Hackers unveil fresh strategies amid ongoing Microsoft Follina flaw persistence

Researchers uncover new delivery channels, including the AsyncRAT malware for remote control.

Threat actors introduce new attack tactics, with the still-present Microsoft Follina flaw serving as their platform.

In a recent development, security researchers have uncovered a new attack method that uses the zero-day vulnerability "Follina" in Microsoft Office. The vulnerability, publicly disclosed on May 27th, allows a remote, unauthenticated attacker to take control of a system through a downloaded Microsoft Office document, particularly a Word document.

The latest attack, discovered by Sophos researchers, uses "message thread injection" malspam, in which a reply is inserted into an existing email discussion. The recipient is asked to open an HTML attachment, which leads to a zip file being downloaded. That zip file contains a second archive, a zip with an .img extension.

If the .img archive is unzipped, three files are revealed: a Windows DLL, a malicious Follina .docx file, and a Windows shortcut. Threat actors have exploited Follina to deploy the remote access trojan AsyncRAT, which carries a valid digital signature.
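The article does not describe what makes the .docx malicious; from the public analysis of Follina, the document's oleObject relationship in word/_rels/document.xml.rels points at an external URL that Word fetches on open. The following Python triage script, added here and not part of the article or of Sophos's research, flags that pattern; the "high/medium" rating and the constructed sample document are assumptions for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML relationship namespace and the oleObject relationship type (real values).
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
RELS_PART = "word/_rels/document.xml.rels"

def external_ole_targets(docx_bytes):
    """Targets of oleObject relationships marked TargetMode="External".
    A benign embedded object is an internal part; a Follina-style document instead
    points this relationship at an external URL that Word fetches when opened."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if RELS_PART not in zf.namelist():
            return []
        root = ET.fromstring(zf.read(RELS_PART))
    return [rel.get("Target", "") for rel in root.iter("{%s}Relationship" % REL_NS)
            if rel.get("Type") == OLE_TYPE and rel.get("TargetMode") == "External"]

def triage_docx(docx_bytes):
    """Return (verdict, reasons). Any external OLE target deserves a look; an http(s)
    target matches the Follina fetch pattern and is rated high (heuristic, assumed)."""
    reasons = []
    for target in external_ole_targets(docx_bytes):
        level = "high" if target.lower().startswith(("http://", "https://")) else "medium"
        reasons.append((level, "external oleObject target: " + target))
    if not reasons:
        return "clean", reasons
    return ("high" if any(lvl == "high" for lvl, _ in reasons) else "medium"), reasons

def build_sample_docx(target=None):
    """Constructed minimal .docx (not a real sample); with a target it adds an external
    oleObject relationship the way a Follina document does."""
    rels = '<Relationships xmlns="%s">' % REL_NS
    if target is not None:
        rels += '<Relationship Id="rId9" Type="%s" Target="%s" TargetMode="External"/>' % (
            OLE_TYPE, target)
    rels += "</Relationships>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr(RELS_PART, rels)
    return buf.getvalue()

if __name__ == "__main__":
    print(triage_docx(build_sample_docx()))  # ('clean', [])
    print(triage_docx(build_sample_docx("http://example.invalid/index.html")))
```

Run it against a quarantined attachment with `triage_docx(open(path, "rb").read())`; a "clean" result only means this one indicator is absent.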

Andrew Brandt, principal researcher at Sophos, stated that this is an existing threat actor deploying Follina malicious documents in a routine spam-delivered malware campaign. Dick O'Brien, principal editor of the Symantec Threat Intelligence Team, also warned that the threat posed by Follina is very serious unless steps are taken to mitigate the risk.

Microsoft had been informed of the vulnerability since at least April. The workaround suggested by Microsoft prevents this attack. However, leaving that mitigation in place also temporarily disables a standard Windows troubleshooting tool used to diagnose common issues.

Researchers have also observed attackers deploying an information stealer as the payload. Threat actors have been using this method since around June 2nd, shortly after Microsoft published the workaround on May 30th.

Microsoft will have to provide a security patch that closes the Follina exploit method so users can restore the troubleshooting tool. Until then, users should remain vigilant and follow Microsoft's recommended mitigations to protect their systems. Those mitigations are effective at stopping the attack, but they should be applied carefully, since they disable a troubleshooting tool that may be needed.