Maldocs Are Evolving

Unless you have been living under an infosec rock the past couple of weeks, you probably heard about the Follina exploit, which allows attackers to achieve remote code execution via ms-msdt. We will get to some more specifics about exactly how Follina works in a minute, but I want to take a look at what may have contributed to the rise of this technique and look at if we should expect more of this style of attack in the future.

Office documents have a long history of being used by attackers as the initial infection method. In fact, they were still one of the primary methods of delivery according to this year’s DBIR, but crucially this year, Microsoft made a major announcement about how they would handle macros from the internet. They would start blocking them by default.

For years, Microsoft has been stepping up security on Macros adding a number of warnings for users that they have to click through, but they still remained a popular attack vector as it was pretty easy to craft lures that would entice the user to click through those warnings. Microsoft finally took the final step of simply blocking them by default (Although I suspect that many organizations will just re-enable them, but that’s a discussion for another day).

So with one of attacker’s favorite attack vectors hamstrung, is it any surprise that an alternative attack was seen within 3 months of the announcement? Now I don’t have any direct threat intel to prove that connection, but it seems too unlikely to be a coincidence. Follina also shares some similarities with a much older attack technique known as Template Injection, which has been around since at least 2017. This attack involves modifying a benign word document to open and load a new remote template pulled down from an attacker-controlled server that then loads and executes a malicious macro. This allows an attacker to send an email with a benign document attached and then load code at runtime after it has passed through a victim’s email filters and other defensive mechanisms and allows for the less suspicious .docx extension.

This is possible because Office documents are really just a specially crafted zip archive. If you unzip a word file and then go into the folder, it will look like this:

I am skipping a few precursor steps, but there are a bunch of different files inside this archive and for the purpose of template injection, you only need to modify one file .\<Doc>\word\_rels\setings.xml.rels. At which point you can modify the attached Template entry to point to a remote malicious template:

So why talk about all this? Well, Follina starts the entire chain off through the same principle of modifying a file within the zip archive to point to a remote resource. However, it points to a remote HTML file instead of pointing to a word template. This is achieved by modifying the .\<Doc>\word\_rels\document.xml.rels file instead. After that, there are some constraints that the HTML file must follow in order to achieve the code execution. John Hammond posted an excellent walk-through.

Follina is related to a technique that has been around for a long time, so why did it take so long to be exploited? First, it turns out that the ms-msdt attack path was actually published all the way back in 2020. After posting his initial blog post about Folina, Kevin Beaumont was able to find a bachelor’s thesis published in 2020 that identified the issue along with several other URI schemes that could be used as well. Second, I would argue that it wasn’t until recently that Microsoft made it challenging enough for attackers to execute macros that they started moving on to more exotic attack methods. Macros are easy to write and reliable, not to mention that breaking signatures for them is not hard. It also turns out that the Office URI scheme appears to be an extensive attack surface. As researchers and attackers dig more into this, I expect to see more of these styles. Not to mention other means of circumventing the lockdown on macros through things like using container file types such as isos and zips. The maldoc may be evolving, but it’s a long way from dead.

Here’s a video of using an Empire implant as the Follina payload. With available POCs such as this one, it’s very easy to utilize this with pretty much any C2 framework. It’s no wonder that within a few days of the exploit being published we started seeing it utilized in the wild. Fortunately, Microsoft finally released a patch this past Tuesday.