Outbreak of Follina in Australia

Follina Exploitation Targets Palau VOIP

Written by: Threat Research Team
Published: June 3, 2022
Read time: 5 Minutes

    Our threat hunters have been busy searching for abuse of the recently disclosed zero-day remote code execution bug in Microsoft Office (CVE-2022-30190). As part of their investigations, they found evidence of a threat actor hosting malicious payloads on what appears to be an Australian VOIP telecommunications provider with a presence in the South Pacific nation of Palau.

    Further analysis indicated that targets in Palau were sent malicious documents that, when opened, exploited this vulnerability, causing victim computers to contact the provider’s website, download and execute the malware, and subsequently become infected.

    Key Observations

    This threat was a complex multi-stage operation utilizing LOLBAS (Living off the Land Binaries And Scripts), which allowed the attacker to initiate the attack through the CVE-2022-30190 vulnerability in the Microsoft Support Diagnostic Tool. This vulnerability enables threat actors to run malicious code without the user first downloading an executable to their machine, which is the step that endpoint detection would normally catch.

    Multiple stages of this malware were signed with a legitimate company certificate to add additional legitimacy and minimize the chance of detection.

    First stage

    The compromised website, as pictured in the screenshot below, was used to host an executable disguised under the name “robots.txt”. We believe the name was chosen so that the file would blend in if it appeared in network logs. Using the Diagnostics Troubleshooting Wizard (msdt.exe), this “robots.txt” file was downloaded, saved as Sihost.exe and then executed.

    Second Stage, Sihost.exe

    When the renamed “robots.txt” – “Sihost.exe” – was executed by msdt.exe, it downloaded the second stage of the attack, a loader with the hash b63fbf80351b3480c62a6a5158334ec8e91fecd057f6c19e4b4dd3febaa9d447. This executable was then used to download and decrypt the third stage of the attack, an encrypted file stored as ‘favicon.svg’ on the same web server.

    Third stage, favicon.svg

    Once this file has been decrypted, it is used to download the fourth stage of the attack from palau.voipstelecom.com[.]au. These files are named Sevntx64.exe and Sevntx.lnk, and they are then executed on the victims’ machines.

    Fourth Stage, Sevntx64.exe and Sevntx64.lnk

    When the file is executed, it loads a 66 KB shellcode from the AsyncRat malware family; Sevntx64.exe is signed with the same compromised certificate seen previously on “robots.txt”.

    The screenshot below shows the executable loading the shellcode.

    Final Stage, AsyncRat

    Once the executable is loaded, the machine has been fully compromised with AsyncRat; the trojan is configured to communicate with the server palau[.]voipstelecom[.]com[.]au on port 443.

    AsyncRat SHA256:

    aba9b566dc23169414cb6927ab5368b590529202df41bfd5dded9f7e62b91479
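    The chain above leaves a distinctive trail in process and network telemetry: an Office process hands off to msdt.exe, msdt.exe launches a file it has just written, that file borrows the name of a real Windows binary, and the final stage talks to the provider's domain. The script below is an added example written for this post, not code from Avast or from the campaign; it replays that trail over constructed Sysmon-style records and flags each hop, using only the hashes and domain quoted above. The file paths, PIDs and the decision to attach the AsyncRat hash to the Sevntx64.exe event are assumptions made for the sample; the post does not state which file carries that hash. One caveat worth keeping: sihost.exe is also the name of the legitimate Shell Infrastructure Host in System32, so the rule keys on the path rather than the name alone.

```python
"""Added detection example (not from the Avast post): replay the stage chain
described above over constructed Sysmon-style telemetry and flag each hop."""
from dataclasses import dataclass
from typing import Dict, List


def refang(indicator: str) -> str:
    """Turn a defanged indicator like palau[.]voipstelecom[.]com[.]au into a hostname."""
    return indicator.replace("[.]", ".").lower().rstrip(".")


# Indicators quoted in the post.
IOC_SHA256 = {
    "b63fbf80351b3480c62a6a5158334ec8e91fecd057f6c19e4b4dd3febaa9d447": "second-stage loader",
    "aba9b566dc23169414cb6927ab5368b590529202df41bfd5dded9f7e62b91479": "AsyncRat",
}
IOC_DOMAINS = {refang("palau[.]voipstelecom[.]com[.]au")}

# Office parents that have no business spawning the diagnostic tool (assumed list; tune per estate).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SYSTEM32 = "c:\\windows\\system32\\"


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon event ID 1 shape, simplified)."""
    pid: int
    image: str
    parent_image: str
    sha256: str = ""


@dataclass
class NetEvent:
    """Minimal network-connection record (Sysmon event ID 3 shape, simplified)."""
    pid: int
    image: str
    dest_host: str
    dest_port: int


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(procs: List[ProcEvent], conns: List[NetEvent]) -> List[Dict[str, object]]:
    """Return one finding per suspicious hop, in the order the events were seen."""
    findings: List[Dict[str, object]] = []
    for e in procs:
        img, parent = basename(e.image), basename(e.parent_image)
        # Hop 1: the Office document hands off to msdt.exe (the CVE-2022-30190 trigger).
        if img == "msdt.exe" and parent in OFFICE_PARENTS:
            findings.append({"rule": "office_spawns_msdt", "pid": e.pid, "image": e.image})
        # Hop 2: msdt.exe launching anything at all (here the renamed robots.txt).
        if parent == "msdt.exe":
            findings.append({"rule": "msdt_child_process", "pid": e.pid, "image": e.image})
        # The dropper reuses the name of the real Shell Infrastructure Host; the genuine
        # binary lives only in System32, so the path tells the two apart.
        if img == "sihost.exe" and not e.image.lower().startswith(SYSTEM32):
            findings.append({"rule": "sihost_outside_system32", "pid": e.pid, "image": e.image})
        if e.sha256.lower() in IOC_SHA256:
            findings.append({"rule": "known_bad_hash", "pid": e.pid, "label": IOC_SHA256[e.sha256.lower()]})
    for n in conns:
        if refang(n.dest_host) in IOC_DOMAINS:
            findings.append({"rule": "ioc_domain", "pid": n.pid, "host": refang(n.dest_host), "port": n.dest_port})
    return findings


# Constructed sample telemetry mirroring the chain in the post; paths and PIDs are invented.
OFFICE = "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
TMP = "C:\\Users\\victim\\AppData\\Local\\Temp\\"
SAMPLE_PROCS = [
    ProcEvent(100, OFFICE, "C:\\Windows\\explorer.exe"),
    ProcEvent(101, "C:\\Windows\\System32\\msdt.exe", OFFICE),
    ProcEvent(102, TMP + "Sihost.exe", "C:\\Windows\\System32\\msdt.exe"),
    ProcEvent(103, "C:\\Windows\\System32\\sihost.exe", "C:\\Windows\\System32\\winlogon.exe"),  # legitimate
    ProcEvent(104, TMP + "Sevntx64.exe", TMP + "Sihost.exe",
              sha256="aba9b566dc23169414cb6927ab5368b590529202df41bfd5dded9f7e62b91479"),  # hash placement assumed
]
SAMPLE_CONNS = [
    NetEvent(104, TMP + "Sevntx64.exe", "palau.voipstelecom.com.au", 443),
    NetEvent(100, OFFICE, "officecdn.example.invalid", 443),  # benign traffic, should not match
]


def run_sample() -> List[Dict[str, object]]:
    return detect(SAMPLE_PROCS, SAMPLE_CONNS)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

    Run against the constructed sample, the script reports five findings (one per hop plus the hash and domain matches) and stays silent on the legitimate System32 sihost.exe and the benign CDN connection. In production the same four rules map directly onto Sysmon or EDR process and network events; the hash and domain matches are the brittle part, since the actor can rotate both, while the Office-to-msdt.exe parent relationship is the one the technique cannot avoid.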

    Screenshot below with AsyncRat configuration:

    Conclusion

    We highly recommend Avast software to protect against the latest threats, and applying Microsoft’s patches to protect your Windows systems from the CVE-2022-30190 vulnerability.

    IOCs:

    Bonus

    We managed to find an earlier version of this malware.

    Forensic information from the lnk file:

    Threat Research Team
    A group of elite researchers who like to stay under the radar.