MSOffice/Follina.536C!exploit

description-logoAnalysis

MSOffice/Follina.536C!exploit is a generic detection for an exploit.
An exploit is a malicious program that takes advantage of a software vulnerability that may enable a remote attacker to gain access to the targeted system. Since this is a generic detection, malware that are detected as MSOffice/Follina.536C!exploit may have varying behaviour.
Below are some of its observed characteristics/behaviours:

  • This malware is related to the Follina vulnerability outbreak. It has the identifier CVE-2022-30190. The exploit involves a compromised MSOffice file that contains a malicious URL which leads to a download. The compromised file may be sent as a suspicious email.

  • The exploit allows attackers to execute arbitrary code with the privileges of the calling application by exploiting the vulnerability affecting the Microsoft Support Diagnostic Tool (MSDT).

  • This malware has been associated with the following third party article/advisory.
  • https://www.cisa.gov/uscert/ncas/current-activity/2022/05/31/microsoft-releases-workaround-guidance-msdt-follina-vulnerability
    

  • Below is an image of the malware:

    • Figure 1: MSOffice document containing malicious URL.

  • Below are some sites to which some of the observed samples tried to connect to:
    • https://xmlform[removed]rawing/RDF8421.html!

  • Following are some of the exact file hashes associated with this detection:
    • Md5: 52945af1def85b171870b31fa4782e52
      Sha256: 4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784

recommended-action-logoRecommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry logoTelemetry

Detection Availability

FortiGate
FortiClient
FortiAPS
FortiAPU
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2024-02-12 92.01512
2024-02-07 92.01352
2023-11-22 91.09040
2023-10-11 91.07774
2023-09-19 91.07104
2023-08-08 91.05854
2023-08-08 91.05853
2023-08-08 91.05844
2023-08-01 91.05642
2023-07-20 91.05262