If you purchase via links on our site, we may receive affiliate commissions.

Microsoft zero-day bug “exploited by threat actors”

Updated on: 06 June 2022

Damien Black
Senior Journalist

Malicious hackers have been using a zero-day exploit known as Follina to conduct remote-code execution attacks on Microsoft Office users, an inquiry by Avast has found.

An Australian internet telephone provider was detected hosting a malicious payload directed at users in the South Pacific nation of Palau. The cybercriminals behind it are believed to be exploiting the recently released CVE-2022-30190 gap in Microsoft’s defenses, also named after the Italian municipality where it was first discovered.

“Further analysis indicated that targets were sent malicious documents that, when opened, exploited this vulnerability, causing victim computers to contact the provider’s website, download and execute the malware, and subsequently become infected,” said Avast.

To make the social engineering aspect more effective, “multiple stages of this malware were signed with a legitimate company certificate to minimize the chance of detection.”

The bug is thought to have disguised itself, initially going under the name robots.txt during the first phase of the attack before changing its name to sihost.exe.

This led to four successive attack stages culminating in AsyncRat, a trojan configured to communicate with an Australian server that allowed residents in Palau to make voice calls using a broadband internet connection.

It is unclear how many people have been affected by the scam, but Avast urges all Microsoft Windows users to update their software immediately to patch the CVE-2022-30190 vulnerability.