An advanced persistent threat (APT) actor aligned with Chinese state interests has been observed armed with the new zero-day flaw in Microsoft Office to gain code execution on affected systems. Enterprise security firm Proofpoint reported: "TA413 CN APT spotted [in-the-wild] exploiting the Follina zero-day using URLs to deliver ZIP archives that contain Word documents that use the technique. Campaigns impersonate the 'Women Empowerments Desk' of the Central Tibetan Administration and use the domain tibet-gov.web[.]app."
TA413 is best known for its campaigns targeting the Tibetan diaspora to deliver implants such as Exile RAT and Sepulcher, as well as a rogue Firefox browser extension dubbed FriarFox. The high-severity security flaw, dubbed Follina and tracked as CVE-2022-30190 (CVSS score: 7.8), is a remote code execution vulnerability that abuses the "ms-msdt:" protocol URI scheme to execute arbitrary code.
Significantly, the attack makes it possible for threat actors to bypass the Protected View safeguards for suspicious files simply by converting the document to a Rich Text Format (RTF) file, so that the injected code runs without the document even being opened, via the Preview Pane in Windows File Explorer. Microsoft, however, did not consider it a security issue and closed the vulnerability submission report, citing the fact that the MSDT utility requires a passkey provided by a support technician before it can execute payloads. The vulnerability exists in all currently supported Windows versions and can be exploited through Microsoft Office versions Office 2013 through Office 21 and Office Professional Plus editions.
Even though there is no official patch available at this point, Microsoft has recommended disabling the MSDT URL protocol to block the attack vector. In addition, it is advised to turn off the Preview Pane in File Explorer. The exploit triggers as soon as a user opens and views the Word document, or views a preview of it in the Windows Explorer Preview Pane. Since the Preview Pane does not require Word to start fully, this effectively becomes a zero-click attack.
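The two workarounds named above, as an added example that is not from the article or from Microsoft's own guidance text: it backs up and removes the ms-msdt: handler, switches off preview handlers for the current user, and reports whether both mitigations hold. It assumes an elevated PowerShell session, an arbitrary backup path, and that the ShowPreviewHandlers value under Explorer\Advanced is the per-user registry equivalent of turning off Preview Pane handlers.

```powershell
# Added example (not the article's or Microsoft's code): apply and verify the
# CVE-2022-30190 (Follina) workarounds on a Windows host. Run elevated.
# The backup path is arbitrary; ShowPreviewHandlers is assumed to be the
# per-user switch behind "show preview handlers in preview pane".

$Backup  = Join-Path $env:TEMP 'ms-msdt-backup.reg'   # keep this to undo the change
$Handler = 'HKEY_CLASSES_ROOT\ms-msdt'

# 1. Remove the ms-msdt: URL protocol handler (Microsoft's recommended workaround)
if (Test-Path "Registry::$Handler") {
    reg.exe export $Handler $Backup /y | Out-Null   # back up first so it can be re-imported
    reg.exe delete $Handler /f | Out-Null           # ms-msdt: URIs now have no handler
    Write-Output "Removed $Handler (backup: $Backup)"
} else {
    Write-Output "$Handler not present, nothing to remove"
}

# 2. Disable preview handlers in File Explorer's Preview Pane for the current user
$Adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $Adv -Name ShowPreviewHandlers -Value 0 -Type DWord

# 3. Verify: both conditions must hold for the host to count as mitigated
$HandlerGone = -not (Test-Path "Registry::$Handler")
$PreviewOff  = (Get-ItemProperty -Path $Adv -Name ShowPreviewHandlers).ShowPreviewHandlers -eq 0
[pscustomobject]@{
    MsdtHandlerRemoved = $HandlerGone
    PreviewHandlersOff = $PreviewOff
    Mitigated          = ($HandlerGone -and $PreviewOff)
}
```

Once an official fix is installed, the handler can be restored with `reg.exe import` on the backup file, since removing it also disables legitimate troubleshooter links.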