Zero-Day Vulnerability: Optimized Attacks on Microsoft’s Diagnostic Tool (MSDT)

Written by insideindyhomes

The security service provider Proofpoint observed attacks on several customers at European and US government organizations over the past Whitsun weekend. The attackers attempted to exploit the zero-day vulnerability in Microsoft's Diagnostic Tool (MSDT), tracked as CVE-2022-30190, to inject malicious code. The company's analysts reported this on Twitter.

In the malware campaign, the attackers tried to lure victims with an RTF document that promised a salary increase. When opened, the document fetched the malicious payload from a server on the Internet, unless the vulnerability had already been mitigated on the system.

The downloaded PowerShell script loads a further PowerShell script as an additional stage. That second script checks whether it is running in a virtual environment and then steals data from local web browsers, mail clients and file services. It also gathers further information about the infected machine's environment and bundles everything collected into a ZIP archive for transmission to the command-and-control server.

Based on this approach, Proofpoint's security researchers assess that a state-backed group is behind the campaign. Although they could not name a specific APT, the targeted approach and the extensive collection of information from the compromised system support that suspicion.

The zero-day vulnerability under attack was initially attributed by researchers to Microsoft Office, but it turned out to be a flaw in the Microsoft Diagnostic Tool, which can be abused via the protocol handler ms-msdt:. Although the first attacks used carefully crafted Office documents, the flaw can also be abused through manipulated RTF documents without any further user interaction: merely previewing the file in Windows Explorer was enough to download and run the malicious code.

The attackers have now adopted this more dangerous variant using prepared RTF documents and have apparently added it to their exploit toolkits. Administrators and users should therefore urgently remove the protocol handler temporarily until Microsoft provides a fix. Microsoft has published the following instructions for this:

Users must first open an administrative command prompt. The command reg export HKEY_CLASSES_ROOT\ms-msdt <backup-file> saves the existing registry key to a file of the user's choosing (<backup-file> stands for that file name). Then reg delete HKEY_CLASSES_ROOT\ms-msdt /f deletes the relevant key. To restore it later, run reg import <backup-file> at the administrative command prompt.
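The three reg.exe steps above can be wrapped so that the backup is always taken before the deletion and the result is verified afterwards. The following PowerShell script is an added example and is not code from the article or from Microsoft; the default backup path under the user profile, the function names and the read-out of the handler's command sub-key are assumptions for illustration. It must run in an elevated (administrative) PowerShell session.

```powershell
# Added example (not from the article or Microsoft): wraps the reg.exe
# export / delete / import steps the article describes into functions and
# adds a check of the handler's current state. Run elevated.
# The default backup path is an assumption; override it with -BackupFile.

$HandlerKey = 'HKEY_CLASSES_ROOT\ms-msdt'
$DefaultBackup = Join-Path $env:USERPROFILE 'ms-msdt-backup.reg'

function Test-MsdtHandler {
    # $true if the ms-msdt: protocol handler key still exists.
    return Test-Path -Path "Registry::$HandlerKey"
}

function Get-MsdtHandlerCommand {
    # Shows what the handler currently launches (assumed standard protocol
    # handler layout: <key>\shell\open\command, default value). Returns $null
    # if the key or sub-key is absent, e.g. after the mitigation was applied.
    $cmdKey = "Registry::$HandlerKey\shell\open\command"
    if (-not (Test-Path -Path $cmdKey)) { return $null }
    return (Get-ItemProperty -Path $cmdKey).'(default)'
}

function Backup-MsdtHandler {
    param([string]$BackupFile = $DefaultBackup)
    # /y lets reg.exe overwrite an existing backup file without prompting.
    & reg.exe export $HandlerKey $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }
    return $BackupFile
}

function Disable-MsdtHandler {
    param([string]$BackupFile = $DefaultBackup)
    if (-not (Test-MsdtHandler)) {
        Write-Host 'ms-msdt handler already absent; nothing to do.'
        return
    }
    # Never delete without a verified backup on disk.
    $saved = Backup-MsdtHandler -BackupFile $BackupFile
    if (-not (Test-Path -Path $saved)) { throw "Backup file $saved was not written" }
    & reg.exe delete $HandlerKey /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg delete failed with exit code $LASTEXITCODE" }
    if (Test-MsdtHandler) { throw 'Handler key still present after delete' }
    Write-Host "Handler removed. Backup written to $saved"
}

function Restore-MsdtHandler {
    param([string]$BackupFile = $DefaultBackup)
    if (-not (Test-Path -Path $BackupFile)) { throw "Backup file $BackupFile not found" }
    & reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg import failed with exit code $LASTEXITCODE" }
    if (-not (Test-MsdtHandler)) { throw 'Handler key missing after import' }
    Write-Host "Handler restored from $BackupFile"
}

# Usage (elevated session):
#   Get-MsdtHandlerCommand   # inspect what ms-msdt: currently launches
#   Disable-MsdtHandler      # back up the key, then delete it
#   Test-MsdtHandler         # False once the mitigation is in place
#   Restore-MsdtHandler      # once Microsoft's fix has been installed
```

The script refuses to delete the key unless the export succeeded and the backup file actually exists, and it re-checks the key after both the delete and the import, so an operator can see immediately whether the mitigation took effect or the restore completed.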
