Dive Brief:
- Security researchers have uncovered new attack methods threat actors are using to take advantage of a zero day vulnerability dubbed “Follina” in Microsoft Office software.
- Researchers from Broadcom’s Symantec unit said threat actors have exploited Follina to deploy the remote access trojan AsyncRAT, which contained a valid digital signature. They’ve also seen attackers deploy an information stealer as a payload.
- Meanwhile, Sophos researchers discovered a new attack method, which starts off with a “message thread injection” malspam where a reply is interjected into an existing email discussion. The recipient is then asked to open an HTML attachment, which leads to a zip file being downloaded.
Dive Insight:
The incidents mark the latest attempts to take advantage of the vulnerability, which was publicly disclosed May 27. However, researchers say Microsoft had been informed of the vulnerability since at least April.
The Follina vulnerability allows a remote, unauthenticated attacker to gain control of a system through malicious Microsoft Office documents, particularly Word documents, that the victim downloads.
Researchers began to see the AsyncRAT activity around June 2, just days after Microsoft published the workaround on May 30, according to Dick O’Brien, principal editor of the Symantec Threat Intelligence Team.
“With regards to how big a threat this is, it’s very serious unless you take steps to mitigate the risk,” O’Brien said via email.
When AsyncRAT runs on a system, it conducts anti-analysis checks, according to Symantec researchers. It later collects information about the infected system, including operating system details, user name, hardware identification and the path it was executed from. All of this information is sent to a command-and-control server.
The workaround suggested by Microsoft will prevent this attack, O’Brien said.
In the attack discovered by Sophos researchers, the .zip file contains an additional archive: a zip file with a .img suffix. If the .img archive is unzipped, three files are revealed: a Windows DLL, a malicious Follina .docx file and a Windows shortcut.
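A mail-gateway check for the nested attachment chain described above, written as an added example for this piece rather than code from Sophos or Symantec. It assumes, as the article states, that the .img member is an ordinary zip under a renamed suffix, and it flags any nested archive that carries a DLL, a .docx and a .lnk together; the sample attachment is constructed in memory.

```python
import io
import zipfile

# File types that, appearing together inside a nested archive, match the
# lure described above (.img archive holding a DLL, a .docx and a .lnk).
SUSPICIOUS_EXTENSIONS = {".dll", ".docx", ".lnk"}
ARCHIVE_EXTENSIONS = {".zip", ".img"}  # assumption: .img is a renamed zip


def _extension(name):
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def scan_archive(data, depth=0, max_depth=4):
    """Walk a zip and any zip-formatted members (whatever their suffix);
    return findings as (depth, member name, extension) tuples."""
    findings = []
    if depth > max_depth or not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for member in archive.namelist():
            ext = _extension(member)
            if ext in SUSPICIOUS_EXTENSIONS:
                findings.append((depth, member, ext))
            if ext in ARCHIVE_EXTENSIONS:
                findings.extend(scan_archive(archive.read(member), depth + 1, max_depth))
    return findings


def matches_follina_lure(data):
    """True when a nested archive holds DLL, .docx and .lnk members together."""
    nested = {ext for depth, _, ext in scan_archive(data) if depth >= 1}
    return SUSPICIOUS_EXTENSIONS <= nested


def build_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, content in members.items():
            archive.writestr(name, content)
    return buf.getvalue()


# Constructed sample: outer zip -> inner archive with .img suffix -> three files.
INNER_IMG = build_zip({"helper.dll": b"MZ", "invoice.docx": b"PK", "open.lnk": b"L"})
SAMPLE_ATTACHMENT = build_zip({"invoice.img": INNER_IMG})
BENIGN_ATTACHMENT = build_zip({"report.docx": b"PK"})

if __name__ == "__main__":
    for depth, name, ext in scan_archive(SAMPLE_ATTACHMENT):
        print(f"depth={depth} member={name} ext={ext}")
    print("lure match:", matches_follina_lure(SAMPLE_ATTACHMENT))
```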
“This is an existing threat actor deploying Follina malicious documents in lieu of other forms of weaponized documents in a routine spam-delivered malware campaign,” Andrew Brandt, principal researcher at Sophos, said via email. “These will only run on machines where the Microsoft recommended mitigations have not been implemented.”
Brandt said the mitigations suggested by Microsoft are effective at stopping the attack, but warned the company will need to ultimately provide a security patch, because the mitigations temporarily disable what is supposed to be a routine resource found within Windows to troubleshoot common issues.
“Leaving the existing mitigations in place will prevent infection, but also prevents the use of these troubleshooting tools,” Brandt said. “At some point, Microsoft will have to fix the Follina exploit method so people can restore the troubleshooting tool.”