Posted on December 24, 2021 at 3:22 PM

Attackers bypass security patch on the MSHTML flaw

Research has unveiled a phishing campaign carrying out exploits that managed to bypass a security patch installed by Microsoft. The patch in question was used to fix a vulnerability in the remote code execution. The exploit was done to deliver Formbook malware to users.

The exploit revealed that hackers with enough motivation and a strong skillset can still bypass security patches put in place.

Hackers bypass Microsoft security patch

Researchers with SophosLabs, Andrew Brandt and Stephen Ormandy, issued a report on this exploit, stating “the attachments represent an escalation of the attacker’s abuse of the CVE-2021-40444 bug and demonstrate that even a patch can’t always mitigate the actions of a motivated and sufficiently skilled attacker.”

Microsoft identified a security weakness in MSHTML, CVE-2021-40444, with a CVSS score of 8.8. The security weakness can be exploited using Microsoft Office documents that have been specially created.

In September 2021, Microsoft identified this security weakness, releasing a patch in its “Patch Tuesday updates”. However, after Microsoft made this weakness known to the public, it has been exploited by several threat actors to launch a series of attacks.

In September, Microsoft also identified another targeted phishing campaign. This phishing campaign took advantage of this vulnerability to executive Cobalt Strike Beacons on Windows systems that were compromised.

In November, a report published by SafeBreach labs further showed how threat actors were using the vulnerability for targeted attacks. The report stated that an Iranian threat actor was targeting Farsi-speaking victims. The attacker used a new PowerShell information stealer to collect sensitive personal details from the targeted victims.

While the vulnerability has already been patched, the report by Sophos looks at how the threat actors managed to bypass the security measures introduced by the patch. The threat actors managed to do this by morphing a proof-of-concept Office exploit that was publicly available. They later configured it to distribute the Formbook malware.

Sophos Labs noted that the attack had been crafted by a skilled attacker. However, the report notes that the attacker could have managed to bypass this patch because it was “too-narrowly focused.

The researchers further explained that “in the initial versions of CVE-2021-40444 exploits, [the] malicious Office document retrieved a malware payload packaged into a Microsoft Cabinet (or .CAB) file. When Microsoft’s patch closed that loophole, attackers discovered they could use a different attack chain altogether by enclosing the maldoc in a specially crafted RAR archive.”

Exploit was only active for 36 hours

The researchers noted that the modified exploit remained active for only 36 hours between October 24 and 25. During this time, spam emails that contained archive files with the malformed RAR were distributed to targeted victims.

The RAR file sent in the email had a script developed in Windows Script Host (WSH). It also contained a Microsoft Word document. A targeted victim that opened this document led to their device contracting a remote server that contained malicious JavaScript.

The JavaScript code used in the attack exploited the word document by using it as a link to launch the WSH script. This enabled the execution of an underlying PowerShell command in the RAR file. Afterwards, the Formbook malware was retrieved from a website controlled by the threat actor.

The research has not given any clues on why the exploit vanished after 36 hours of use. However, some researchers have explained that it could be because of the workability of modified RAR archive files. These files could not work with previous versions of the WinRAR utility.

Therefore, users that had not updated their WinRAR but used older versions were protected from the attack, compared to the users that used a much recent version. The research concludes by reminding users that a patch alone cannot protect against future vulnerabilities.

A Principal Researcher at Sophos Labs, Andrew Brandt, noted that setting restrictions to users cannot protect users from accidentally installing malicious software on their devices by opening documents sent to them. He also noted that those who fail to open a malicious document could still be targeted using the “enable content button.”

Brandt further added that “it is therefore vitally important to educate employees and remind them to be suspicious of emailed documents, especially when they arrive in unusual or unfamiliar compressed file formats from people or companies they don’t know.”

Microsoft is yet to issue an official statement regarding this exploit. However, one of the company’s representatives said, “we are investigating these reports and will take appropriate action as needed to help keep customers protected.”