Chinese APT exploits newly-discovered Windows zero-day

Chinese APT group TA413 has been reported by Proofpoint researchers to be actively abusing the recently-discovered Microsoft Windows Support Diagnostic Tool remote code execution vulnerability, dubbed "Follina" and tracked as CVE-2022-30190, in attacks against the international Tibetan community, according to BleepingComputer. Exploits of the zero-day flaw are being leveraged by TA413 to facilitate malicious code execution through the MSDT protocol. "TA413 CN APT spotted ITW exploiting the Follina 0Day using URLs to deliver Zip Archives which contain Word Documents that use the technique. Campaigns impersonate the 'Women Empowerments Desk' of the Central Tibetan Administration and use the domain tibet-gov.web[.]app," said Proofpoint in a tweet. Malicious payloads discovered to be trojans for password theft are also being installed by attackers using Chinese-named DOCX files, MalwareHunterTeam found. Meanwhile, Microsoft unveiled new guidance detailing that while the vulnerability could be exploited to enable arbitrary code execution and allow program installation and data deletion, organizations could curb attacks through MSDT URL protocol deactivation.