A brief phishing campaign was noticed that took advantage of a unique exploit which circumvented a patch put in place by Microsoft to fix a remote code execution vulnerability affecting the MSHTML component, with the purpose of spreading Formbook malware. "The attachments represent an escalation of the attacker's abuse of the CVE-2021-40444 bug and demonstrate that even a patch can't always mitigate the actions of a motivated and sufficiently skilled attacker," SophosLabs researchers Andrew Brandt and Stephen Ormandy said in a new report.
CVE-2021-40444 (CVSS score: 8.8) is a remote code execution flaw in MSHTML that might be exploited using carefully designed Microsoft Office documents. Although Microsoft repaired the security flaw in its September 2021 Patch Tuesday releases, it has been used in various attacks since the flaw's information became public.
The same month, the technology giant discovered a targeted phishing campaign that used the vulnerability to install Cobalt Strike Beacons on affected Windows systems. According to Microsoft Threat Intelligence Center, the assaults exploited the vulnerability as part of an initial access effort that included modified Cobalt Strike Beacon loaders. These loaders communicated with an infrastructure associated with several cybercriminal schemes, including human-operated ransomware, according to Microsoft.
Sophos found a new campaign that seeks to circumvent the patch's safeguards by modifying a publicly accessible proof-of-concept Office exploit and weaponizing it to distribute Formbook malware. According to the cybersecurity firm, the attack's success can be due to a "too-narrowly focused patch."
"In the initial versions of CVE-2021-40444 exploits, the malicious Office document retrieved a malware payload packaged into a Microsoft Cabinet (or .CAB) file," the researchers explained. "When Microsoft's patch closed that loophole, attackers discovered they could use a different attack chain altogether by enclosing the maldoc in a specially crafted RAR archive."
The modified attack, known as CAB-less 40444, ran for 36 hours between October 24 and 25, during which spam emails containing a malformed RAR archive file were delivered to potential victims. In turn, the RAR file contained a script written in Windows Script Host (WSH) and a Word Document that, when opened, contacted a remote server hosting malicious JavaScript. As a result, the JavaScript code used the Word Document to start the WSH script and execute an embedded PowerShell command in the RAR file to retrieve the Formbook malware payload from an attacker-controlled website.
The fact that the modified RAR archive files wouldn't operate with older versions of the WinRAR software explains why the exploit vanished after just over a day of use. "Unexpectedly, in this case, users of the much older, obsolete version of WinRAR would have been better protected than users of the most recent release," the researchers wrote.
