Published on May 31, 2022

Threat Analysis: MSDT Exploit with maldocs

Defend against latest MSDT Exploit (CVE-2022-30190)

A vulnerability recently disclosed in the Microsoft Support Diagnostic Tool (msdt), CVE-2022-30190, allows malicious Microsoft Office documents to execute arbitrary code without the use of macros while bypassing detection by many EDR platforms. The vulnerability has been exploited in the wild for at least a month, as discovered by security researchers analyzing malicious documents uploaded to public sandbox environments. At the time of writing, there is no software update that resolves the vulnerability. Fortunately, ReaQta will alert on successful execution of the exploit because of the anomalous behavior it causes in the affected Microsoft Office application.

Malicious documents exploiting CVE-2022-30190 were first observed by security researchers in April, and the vulnerability was reported to Microsoft, which at the time did not deem it a problem. On 27 May, a malicious document exploiting CVE-2022-30190 was uploaded to VirusTotal and then publicly identified on Twitter by the security researcher “nao_sec”. Another security researcher, Kevin Beaumont, published an analysis of the vulnerability and dubbed it “Follina”. Currently, multiple proof-of-concept exploits are publicly available.

As Microsoft announced earlier this year that Office macros would be blocked by default in files retrieved from the Internet, threat actors have shifted to new techniques for the initial delivery of malicious tools. Exploiting CVE-2022-30190 is one such technique. Using the remote template feature of Office documents, a threat actor invokes the msdt application via its URL protocol. Arbitrary code following the call to msdt is then executed with the privileges of the calling application. This technique can also be used with Rich Text Format (rtf) documents, bypassing the need for the Microsoft Office suite to be installed on the endpoint: the exploit runs as soon as the rtf document is previewed in Microsoft Explorer.
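As an added illustration of the document-level indicator (not ReaQta's code or any tool described here), the following Python checks a .docx for the remote-template relationship the technique relies on; the two sample documents and the example.invalid URL are constructed for the example, and a real file would carry many more package parts.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # for untrusted files prefer defusedxml

# OOXML relationship type Word uses for a document's attached template.
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# Package part that records the attached-template link in a .docx.
SETTINGS_RELS = "word/_rels/settings.xml.rels"

def external_templates(docx_bytes):
    """Return targets of attached-template relationships marked External.
    Local templates are External too (file:/// paths), so inspect the scheme."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if SETTINGS_RELS not in z.namelist():
            return hits  # no attached template recorded at all
        root = ET.fromstring(z.read(SETTINGS_RELS))
        for rel in root.iter(RELS_NS + "Relationship"):
            if (rel.get("Type") == ATTACHED_TEMPLATE
                    and rel.get("TargetMode") == "External"):
                hits.append(rel.get("Target"))
    return hits

def is_suspicious(docx_bytes):
    """True when the document loads its template from a remote web server."""
    return any(t.lower().startswith(("http://", "https://"))
               for t in external_templates(docx_bytes))

def build_sample(rels_xml):
    """Constructed minimal .docx holding only the part the check reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(SETTINGS_RELS, rels_xml)
    return buf.getvalue()

_RELS = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/'
         '2006/relationships"><Relationship Id="rId1" Type="%s" Target="%s" '
         'TargetMode="External"/></Relationships>')
# Constructed samples: a normal local template and a remote (web) template.
BENIGN = build_sample(_RELS % (ATTACHED_TEMPLATE,
                               "file:///C:/Users/user/Templates/Normal.dotm"))
REMOTE = build_sample(_RELS % (ATTACHED_TEMPLATE,
                               "http://example.invalid/template.html"))

if __name__ == "__main__":
    print("benign:", is_suspicious(BENIGN))  # False
    print("remote:", is_suspicious(REMOTE))  # True
```

A remote template target alone does not prove exploitation, since the fetched template is what carries the msdt call, but it is the document-side signal worth quarantining and reviewing.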

While the vulnerability was not widely known until 30 May, ReaQta protected its users because the anomalous behavior of the Microsoft Office application was immediately detected.

An analyst investigating the Hive alert would also see all post-exploitation activity of the malicious document.

In the detection shown above in ReaQta’s Hive, an rtf document was previewed in Explorer on the endpoint, which initiated the exploit.

CVE-2022-30190 provides threat actors with a trivial exploit that requires little user interaction. For most documents, a user need only open the document, with no observable malicious behavior following; for rtf documents, simply previewing the document in Explorer suffices, even without the Microsoft Office suite installed. Given its ease of use and minimal user interaction, CVE-2022-30190 will likely grow in adoption by threat actors, so users of unprotected endpoints will face a growing threat.

As there is currently no security patch, Microsoft advised users in a 30 May advisory to disable the MSDT URL protocol by deleting the registry key HKEY_CLASSES_ROOT\ms-msdt. Additional mitigation measures can include disabling the preview pane in Microsoft Explorer. While many Microsoft Office users are vulnerable to CVE-2022-30190, not all versions of Microsoft Office appear to be affected, though Microsoft has not yet published an authoritative list of affected versions. Until a security patch is available, users of ReaQta remain protected, as successful exploitation triggers an alert in real time.

To learn more about what makes ReaQta unique, please visit Why ReaQta and apply for a demonstration.