Nao_Sec cybersecurity researchers state the “odd-looking” MS Word document was uploaded on VirusTotal from a Belarus IP address.
Independent cybersecurity research group Nao_Sec has revealed startling details of a new zero-day vulnerability identified in Microsoft Office. Dubbed Follina, the flaw can be exploited in the wild, the researchers noted.
According to the researchers, the flaw is so named because the malicious sample references 0438, the area code of Follina, a municipality in the province of Treviso, Italy.
How Was the Flaw Discovered?
On May 27th, a Nao_Sec researcher posted on Twitter about discovering an odd-looking Word file titled 05-2022-0438.doc uploaded to VirusTotal from a Belarus-based IP address. The team, including researcher Kevin Beaumont, then started examining the malware.
Details of the Vulnerability
Further probing revealed that the zero-day could be abused to achieve arbitrary code execution on vulnerable devices running Windows. In their Twitter thread and blog post, Nao_Sec researchers explained that the attackers used MS Word’s external link feature to load an HTML file and then used the ‘ms-msdt’ URI scheme to execute PowerShell code.
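A defender-side triage check, added here as an example and not code from Nao_Sec or this article, that inspects a .docx for the two traits described above: an attached-template relationship that points at a web URL, and any reference to the ms-msdt scheme inside the package. The sample documents are constructed in memory and the example.invalid host is a placeholder, not an indicator from the article.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional

# Relationship type Word records for an attached template in word/_rels/settings.xml.rels
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"


def scan_docx(data: bytes) -> List[str]:
    """Return findings for a .docx (zip) given as bytes; an empty list means nothing flagged."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        rels = "word/_rels/settings.xml.rels"
        if rels in names:
            root = ET.fromstring(zf.read(rels))
            for rel in root.iter(REL_NS + "Relationship"):
                # A local .dotm template is normal; a template fetched over HTTP(S) is the
                # remote-template behaviour the article describes and is worth flagging.
                if rel.get("Type") == ATTACHED_TEMPLATE and rel.get("TargetMode") == "External":
                    target = rel.get("Target", "")
                    if re.match(r"(?i)https?://", target):
                        findings.append(f"remote template: {target}")
        # An Office document has no legitimate reason to carry the ms-msdt URI scheme
        for name in names:
            if name.endswith((".xml", ".rels", ".htm", ".html")):
                if b"ms-msdt" in zf.read(name).lower():
                    findings.append(f"ms-msdt reference in {name}")
    return findings


def build_sample(template_target: Optional[str]) -> bytes:
    """Build a minimal constructed .docx-like zip for testing (not the real 05-2022-0438.doc)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if template_target is not None:
            zf.writestr(
                "word/_rels/settings.xml.rels",
                '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
                f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                f'Target="{template_target}" TargetMode="External"/></Relationships>')
    return buf.getvalue()
```

Run `scan_docx(open(path, "rb").read())` over a quarantined attachment; a local template path produces no finding, while an http(s) template target is reported.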
“The document uses the Word remote template feature to retrieve a HTML file from a remote web server, which in turn uses the ms-msdt MSProtocol URI scheme