Sophos: Thread actors test CAB-less 40444 (MSHTL vulnerability) attacks in Windows

Sicherheit (Pexels, allgemeine Nutzung)[German]Security vendor Sophos published information about a new attack scenario in a series of tweets just before Christmas. Attackers are currently testing a new attack vector via RAR attachments with Word documents and scripts in mails. However, this involves distributing payloads hidden in RAR files with an Office document, which then use PowerShell to attack via script. I present this briefly here in the blog.


Sophos observes new attack method

It was a tweet from Sophos  that alerted me on December 21, 2021. Their security researchers got their hands on an updated exploit that shows cyber criminals are testing a new attack method. The number 40444 in the following tweet refers to the CVE-2021-40444 vulnerability in the Windows MSHTM library. 

CAB-less 40444 attack

The victims receive an email with an attachment Profile.rar. The RAR archive contains a Word file document.docx. A script in the .rar file causes the file to start – the user is shown the Word document. As soon as the Word file opens in Office, a web page with a malicious javascript is called.

This javascript on the web page forces the Word document to embed the attacker's script code, which the attacker placed in the RAR archive Profile.rar of the email attachment. The script embedded in the RAR archive file Profile.rar then calls PowerShell in Windows. Then, an executable malware is downloaded from the Web via PowerShell and executed. The goal is to infect the victim's Windows machine.

I had already reported about that in the blog post Windows attacks via 0-day in installer and vulnerability in MSHTML.

Vulnerability CVE-2021-40444 patched

Vulnerability CVE-2021-40444 is located in the Windows MSHTML library and has been patched by Microsoft through security updates for Windows and/or Internet Explorer as of September 14, 2021. Vulnerability CVE-2021-40444 allows remote code execution (RCE), including via manipulated Office documents. MSHTML (rident) is the HTML rendering engine of Internet Explorer included in all previous Windows versions. I had reported about it in the blog post Patch day recap Sept. 2021: Update on MSHTML vulnerability CVE-2021-40444.


MSHMTL vulnerability

It is unclear whether the Microsoft security patch completely removes the vulnerability. Sophos writes in the above tweet that attackers are now making attempts to bypass this patch and exploit the vulnerability anyway. Between October 24 and 25, 2021, Sophos security researchers received a small number of spam email samples that contained corresponding file attachments. The attachments represent an escalation in the attackers' exploitation of the -40444 flaw and show that cyber criminals are looking for ways to exploit the vulnerability even on patched systems. Sophos published the details of the attacks in the blog post Attackers test "CAB-less 40444" exploit in a dry run.

Similar articles
Attack via Office Documents on Microsoft MSHTML (ActiveX) RCE Vulnerability (CVE-2021-40444)
MSHTML vulnerability CVE-2021-40444 more critical than known
Disaster Windows MSHTML vulnerability CVE-2021-40444, hopefully a patch will come today
Patch day recap Sept. 2021: Update on MSHTML vulnerability CVE-2021-40444
Windows attacks via 0-day in installer and vulnerability in MSHTML

Patchday: Windows 10-Updates (September 14, 2021)
Patchday: Windows 8.1/Server 2012 Updates (September 14, 2021)
Patchday: Updates for Windows 7/Server 2008 R2 (September 14, 2021)

Cookies helps to fund this blog: Cookie settings

This entry was posted in Office, Security, Windows and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published.