organizations are slow to do that. What are some things that they can do, both to remediate the risk Follina poses and also to monitor their environment for telltale signs that Follina might be used against them?

JOSEPH EDWARDS
On the patching/vulnerability workaround side of things, of course, patch management can be a difficult process, but researchers have recommended, and I think I also recommend, disabling the MSDT protocol handler. There are a lot of different protocol handlers in Windows and not a lot of them have gotten a lot of security research. So there's a lot that kind of go unused and undocumented, and disabling that protocol handler via group policy could be a good workaround in the meantime, while getting that patch deployed. As far as detection, there has been a little bit of study of the registry keys and logs that can show Follina exploitation. I won't get into the weeds on the registry right now...

PAUL ROBERTS
It's in your post.

JOSEPH EDWARDS
Right, for incident responders and digital forensics analysts there are signs of exploitation and it's just as easy for any Blue Teamer or defender to run one of these very light exploits on a virtual machine and see the changes that happen when that request goes out from that Word document.

PAUL ROBERTS
I mean, it's really interesting to me when you look at this MSDT tool and you're like so this is like something that gets invoked when they've got some file that they don't know how to execute or what to open with. You'd think that that would have been an application or a function that got a lot of attention from within Microsoft for their own kind of Red Team or Pentesting team given how it works, right? And yet there was this remotely exploitable vulnerability. I wonder if we're going to see either more investigation by malicious actors into these types of protocol handlers within Windows or more investigation into MSDT going forward, given what we've seen just in the last month.

JOSEPH EDWARDS
Yes, a lot of things come to mind because for the cybersecurity industry it seems like vulnerabilities are coming out every day and everything is new. But as far as this, like you said at the beginning, the MSDT tool has been in Microsoft for a very long time. And I was looking on Twitter and seeing that some of the more veteran, older defenders were sort of pointing out these protocols, these protocol handlers aren't new, they've been around, and exploits have been theorized. It's really about how easy it is for an attacker to go from that theory to practice. And so, as somebody who's interested in file format exploits, and all types of ways that you can wrap a file in order to confuse the execution, I can see it being very difficult to deal with a protocol handler like that, that has to recognize a bunch of different files and make the correct determination. So I would expect to see a lot more scrutiny on this protocol and other protocol handlers.

PAUL ROBERTS
Yes. And this is something we're seeing a lot. I mean, we're seeing it with active directory, too, right, which is we've got a lot of technology debt out there. We've got a lot of legacy code. It's been around for a couple of decades. It's still incredibly widely used, but is showing its age in some ways, right? And yet, moving off of these platforms, whether it's AD or something else, is easier said than done, so we need to find a way to deal with it in the meantime.

JOSEPH EDWARDS
Definitely.

PAUL ROBERTS
Hey, Joseph Edwards, thanks so much for coming back and speaking to us again on ConversingLabs podcast. It's been great speaking with you.

JOSEPH EDWARDS
My pleasure.

PAUL ROBERTS
We'll do it again.

About Author: Paul Roberts

Content Lead at ReversingLabs. Paul is a reporter, editor and industry analyst with 20 years’ experience covering the cybersecurity space. He is the founder and editor in chief at The Security Ledger, a cybersecurity news website. His writing about cyber security has appeared in publications including Forbes, The Christian Science Monitor, MIT Technology Review, The Economist Intelligence Unit, CIO Magazine, ZDNet and Fortune Small Business. He has appeared on NPR’s Marketplace Tech Report, KPCC AirTalk, Fox News Tech Take, Al Jazeera and The Oprah Show.
