An unofficial security patch has been made available for a new Windows zero-day vulnerability in the Microsoft Support Diagnostic Tool (MSDT), even though the Follina flaw is still exploited in the wild.
The issue, referred to as DogWalk, relates to a path traversal flaw that can be exploited to drop a malicious executable file into the Windows Startup folder when a potential target opens a specially crafted “.diagcab” archive file that contains a diagnostic configuration file.
The idea is that the payload will be executed the next time the victim logs into the system after a reboot. The vulnerability affects all versions of Windows, from Windows 7 and Server 2008 to the latest releases.
DogWalk was originally disclosed by security researcher Imre Rad in January 2020 after Microsoft, having acknowledged the problem, deemed it not a security issue.
“There are a number of file types that can run code in such a way, but are not technically ‘executables’,” the tech giant said at the time. “And some of these are considered unsafe for users to download/receive in email, even ‘.diagcab’ is blocked by default in Outlook on the web and elsewhere.”
Although all files downloaded and received via email have a Mark-of-the-Web (MOTW) tag used to determine their origin and trigger an appropriate security response, 0patch’s Mitja Kolsek noted that the MSDT application is not designed to check this flag and therefore can open the .diagcab file without warning.
“Outlook is not the only means of delivery: such a file is happily downloaded by all major browsers, including Microsoft Edge, by simply visiting a website(!) and having it opened,” Kolsek said.
“No warning is displayed in the process, unlike downloading and opening another known file that can run [the] attacker code.”
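Since the DogWalk payload lands in a Startup folder and MSDT never consults the Mark-of-the-Web, a simple defender-side check is to audit both Startup folders for recently added items and report each file's Zone.Identifier tag. This is an added example, not code from the article, 0patch or Microsoft; it assumes Windows PowerShell 5.1 or PowerShell 7 on an NTFS volume, and the 72-hour window is an arbitrary default.

```powershell
# Added example (not from the article): list Startup-folder items with their
# Mark-of-the-Web zone and flag anything created recently.
param([int]$WithinHours = 72)   # assumed default lookback window

# Zone numbers as written to the Zone.Identifier alternate data stream
$zoneNames = @{ '0' = 'LocalMachine'; '1' = 'Intranet'; '2' = 'Trusted'; '3' = 'Internet'; '4' = 'Restricted' }

function Get-MotwZone {
    param([string]$Path)
    try {
        # Reading the ADS fails when the file carries no Mark-of-the-Web
        $ads = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
        $line = $ads | Where-Object { $_ -match '^ZoneId=\d' } | Select-Object -First 1
        if ($line -and $line -match '^ZoneId=(\d)') { return $zoneNames[$Matches[1]] }
        return 'Unknown'
    } catch {
        return 'None'   # no Zone.Identifier stream: the file was not tagged on arrival
    }
}

$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)
$cutoff = (Get-Date).AddHours(-$WithinHours)

$findings = foreach ($dir in $startupDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -File -Force | ForEach-Object {
        [pscustomobject]@{
            Folder    = $dir
            Name      = $_.Name
            Extension = $_.Extension.ToLower()
            Created   = $_.CreationTime
            Recent    = ($_.CreationTime -ge $cutoff)
            MotwZone  = Get-MotwZone -Path $_.FullName
        }
    }
}

# A DogWalk-style drop is a new file here with no user-visible prompt, so recent
# items (and anything still tagged as Internet-sourced) deserve a closer look.
$findings | Sort-Object Created -Descending | Format-Table -AutoSize
$findings | Where-Object { $_.Recent -or $_.MotwZone -eq 'Internet' } | ForEach-Object {
    Write-Warning "Review Startup item: $($_.Folder)\$($_.Name) (zone: $($_.MotwZone), created $($_.Created))"
}
```

Files that MSDT writes itself will typically show a zone of None, so a recent entry with no tag is the pattern to investigate rather than a reassuring sign.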
The patches and the renewed interest in the zero-day bug follow active exploitation of the “Follina” remote code execution vulnerability through malware-laced Word documents that abuse the “ms-msdt:” protocol URI scheme.
According to security firm Proofpoint, the flaw (CVE-2022-30190, CVSS score: 7.8) is weaponized by a threat actor tracked as TA570 to deliver the information-stealing trojan QBot (aka Qakbot).
“Actor uses thread-hijacked messages with HTML attachments that, when opened, drop a ZIP archive,” the company said in a series of tweets describing the phishing attacks.
“Archive contains an IMG containing a Word document, shortcut file and DLL. The LNK executes the DLL to start QBot. The document loads and executes an HTML file containing PowerShell that exploits CVE-2022-30190 which is used to download and run Qbot.”
QBot has also been used by initial access brokers to gain initial access to target networks, allowing ransomware affiliates to abuse the foothold to deploy file-encrypting malware.
The DFIR Report, earlier this year, also documented how QBot infections move at a rapid pace, with the malware collecting browser data and Outlook emails as little as 30 minutes after initial access and spreading the payload to an adjacent workstation around 50 minutes in.