Details of a high severity remote code execution (RCE) vulnerability in Microsoft’s proprietary browser engine ‘MSHTML’, also known as ‘Trident’, were released by Microsoft on September 7, 2021, and promptly followed by reports of active exploitation in the wild.
Identified as CVE-2021-40444 and assigned a CVSS score of 8.8, the vulnerability is understood to have been exploited through the delivery of a weaponized Microsoft Office document that uses an ActiveX control to download a remote malicious payload, which is then executed on the victim machine.
Whilst the MSHTML component is commonly used by Internet Explorer, a now defunct browser, many third-party Windows applications, including Microsoft Office, continue to utilize it and therefore all currently supported versions of Microsoft Windows are potentially vulnerable.
Given the timing of this incident, it is hoped that Microsoft will address this in its September 14, 2021 ‘Patch Tuesday’ release, although no details of a fix for this issue have been released as yet.
Undoubtedly delivered to victims via email in the first instance, the weaponized Microsoft Office document attachment is thought to contain a specially crafted ActiveX control that exploits the remote code execution (RCE) vulnerability in MSHTML and leads to the download of an additional payload.
Although technical details of the vulnerability remain vague, reports suggest that it was used in a campaign identified as early as September 1, 2021, with the lure document masquerading as a ‘Small Claims Court’ letter, albeit bearing a Saudi Aramco logo.
Notably, ‘Protected View’ in Microsoft Office and ‘Application Guard’ in Microsoft Office 365 would by default prevent this malicious active content from executing, so an initial lure email would likely attempt to socially engineer the recipient into bypassing or ignoring any security warnings.
Once the victim has been convinced to open the document and disable security controls, the ActiveX component executes and a Microsoft Cabinet (.cab) file is downloaded from a remote server; a dynamic link library (DLL) payload is then extracted from it and executed using rundll32.exe.
In the observed incident, the resulting payload appears to be Cobalt Strike, a legitimate commercial tool often used by red teams, which, once operational, would provide the threat actor with numerous remote access capabilities including command execution, file transfer, keylogging and privilege escalation.
Whilst there is little detail of these in-the-wild exploitation attempts, the use of a Saudi Aramco logo does not appear consistent with the text of the US-based small claims court lure. Regardless, the increased publicity surrounding this vulnerability and incident may prompt those originally responsible for delivering these exploits to update or modify their campaign, as well as others seeking to capitalize on the attack vector before it is fixed by Microsoft.
For reference, the following indicators of compromise (IOC) relate to the reported exploitation of this vulnerability prior to Microsoft publishing details and are provided to assist threat hunters in checking their own environments.
The following Cobalt Strike configuration was extracted from a payload related to the recently observed campaign:
{
  "BeaconType": [
    "HTTPS"
  ],
  "Port": 443,
  "SleepTime": 5000,
  "MaxGetSize": 2796542,
  "Jitter": 22,
  "C2Server": "dodefoh[.]com,/ml.html,joxinu[.]com,/hr.html",
  "HttpPostUri": "/ky",
  "Malleable_C2_Instructions": [
    "Remove 338 bytes from the beginning",
    "Base64 decode",
    "NetBIOS decode 'A'"
  ],
  "SpawnTo": "AAAAAAAAAAAAAAAAAAAAAA==",
  "HttpGet_Verb": "GET",
  "HttpPost_Verb": "POST",
  "HttpPostChunk": 0,
  "Spawnto_x86": "%windir%\syswow64\rundll32.exe",
  "Spawnto_x64": "%windir%\sysnative\rundll32.exe",
  "CryptoScheme": 0,
  "Proxy_Behavior": "Use IE settings",
  "Watermark": 1580103814,
  "bStageCleanup": "True",
  "bCFGCaution": "False",
  "KillDate": 0,
  "bProcInject_StartRWX": "False",
  "bProcInject_UseRWX": "False",
  "bProcInject_MinAllocSize": 16583,
  "ProcInject_PrependAppend_x86": [
    "kJCQkJA=",
    "Empty"
  ],
  "ProcInject_PrependAppend_x64": [
    "kJCQkJA=",
    "Empty"
  ],
  "ProcInject_Execute": [
    "CreateThread",
    "CreateRemoteThread",
    "RtlCreateUserThread"
  ],
  "ProcInject_AllocationMethod": "VirtualAllocEx",
  "bUsesCookies": "True",
  "HostHeader": ""
}
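The three "Malleable_C2_Instructions" above describe how the beacon unwraps tasking data hidden in an HTTP response from its C2 server. The following Python is an added example, not part of this advisory or of any Cobalt Strike tooling: it applies that transform chain to a response body so an analyst can recover the tasking from captured traffic. The 338-byte prepend length and the 'A' base letter are taken from the extracted configuration; the sample response is constructed locally.

```python
import base64

# Transform chain from the extracted beacon config on this page:
#   "Remove 338 bytes from the beginning", "Base64 decode", "NetBIOS decode 'A'"
PREPEND_LEN = 338
NETBIOS_BASE = ord("A")


def netbios_decode(data: bytes, base: int = NETBIOS_BASE) -> bytes:
    """Reverse NetBIOS nibble encoding: each original byte is stored as two
    characters, high nibble first, each offset by the base letter ('A' here)."""
    if len(data) % 2:
        raise ValueError("NetBIOS-encoded data must have even length")
    out = bytearray()
    for i in range(0, len(data), 2):
        hi, lo = data[i] - base, data[i + 1] - base
        if not (0 <= hi <= 15 and 0 <= lo <= 15):
            raise ValueError(f"pair at offset {i} is not NetBIOS '{chr(base)}' encoded")
        out.append((hi << 4) | lo)
    return bytes(out)


def netbios_encode(data: bytes, base: int = NETBIOS_BASE) -> bytes:
    """Forward transform; only used here to build the constructed sample."""
    return bytes(b for byte in data for b in (base + (byte >> 4), base + (byte & 0xF)))


def decode_beacon_response(body: bytes) -> bytes:
    """Apply the profile's steps in beacon order: strip the prepended filler,
    base64-decode, then NetBIOS-decode to recover the tasking bytes."""
    if len(body) < PREPEND_LEN:
        raise ValueError("response shorter than the 338-byte prepend; not this profile")
    stripped = body[PREPEND_LEN:]
    b64_decoded = base64.b64decode(stripped, validate=True)  # rejects stray bytes
    return netbios_decode(b64_decoded)


def build_sample_response(tasking: bytes) -> bytes:
    """Constructed sample (not captured traffic): wrap plaintext the way the
    server side of this profile would, i.e. NetBIOS encode, base64, prepend."""
    filler = b"<!--" + b"x" * (PREPEND_LEN - 4)  # exactly 338 bytes of junk
    return filler + base64.b64encode(netbios_encode(tasking))


if __name__ == "__main__":
    sample = build_sample_response(b"constructed tasking payload")
    print(decode_beacon_response(sample))
```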