Cyble Research Labs has been actively monitoring CVE-2022-30190, and in our previous research, we discussed how the vulnerability was actively exploited in the wild using a malicious Word document. Recently we came across a tweet in which researchers described exploitation of this MSDT vulnerability through a Rich Text Format (RTF) document. This indicates that CVE-2022-30190 is under active exploitation using different attack vectors. This blog discusses how an RTF file is used to exploit the MSDT vulnerability and deliver a PowerShell stealer.
Exploit Analysis
A specially crafted RTF document with an employment-themed lure is used in this attack, as shown in Figure 1.

When opened, the RTF document loads a remote HTML file and executes it without any user interaction. The image below shows the OLE object embedded in the RTF file, which is responsible for loading 1.html from the remote server.

The file 1.html contains code that exploits the MSDT vulnerability and downloads the PowerShell stealer from the remote server. The following figure shows the malicious PowerShell code, which contains the final payload delivery link.

Payload Analysis
After the MSDT vulnerability is successfully exploited, the final PowerShell stealer code is downloaded and executed on the victim's machine without leaving any trace on the system. This stealer can harvest data from the registry and from multiple applications such as browsers, email clients, and RDP clients. The figure below shows the PowerShell stealer.

The stealer harvests data from Mozilla Firefox, Opera, Yandex, Vivaldi, CentBrowser, Comodo, Chedot, Orbitum, Chromium, Slimjet, Xvast, Kinza, Iridium, CocCoc, Thunderbird, PuTTY, Navicat, and WinSCP.
The stealer harvests information from the following registry keys:
- HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ToDesk
- HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Oray SunLogin RemoteClient
- HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\MSFtpsvc\Parameters\Virtual Roots\ControlSet002
- HKEY_LOCAL_MACHINE\SOFTWARE\Cat Soft\Serv-U\Domains\1\UserList
- HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\MSFtpsvc\Parameters\Virtual Roots
- HKEY_CURRENT_USER\SOFTWARE\SimonTatham
- HKEY_CURRENT_USER\Software\Microsoft\Office\16.0
- HKEY_CURRENT_USER\SOFTWARE\PremiumSoft\Navicat\Servers
- HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2
It executes the following commands to harvest the victim’s data:
- systeminfo
- ipconfig /all
- net config workstation
- net time /domain
- net group /domain
- net accounts /domain
- wmic useraccount get /all
- wmic product get name,version
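An added detection example (not Cyble's code) that turns the command list above into a hunting rule: it parses constructed process-creation records, normalises each command line, and alerts when a single parent process runs several of the listed discovery commands within a short window, which is how the stealer behaves and not how an administrator typically works. The record format, PIDs, timestamps and thresholds are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery commands the stealer runs, as listed in the report (normalised form)
STEALER_RECON = {"systeminfo", "ipconfig /all", "net config workstation",
                 "net time /domain", "net group /domain", "net accounts /domain",
                 "wmic useraccount get /all", "wmic product get name,version"}
WINDOW = timedelta(seconds=60)  # the stealer fires these back to back (assumed)
MIN_DISTINCT = 4                # an admin runs one or two of these, not a batch (assumed)


def normalise(cmdline: str) -> str:
    """Lower-case, drop quotes, collapse spaces, strip the exe's path and suffix."""
    parts = cmdline.replace('"', "").lower().split() or [""]
    exe = parts[0].rsplit("\\", 1)[-1].removesuffix(".exe")
    return " ".join([exe, *parts[1:]])


def parse_event(line: str) -> dict:
    """Parse one constructed 'key=value|key=value' process-creation record."""
    ev = dict(kv.split("=", 1) for kv in line.split("|"))
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def find_recon_bursts(lines) -> dict:
    """Map parent PID -> recon commands, for parents running >= MIN_DISTINCT in WINDOW."""
    hits = defaultdict(list)
    for ev in map(parse_event, lines):
        cmd = normalise(ev["cmd"])
        if cmd in STEALER_RECON:
            hits[ev["ppid"]].append((ev["ts"], cmd))
    alerts = {}
    for ppid, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            burst = {c for t, c in events[i:] if t - start <= WINDOW}
            if len(burst) >= MIN_DISTINCT:
                alerts[ppid] = sorted(burst)
                break
    return alerts


# Constructed sample log: parent 4120 runs four recon commands within seconds
# (the stealer pattern); parent 7001 runs a lone ipconfig, normal admin activity
SAMPLE_LOG = """\
ts=2022-06-10T09:15:01|ppid=4120|pid=4130|cmd=C:\\Windows\\system32\\systeminfo.exe
ts=2022-06-10T09:15:02|ppid=4120|pid=4131|cmd=ipconfig  /all
ts=2022-06-10T09:15:02|ppid=4120|pid=4132|cmd="C:\\Windows\\system32\\net.exe" config workstation
ts=2022-06-10T09:15:03|ppid=4120|pid=4133|cmd=net time /domain
ts=2022-06-10T09:40:00|ppid=7001|pid=7002|cmd=ipconfig /all
""".splitlines()
```

In a real deployment the same logic runs over Sysmon Event ID 1 or Windows 4688 records keyed on the parent process, with the thresholds tuned to the environment's baseline.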
After harvesting the data, the stealer compresses it and exfiltrates it to 45[.]77.156[.]179. The C&C server exposes an open directory of exfiltrated logs, as shown in the figure below.

Conclusion
Threat actors (TAs) are actively exploiting CVE-2022-30190 using different attack vectors. In this particular case, instead of Microsoft Word files, the attackers used an RTF file to deliver an information stealer to the victim's system.
We will publish further information on CVE-2022-30190-related attacks as it becomes available.
Our Recommendations
- Follow mitigation procedures provided by Microsoft in their blog.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices.
- Use a reputable antivirus and internet security software package on your connected devices, including PCs, laptops, and mobile devices.
- Refrain from opening untrusted links and email attachments without first verifying their authenticity.
- Educate employees on protecting themselves from threats such as phishing and untrusted URLs.
- Block URLs that could spread the malware, e.g., Torrent/Warez.
- Monitor for beaconing at the network level to block data exfiltration by malware or TAs.
- Enable Data Loss Prevention (DLP) Solutions on the employees’ systems.
MITRE ATT&CK® Techniques
Tactic | Technique ID | Technique Name |
Initial Access | T1566 | Phishing |
Execution | T1203 | Exploitation for Client Execution |
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information |
Discovery | T1087 | Account Discovery |
Discovery | T1046 | Network Service Discovery |
Command and Control | T1071 | Application Layer Protocol |
Exfiltration | T1041 | Exfiltration Over C2 Channel |
Indicators of Compromise (IoCs)
Indicator | Indicator type | Description |
242d2fa02535599dae793e731b6db5a2 | MD5 | Malicious RTF file |
0646ef9e20628c47c2140c0fc4b51ce3a7ad4c30 | SHA-1 | Malicious RTF file |
ca7e9c65fd2cec62110b50581529198c43b7982820a38c912baa81d0294b8126 | SHA-256 | Malicious RTF file |
ea483ab89d8b9baf00b953f0636e0520 | MD5 | HTML exploit 1.html |
b0b952334f0d0195b06faed532170263f7fad6c2 | SHA-1 | HTML exploit 1.html |
5385a798d136365b644199359dc2662de3b0d6c5adc09e4cf9cada074e8a9338 | SHA-256 | HTML exploit 1.html |
hxxp://45.76.53[.]253/1.html | URI | Exploit |
hxxps://seller-notification[.]live/Zqfbe234dg | URI | Malicious payload |
dbd2b7048b3321c87a768ed7581581db | MD5 | PowerShell stealer |
0031893be42999b493c3e3c7e88d006db44d425f | SHA-1 | PowerShell stealer |
0d7f8698dcb03f879bcf4222852e859e1f8d84e61ee25af12312eda290ccde88 | SHA-256 | PowerShell stealer |