23 December 2021

Hackers use a novel workaround exploit to bypass patched Microsoft Office flaw

Security researchers at SophosLabs have detailed a recently discovered spam campaign that leveraged a novel workaround exploit to bypass a patch for a critical vulnerability (CVE-2021-40444) in Microsoft Office to deliver the Formbook malware.

The vulnerability resides within the MSHTML component and can be exploited by a remote attacker to execute arbitrary code on the vulnerable system. This requires the attacker to trick the victim into opening a specially crafted Office document with a malicious ActiveX control inside. Microsoft fixed the issue as part of its September 2021 Patch Tuesday updates.

In the new campaign detected by Sophos, threat actors used a modified version of a publicly available proof-of-concept Office exploit to distribute the Formbook malware, an infostealer that has been around since 2016.

"In the initial versions of CVE-2021-40444 exploits, the malicious Office document retrieved a malware payload packaged into a Microsoft Cabinet (or .CAB) file. When Microsoft’s patch closed that loophole, attackers discovered they could use a different attack chain altogether by enclosing the maldoc in a specially-crafted RAR archive. Because it doesn’t actually use the CAB-style attack method, we’ve called it the CAB-less 40444 exploit," SophosLabs researchers explained.

The researchers believe that the short 36-hour campaign they observed between October 24 and 25 was a “dry run” experiment that might return in future incidents.

The observed campaign involved spam emails containing a malformed RAR archive file, which in turn included a script written for Windows Script Host (WSH) and a Word document. When opened, the document triggered a process that ran the front-end script, eventually leading to a Formbook infection.

“In theory, this attack just shouldn’t work. But it does because there had been assumptions about how the exploit works that led to a too-narrowly focused patch. It also worked because WinRAR is unique in that it treats any file that contains the correct magic bytes as an archive, no matter where the magic bytes appear in the file. Taken as a whole these led to a set of expectations that weren’t met by the attackers who modified the attack method in this case,” Sophos researchers wrote.
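The WinRAR behaviour described above, where an archive is recognised by its magic bytes wherever they sit in the file, is something a defender can check for directly. The following triage helper is an added example written for this article, not code from Sophos or from the campaign; it flags files whose RAR header is not at offset 0 and reports whether the bytes in front of it look like plain text (as a script prefix would). The RAR 4 and RAR 5 signature values are the well-known ones, and the sample input is constructed here for illustration.

```python
"""Flag files that carry a RAR header somewhere other than offset 0."""
import re
from typing import Dict, List, Tuple

# Well-known RAR signatures: RAR 4.x and RAR 5.x (not taken from the article).
_SIG_RE = re.compile(rb"Rar!\x1a\x07(?:\x01)?\x00")


def find_rar_offsets(data: bytes) -> List[Tuple[int, str]]:
    """Return (offset, version) for every RAR header found in `data`."""
    hits = []
    for m in _SIG_RE.finditer(data):
        version = "RAR5" if m.group(0).endswith(b"\x01\x00") else "RAR4"
        hits.append((m.start(), version))
    return hits


def preamble_is_text(data: bytes, offset: int) -> bool:
    """True if everything before `offset` is printable ASCII (script-like)."""
    head = data[:offset]
    return bool(head) and all(32 <= b < 127 or b in b"\r\n\t" for b in head)


def triage(data: bytes) -> Dict[str, object]:
    """Classify a blob as 'not-rar', 'rar' (header at 0) or 'embedded-rar'."""
    hits = find_rar_offsets(data)
    if not hits:
        return {"verdict": "not-rar", "offset": None, "text_preamble": False}
    offset, version = hits[0]
    if offset == 0:
        return {"verdict": "rar", "offset": 0, "version": version,
                "text_preamble": False}
    # A RAR header after a text prefix is the pattern worth escalating:
    # WinRAR will still open it, while many scanners key on the first bytes.
    return {"verdict": "embedded-rar", "offset": offset, "version": version,
            "text_preamble": preamble_is_text(data, offset)}


# Constructed sample: a harmless one-line script followed by a RAR 5 header.
SAMPLE = b"WScript.Echo 1\r\n" + b"Rar!\x1a\x07\x01\x00" + b"\x00" * 8

if __name__ == "__main__":
    print(triage(SAMPLE))
```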

“This research is a reminder that patching alone cannot protect against all vulnerabilities in all cases,” they added. “Setting restrictions that prevent a user from accidentally triggering a malicious document helps, but people can still be lured into clicking the 'enable content' button.”
