A zero-day remote code execution vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT) has been identified as CVE-2022-30190 “FOLLINA” and rated high severity.
MSDT is a tool shipped with Windows 7 and later. It is used to diagnose problems in applications such as MS Office when a user reports a problem to Microsoft support.
Why is the CVE-2022-30190 “Follina” vulnerability so dangerous?
MSDT is typically invoked by applications such as MS Office documents through the MSDT URL protocol (ms-msdt:). When called this way, the vulnerability allows remote code to run with the privileges of the calling process, so an attacker can use it to execute arbitrary code.
This vulnerability has been exploited through MS Office documents distributed via email to run malicious payloads (e.g. the Turian backdoor and Cobalt Strike). An early sample, posing as a VIP invitation to the Doha Expo, used WebDAV to download a Cobalt Strike sample named 2023.docx (7c4ee39de1b67937a26c9bc1a7e5128b).
The Chinese APT group TA413 exploits this vulnerability in the wild by downloading a backdoor as the payload via the MSDT URL protocol.
The image below shows the base64-encoded HTML file downloaded by the DOC (SHA: 000c10fef5a643bd96da7cf3155e6a38) from hxxp://212[.]138[.]130[.]8/Analysis[.]html
The following figure shows the decoded data:
Decoding the base64-encoded data makes it clear that the backdoor, svchosts.exe, is downloaded via the MSDT URL protocol.
Mitigation of “Follina”
Disabling MSDT URL Protocol:
- Run the following command as administrator to back up the registry key: “reg export HKEY_CLASSES_ROOT\ms-msdt filename”
- To delete the registry key, run the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.
- To restore the registry key, run the following command as administrator: “reg import filename”.
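As an added example (not part of the Quick Heal post), the PowerShell below wraps the three commands above into back-up, remove and restore functions and verifies that each step actually took effect; the backup path under ProgramData is an assumption.

```powershell
# Added example: back up, remove and verify the ms-msdt URL protocol handler,
# and restore it from the backup when the mitigation is no longer needed.
# Run from an elevated PowerShell session. The backup location is an assumption.
$Key        = 'HKEY_CLASSES_ROOT\ms-msdt'
$BackupFile = Join-Path $env:ProgramData 'ms-msdt-backup.reg'   # assumed path

function Test-MsdtProtocolRegistered {
    # A URI scheme is live only if its key exists and carries the
    # standard 'URL Protocol' marker value that Windows uses for handlers.
    $item = Get-Item -Path "Registry::$Key" -ErrorAction SilentlyContinue
    return ($null -ne $item) -and ($null -ne $item.GetValue('URL Protocol', $null))
}

function Disable-MsdtProtocol {
    if (-not (Test-MsdtProtocolRegistered)) {
        Write-Output "ms-msdt protocol handler is not registered; nothing to do."
        return
    }
    # Step 1 from the post: export the key before touching it (/y overwrites an old backup).
    & reg.exe export $Key $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $BackupFile)) {
        throw "Backup of $Key failed; refusing to delete the key."
    }
    # Step 2 from the post: delete the key so ms-msdt: URIs no longer launch msdt.exe.
    & reg.exe delete $Key /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg delete failed with exit code $LASTEXITCODE" }
    # Confirm the mitigation applied rather than trusting the exit code alone.
    if (Test-MsdtProtocolRegistered) { throw "Key still present after delete." }
    Write-Output "ms-msdt protocol handler removed; backup at $BackupFile"
}

function Restore-MsdtProtocol {
    if (-not (Test-Path $BackupFile)) { throw "No backup found at $BackupFile" }
    # Step 3 from the post: import the saved key.
    & reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg import failed with exit code $LASTEXITCODE" }
    if (-not (Test-MsdtProtocolRegistered)) { throw "Key not registered after import." }
    Write-Output "ms-msdt protocol handler restored from $BackupFile"
}

# Usage (uncomment one):
# Disable-MsdtProtocol
# Restore-MsdtProtocol
```

Test-MsdtProtocolRegistered can also be run on its own as a quick compliance check across endpoints before and after deploying the change.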
How does Quick Heal protect its customers from CVE-2022-30190 (Follina)?
Quick Heal protects its customers against this vulnerability in MSDT with the following detections:
- Backdoor.Turian.S28183972
- CVE-2022-30190.46635
- CVE-2022-30190.46634
- CVE-2022-30190.46624
- CVE-2022-30190.46623