Security researchers at SophosLabs have detailed a recently discovered spam campaign that leveraged a novel workaround exploit to bypass a patch for a critical vulnerability (CVE-2021-40444) in Microsoft Office to deliver the Formbook malware.
The vulnerability resides in the MSHTML component and can be exploited by a remote attacker to execute arbitrary code on a vulnerable system. Exploitation requires tricking the victim into opening a specially crafted Office document containing a malicious ActiveX control. Microsoft fixed the issue as part of its September 2021 Patch Tuesday updates.
In the new campaign detected by Sophos, threat actors used a modified version of a publicly available proof-of-concept Office exploit to distribute the Formbook malware, an infostealer that has been around since 2016.
"In the initial versions of CVE-2021-40444 exploits, the malicious Office document retrieved a malware payload packaged into a Microsoft Cabinet (or .CAB) file. When Microsoft's patch closed that loophole, attackers discovered they could use a different attack chain altogether by enclosing the maldoc in a specially-crafted RAR archive. Because it doesn't actually use the CAB-style attack method, we've called it the CAB-less 40444 exploit," SophosLabs researchers explained.
The researchers believe that the short 36-hour campaign they observed between October 24 and 25 was a "dry run" experiment that might return in future incidents.
The observed campaign involved spam emails carrying a malformed RAR archive that, in turn, contained a Windows Script Host (WSH) script and a Word document. When opened, the document triggered a process that ran the front-end script, eventually leading to a Formbook infection.
“In theory, this attack just shouldn’t work. But it does because there had been assumptions about how the exploit works that led to a too-narrowly focused patch. It also worked because WinRAR is unique in that it treats any file that contains the correct magic bytes as an archive, no matter where the magic bytes appear in the file. Taken as a whole these led to a set of expectations that weren’t met by the attackers who modified the attack method in this case,” Sophos researchers wrote.
“This research is a reminder that patching alone cannot protect against all vulnerabilities in all cases,” they added. “Setting restrictions that prevent a user from accidentally triggering a malicious document helps, but people can still be lured into clicking the 'enable content' button.”
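The WinRAR behaviour the researchers describe (any file is treated as an archive if the RAR magic bytes appear anywhere in it) suggests a simple triage check. The following scanner is an added example, not code from Sophos or the campaign; it flags files whose RAR signature sits at a non-zero offset, and the sample bytes it scans are constructed, not real malware.

```python
# Added example: flag "polyglot" files that carry a RAR signature away from
# offset 0, the trait the malformed RAR archive described above relies on.
import sys

# RAR 4.x signature is Rar!\x1a\x07\x00; RAR 5 is Rar!\x1a\x07\x01\x00.
RAR_PREFIX = b"Rar!\x1a\x07"


def find_rar_signatures(data: bytes) -> list:
    """Return every (offset, version) at which a RAR signature occurs."""
    hits = []
    start = 0
    while True:
        idx = data.find(RAR_PREFIX, start)
        if idx == -1:
            break
        version = 5 if data[idx + 6:idx + 8] == b"\x01\x00" else 4
        hits.append((idx, version))
        start = idx + 1
    return hits


def classify(data: bytes) -> str:
    """'no-rar', 'rar-at-offset-0' (ordinary archive) or 'rar-embedded'."""
    hits = find_rar_signatures(data)
    if not hits:
        return "no-rar"
    if hits[0][0] == 0:
        return "rar-at-offset-0"
    return "rar-embedded"


def scan_file(path: str) -> str:
    with open(path, "rb") as fh:
        return classify(fh.read())


# Constructed samples: a WSH-style text preamble followed by a RAR 5 header
# (the embedded case), and a plain archive that starts with the signature.
SAMPLE_PREAMBLE = b'WScript.Echo("constructed sample")\r\n'
SAMPLE_EMBEDDED = SAMPLE_PREAMBLE + b"Rar!\x1a\x07\x01\x00" + b"\x00" * 16
SAMPLE_CLEAN = b"Rar!\x1a\x07\x00" + b"\x00" * 16

if __name__ == "__main__":
    for p in sys.argv[1:]:
        print(p, scan_file(p))
```

Files classified as rar-embedded warrant a closer look in mail-gateway or endpoint triage, since a legitimate archive has its signature at offset 0.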