An unofficial security patch has been made available for a new zero-day Windows vulnerability in Microsoft Support Diagnostic Tool (MSDT), even as the Follina flaw continues to be exploited in the wild.
The issue, dubbed DogWalk, is a path traversal flaw that can be exploited to drop a malicious executable into the Windows Startup folder when a target opens a specially crafted ".diagcab" archive containing a diagnostic configuration file.
The payload then runs the next time the victim logs in after a reboot. The vulnerability affects every version of Windows from Windows 7 and Windows Server 2008 through the latest releases.
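A .diagcab is a Microsoft Cabinet (CAB) archive, so a static check for the traversal described above is to read the archive's file table and flag any member name that would escape the extraction directory, without extracting anything. The following is an added example, not code from the page, 0patch or Microsoft. It assumes the traversal is carried in the member file names (the CFFILE szName fields of the MS-CAB layout) and that non-UTF names can be shown as single-byte text; the sample archives are constructed in memory and contain only a directory (no CFDATA blocks), which is all the check reads.

```python
"""Static check for path-traversal member names in a .diagcab (CAB) file table."""
import re
import struct

# MS-CAB fixed-size structures (little-endian).
CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")  # 36 bytes: signature, sizes, counts, flags
CFFOLDER = struct.Struct("<IHH")             # 8 bytes: coffCabStart, cCFData, typeCompress
CFFILE = struct.Struct("<IIHHHH")            # 16 bytes, followed by a NUL-terminated szName
ATTR_NAME_IS_UTF = 0x80                      # szName is UTF-8 rather than single-byte


def parse_cab_names(data: bytes) -> list:
    """Return the member names listed in a CAB file table; nothing is extracted."""
    if len(data) < CFHEADER.size:
        raise ValueError("too short to be a CAB")
    (sig, _r1, _cb_cabinet, _r2, coff_files, _r3, _v_minor, _v_major,
     _c_folders, c_files, _flags, _set_id, _i_cabinet) = CFHEADER.unpack_from(data, 0)
    if sig != b"MSCF":
        raise ValueError("not a CAB: bad signature")
    names, pos = [], coff_files
    for _ in range(c_files):
        if pos + CFFILE.size > len(data):
            raise ValueError("truncated CFFILE table")
        _cb, _uoff, _ifolder, _date, _time, attribs = CFFILE.unpack_from(data, pos)
        pos += CFFILE.size
        end = data.find(b"\0", pos)
        if end < 0:
            raise ValueError("unterminated szName")
        raw, pos = data[pos:end], end + 1
        # Assumption: non-UTF names are decoded as latin-1 for display purposes only.
        names.append(raw.decode("utf-8" if attribs & ATTR_NAME_IS_UTF else "latin-1", "replace"))
    return names


def traversal_reason(name: str):
    """Why a member name would land outside the extraction directory, or None."""
    if name.startswith(("\\\\", "//")):
        return "UNC path"
    if re.match(r"^[A-Za-z]:", name):
        return "absolute path with drive letter"
    if name.startswith(("\\", "/")):
        return "rooted path"
    if ".." in re.split(r"[\\/]", name):
        return "parent-directory traversal"
    return None


def scan_diagcab(data: bytes) -> list:
    """(member name, reason) for every entry that would write outside the target directory."""
    findings = []
    for name in parse_cab_names(data):
        reason = traversal_reason(name)
        if reason:
            findings.append((name, reason))
    return findings


def build_cab_directory(names) -> bytes:
    """Constructed test input: a CAB with one folder and a file table, no data blocks."""
    files = b""
    for n in names:
        attribs = 0x20 | (0 if n.isascii() else ATTR_NAME_IS_UTF)  # archive bit, UTF flag if needed
        files += CFFILE.pack(0, 0, 0, 0, 0, attribs) + n.encode("utf-8") + b"\0"
    coff_files = CFHEADER.size + CFFOLDER.size
    cb_cabinet = coff_files + len(files)
    folder = CFFOLDER.pack(cb_cabinet, 0, 0)  # data blocks would start after the table
    header = CFHEADER.pack(b"MSCF", 0, cb_cabinet, 0, coff_files, 0,
                           3, 1, 1, len(names), 0, 0, 0)  # version 1.3, one folder
    return header + folder + files


if __name__ == "__main__":
    # Constructed sample: two ordinary diagnostic members plus one traversing entry.
    sample = build_cab_directory(["DiagPackage.diagpkg", "TS_Main.ps1",
                                  "..\\..\\Startup\\update.exe"])
    for member, why in scan_diagcab(sample):
        print(f"SUSPICIOUS {member!r}: {why}")
```

Run it against a real .diagcab by passing the file's bytes to `scan_diagcab`; an empty result means every member name is relative and stays inside the extraction directory.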
DogWalk was publicly disclosed by security researcher Imre Rad in January 2020 after Microsoft, having acknowledged the report, declined to treat it as a security issue.
“There are a number of file types that can run code in this way but are technically not ‘executables,’” the tech giant said at the time. “And a number of them are considered unsafe for users to download/receive via email, even ‘.diagcab’ is blocked by default in Outlook on the web and elsewhere.”
While files downloaded from the internet or received via email carry a Mark-of-the-Web (MOTW) tag that records their origin and triggers the appropriate security warnings, 0patch’s Mitja Kolsek noted that MSDT does not check this flag and therefore opens the .diagcab file without any warning.
“Outlook isn’t the only delivery vehicle: this file is happily downloaded by all major browsers, including Microsoft Edge, by simply visiting (!) a website, and all it takes is a single click (or wrong click) in the browser’s download list to have it opened,” Kolsek said.
“No warnings are displayed in the process, unlike downloading and opening any other file known to be able to run [the] attacker’s code.”
The unofficial patches and renewed interest in the zero-day bug come as researchers track active exploitation of the “Follina” remote code execution vulnerability via malicious Word documents that abuse the “ms-msdt:” protocol URI scheme.
According to enterprise security firm Proofpoint, the flaw (CVE-2022-30190, CVSS score: 7.8) is being weaponized by a threat actor tracked as TA570 to deliver the QBot information-stealing Trojan (aka Qakbot).
“The actor uses hijacked threaded messages with HTML attachments which, if opened, drop a ZIP archive,” the company said in a series of tweets detailing the phishing attacks.
“The archive contains an IMG with a Word document, a shortcut file and a DLL. The LNK will run the DLL to start QBot. The document will load and run an HTML file containing PowerShell abusing CVE-2022-30190 used to download and run QBot.”
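For the Word-document stage of the chain described above, a useful triage step is to inspect the .docx package itself: the document is a ZIP of XML parts, and a remote payload is reached through a relationship marked `TargetMode="External"` (an oleObject rather than an ordinary hyperlink) in the document's .rels part, while the `ms-msdt:` scheme may also appear verbatim inside a part. The following is an added example, not Proofpoint's or Microsoft's code; it assumes those two indicators are what an analyst wants flagged, skips plain hyperlink relationships as expected noise, and builds its sample documents in memory with `example.invalid` hosts.

```python
"""Static triage of a .docx for external (non-hyperlink) relationships and ms-msdt: references."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
MSDT_SCHEME = re.compile(rb"ms-msdt:", re.IGNORECASE)


def scan_docx(data: bytes) -> list:
    """Return human-readable findings; an empty list means neither indicator was seen."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            body = z.read(info.filename)
            # Indicator 1: the ms-msdt: scheme anywhere in a part, regardless of encoding tricks in XML.
            if MSDT_SCHEME.search(body):
                findings.append(f"{info.filename}: references ms-msdt: scheme")
            if not info.filename.endswith(".rels"):
                continue
            # Indicator 2: an external relationship that is not a plain hyperlink (e.g. oleObject).
            for rel in ET.fromstring(body).iter(REL_NS + "Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                if rel_type == "hyperlink":
                    continue  # clickable links are external too; that alone is not the pattern
                findings.append(f"{info.filename}: external {rel_type} -> {rel.get('Target')}")
    return findings


RELS_OPEN = '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'


def build_docx(relationships: str, document_xml: str = "<document/>") -> bytes:
    """Constructed minimal .docx containing only the parts this scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", document_xml)
        z.writestr("word/_rels/document.xml.rels", RELS_OPEN + relationships + "</Relationships>")
    return buf.getvalue()


# Constructed samples (hosts are example.invalid; no real payload is referenced).
BENIGN = build_docx(
    f'<Relationship Id="rId1" Type="{OFFICE_REL}hyperlink" '
    f'Target="https://example.invalid/" TargetMode="External"/>')
SUSPICIOUS = build_docx(
    f'<Relationship Id="rId2" Type="{OFFICE_REL}oleObject" '
    f'Target="http://example.invalid/page.html" TargetMode="External"/>')

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, scan_docx(doc) or "no findings")
```

Pass the bytes of any .docx to `scan_docx`; a finding for an external oleObject relationship is a strong reason to pull the referenced URL in a sandbox rather than opening the document.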
QBot has also been used by initial access brokers to gain a foothold in target networks, which ransomware affiliates then abuse to deploy file-encrypting malware.
The DFIR Report earlier this year also documented how quickly QBot infections move, with the malware harvesting browser data and Outlook emails just 30 minutes after initial access and propagating the payload to an adjacent workstation around the 50-minute mark.