A short-lived phishing campaign was observed using a modified exploit that bypassed Microsoft’s patch for a remote code execution vulnerability in the MSHTML component in order to deliver Formbook malware.
“The attachments show how even a patch can’t always mitigate the actions of a motivated and sufficiently skilled attacker,” SophosLabs researchers Andrew Brandt and Stephen Ormandy declared in a report published Tuesday.
The remote code execution vulnerability in Microsoft’s MSHTML component (CVE-2021-40444, CVSS 8.8) could be exploited through specially crafted Microsoft Office documents. Although Microsoft addressed the flaw in its September 2021 Patch Tuesday updates, it has been exploited in multiple attacks since its details were made public. Within the same month, Microsoft discovered a targeted phishing campaign that exploited the vulnerability to deploy Cobalt Strike Beacons on compromised Windows systems. According to SafeBreach Labs, an Iranian threat actor targeted Farsi-speaking victims in November with a new PowerShell-based information stealer designed to gather sensitive information.
Sophos discovered a new campaign leveraging a publicly available proof-of-concept Office exploit to get around the patch’s protection and distribute Formbook malware. The cybersecurity firm said the attack was successful in part because of a “too-narrowly focused patch.”
“In the initial versions of CVE-2021-40444 exploits, [the] malicious Office document retrieved a malware payload packaged into a Microsoft Cabinet (or .CAB) file,” the researchers explained. “When Microsoft’s patch closed that loophole, attackers discovered they could use a different attack chain altogether by enclosing the maldoc in a specially crafted RAR archive.”
CAB-less 40444, as the modified exploit is called, lasted for 36 hours between October 24 and 25, during which spam emails containing a malformed RAR archive file were sent to potential victims. The RAR file, in turn, included a script written in Windows Script Host and a Word Document that, upon opening, contacted a remote server hosting malicious JavaScript.
The JavaScript then used the Word document as a conduit to launch the WSH script bundled in the RAR file, which in turn executed an embedded PowerShell command to retrieve the malware payload from an attacker-controlled website. The exploit disappeared after only a few hours of use because the modified RAR archives would not open in older versions of the WinRAR utility. “In this case, users of an older, outdated version of WinRAR would have been better protected than users of the latest version,” the researchers concluded.
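The execution chain described above (Word document → Windows Script Host → PowerShell) leaves a characteristic parent/child process pattern on the endpoint, which is the kind of behaviour a detection rule can flag regardless of how the archive or document was packaged. The following is an added example written for this article, not code from Sophos or from the report: it walks a set of constructed process-creation events (field names loosely modelled on Sysmon Event ID 1, with invented paths and command lines) and reports any PowerShell process whose parent is a WSH interpreter and whose ancestry includes an Office application. The process names, the depth limit and the sample events are all assumptions made for the example.

```python
"""Flag Office -> Windows Script Host -> PowerShell process chains.

Added example for the article above; the events below are constructed,
not real telemetry. Field names are modelled loosely on Sysmon Event ID 1.
"""
import ntpath

# Process names treated as each stage of the chain (assumed, not from the page).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
WSH_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Constructed sample of process-creation events. Paths and command lines are
# invented for this example; the Word -> wscript -> powershell chain mirrors
# the behaviour the article describes, the cmd -> powershell chain is benign.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'WINWORD.EXE /n "C:\Users\user\Downloads\invoice.docx"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\user\AppData\Local\Temp\stage.wsf"'},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -EncodedCommand <constructed>"},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe"},
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Date"},
]


def basename(image):
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(image).lower()


def index_by_pid(events):
    """Map pid -> event so parents can be looked up in O(1)."""
    return {e["pid"]: e for e in events}


def ancestors(by_pid, pid, max_depth=8):
    """Yield parent, grandparent, ... of pid, stopping at an unknown ppid
    or after max_depth hops (guards against pid-reuse cycles)."""
    event = by_pid.get(pid)
    for _ in range(max_depth):
        if event is None:
            return
        event = by_pid.get(event["ppid"])
        if event is None:
            return
        yield event


def find_office_script_chains(events):
    """Return one pid list (oldest ancestor first) per PowerShell process
    launched by a WSH host that itself descends from an Office application."""
    by_pid = index_by_pid(events)
    hits = []
    for event in events:
        if basename(event["image"]) not in POWERSHELL:
            continue
        parent = by_pid.get(event["ppid"])
        if parent is None or basename(parent["image"]) not in WSH_HOSTS:
            continue
        chain = [event, parent]
        # Walk further up the tree; an Office ancestor completes the pattern.
        for ancestor in ancestors(by_pid, parent["pid"]):
            chain.append(ancestor)
            if basename(ancestor["image"]) in OFFICE_APPS:
                hits.append([e["pid"] for e in reversed(chain)])
                break
    return hits


def describe_chain(events, chain):
    """Render a detected chain as 'winword.exe -> wscript.exe -> powershell.exe'."""
    by_pid = index_by_pid(events)
    return " -> ".join(basename(by_pid[pid]["image"]) for pid in chain)


if __name__ == "__main__":
    for chain in find_office_script_chains(SAMPLE_EVENTS):
        print("suspicious chain:", chain, describe_chain(SAMPLE_EVENTS, chain))
```

Matching on the process tree rather than on file type is deliberate: the campaign in the article changed the container from a CAB file to a RAR archive to dodge the patch, but the sequence of an Office application spawning a script host that spawns PowerShell stayed the same. In a real deployment the same logic would be applied to EDR or Sysmon telemetry, and the cmd.exe → powershell.exe pair in the sample is there to show the rule does not fire on ordinary administrative use.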
According to SophosLabs Principal Researcher Andrew Brandt, the research shows that patching alone cannot protect against all vulnerabilities in all cases. “Setting restrictions that prevent users from accidentally opening malicious documents helps, but people can still be lured into clicking the ‘enable content’ button.”
As a result, it is vitally important to educate employees and remind them to be cautious when receiving emailed documents, especially when they arrive in unusual or unfamiliar compressed file formats from people or organizations they don’t know.