A short-lived phishing campaign was observed using an exploit that bypassed Microsoft's patch for a remote code execution vulnerability in the MSHTML component to deliver Formbook malware.
“The attachments show how even a patch can’t always mitigate the actions of a motivated and sufficiently skilled attacker,” SophosLabs researchers Andrew Brandt and Stephen Ormandy declared in a report published Tuesday.
A remote code execution vulnerability in Microsoft's MSHTML (CVE-2021-40444, CVSS 8.8) could be exploited via specially crafted Microsoft Office documents. Although Microsoft addressed the flaw in its September 2021 Patch Tuesday updates, it has been exploited in multiple attacks since its details became public. Within the same month, the company discovered a targeted phishing campaign that exploited the vulnerability to deploy Cobalt Strike Beacons on compromised Windows systems. According to SafeBreach Labs, an Iranian threat actor targeted Farsi-speaking victims in November with a new PowerShell-based information stealer designed to gather sensitive information.
Sophos discovered a new campaign that used a publicly available proof-of-concept Office exploit to distribute Formbook malware while sidestepping the patch's protection. The firm said the attack succeeded in part because of a “too-narrowly focused patch.”
“In the initial versions of CVE-2021-40444 exploits, [the] malicious Office document retrieved a malware payload packaged into a Microsoft Cabinet (or .CAB) file,” the researchers explained. “When Microsoft’s patch closed that loophole, attackers discovered they could use a different attack chain altogether by enclosing the malware in a specially crafted RAR archive.”
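As an added defender-side example (not code from the Sophos report), the script below triages attachments along the lines of the chain described above: it identifies the container (CAB, RAR, ZIP/OOXML) from magic bytes rather than the file extension, and inspects an OOXML document's relationship files for external OLE-object targets pointing at remote mhtml:/http content, the documented indicator for CVE-2021-40444-style documents. The sample document is constructed inline for testing and the example.invalid URLs are placeholders.

```python
import io
import re
import zipfile
from xml.etree import ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"

# Magic bytes of the containers the article mentions: the original chain
# fetched a .CAB, the patch bypass wrapped the malware in a RAR archive.
CONTAINER_MAGIC = {
    b"MSCF": "cab",
    b"Rar!\x1a\x07": "rar",
    b"PK\x03\x04": "zip/ooxml",
}

def container_type(data: bytes) -> str:
    """Identify an attachment by its leading bytes, not its extension."""
    for magic, name in CONTAINER_MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"

def external_ole_targets(docx_bytes: bytes) -> list[str]:
    """Collect Target values of oleObject relationships marked External.

    Such a relationship makes Office load the object from outside the file;
    an mhtml:/http target is the indicator seen in CVE-2021-40444 documents.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") == OLE_TYPE and rel.get("TargetMode") == "External":
                    hits.append(rel.get("Target", ""))
    return hits

def is_suspicious(docx_bytes: bytes) -> bool:
    """True when any external OLE target fetches remote MHTML/HTTP content."""
    return any(re.match(r"(?i)(mhtml:|https?:)", t) for t in external_ole_targets(docx_bytes))

def build_sample_docx(target: str) -> bytes:
    """Constructed minimal OOXML package for testing the detector (hypothetical)."""
    rels = (f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{REL_NS}">'
            f'<Relationship Id="rId1" Type="{OLE_TYPE}" Target="{target}" TargetMode="External"/>'
            f'</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()
```

A mail gateway would run `container_type` on every attachment and `is_suspicious` on anything that turns out to be an OOXML package, whatever extension it carries.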
The research shows that patching alone cannot protect against all vulnerabilities in all cases, according to SophosLabs Principal Researcher Andrew Brandt. “Setting restrictions that prevent users from accidentally opening malicious documents helps, but people can still be lured into clicking the ‘enable content’ button.”
As a result, it is vitally important to educate employees and remind them to be cautious when receiving emailed documents, especially when they arrive in unusual or unfamiliar compressed file formats from people or organizations they don’t know.