Security service provider Proofpoint saw attacks on several customers of European and US government organizations over the past Whitson weekend. Cybercriminals attempted to exploit a zero-day vulnerability in Microsoft’s Diagnostic Tool (MSDT) with CVE entry CVE-2022-30190 to inject malicious code. The company’s IT analysts gave this information on Twitter.
In the malware campaign, the mastermind wanted to lure the victims with an RTF document that promised a pay hike. The malicious payload was then reloaded from a server on the Internet, until the vulnerability was otherwise fixed.
The downloaded powershell script has another powershell script loaded as an additional step. This in turn checks whether it is running in a virtual environment and steals data from local web browsers, mail programs and file services. It also performs further investigation in the infected machine’s environment and bundles the collected information in a zip package to send to the control server.
Based on the approach, Proofpoint’s IT security researchers estimate it to be a state-of-the-art cyber gang. Although they could not specify specifically which APT was behind it, the targeted approach and extensive espionage of information from the system of infiltration fueled their suspicions.
Zero-day vulnerability in MSDT without patch
The attack’s zero-day vulnerability was initially localized by IT researchers to Microsoft Office, but became a problem in the Microsoft Diagnostic Tool, which could be abused via the protocol handler ms-msdt: . Although the first attacks used carefully crafted Office documents, the problem with manipulated RTF documents could be misused without user interaction. Previewing only in Windows Explorer was enough to reload and run the malicious code.
Cybercriminals have now adapted this hardened version with ready-made RTF documents and apparently included it in their exploit toolbox. Therefore administrators and users should immediately temporarily remove the protocol handler until Microsoft provides a bug fix. Microsoft has provided the following instructions for this:
Users must first open an administrative command prompt. Order reg export HKEY_CLASSES_ROOT\ms-msdt <Dateiname> Saves the previous registry key to a file <Dateiname>, then delete the call reg delete HKEY_CLASSES_ROOT\ms-msdt /f relevant key. To restore it later, just call reg import <Dateiname> at the administrative command prompt.
(DMK)
Internet fan. Alcohol expert. Beer ninja. Organizer. Certified tv specialist. Explorer. Social media nerd.
