Researchers have detected the use of a novel exploit able to bypass a patch for a critical vulnerability CVE-2021-40444 affecting the Microsoft Office file format. The attackers took a publicly available PoC of an Office exploit and weaponized it to deliver Formbook malware. The attackers then distributed it through spam emails for approximately 36 hours before it disappeared.
CAB to “CAB-less” exploit
The CVE-2021-40444 vulnerability is a critical RCE vulnerability that attackers can exploit to execute any code or commands on a target machine without the owner’s knowledge. Microsoft released an urgent mitigation followed by a patch in September followed by the methods of exploiting the flaw to deliver custom Cobalt Strike payloads
Researchers discovered that attackers have reworked the original exploit by placing the malicious Word document inside a specially crafted RAR archive. The newer, “CAB-less” form of the exploit successfully evades the original patch.
The exploit was used in the wild as a trial run. The limited lifespan of the updated attack could mean it was a “dry run” experiment that might return in future incidents.
The pre-patch versions of the attack involved malicious code packaged into a Microsoft Cabinet file. When Microsoft’s patch closed that loophole, attackers discovered a PoC shows how to bundle the malware into a different compressed file format, a RAR archive. RAR archives have been used before to distribute malicious code, but the process used here was unusually complicated. It likely succeeded only because the patch’s remit was very narrowly defined and because the WinRAR program that users need to open the RAR is very fault tolerant and doesn’t appear to mind if the archive is malformed, for example, because it’s been tampered with.
Chain of Infections
The researchers found that the attackers had created an abnormal RAR archive that had a PowerShell script prepending a malicious Word document stored inside the archive.
The attackers created and distributed spam emails that included the malformed RAR file as an attachment. The emails invited recipients to uncompress the RAR file to access the Word document. Opening the Word document triggered a process that ran the front-end script, leading eventually to an infection with Formbook malware.
Setting restrictions that prevent a user from accidentally triggering a malicious document helps, but people can still be lured into clicking the ‘enable content’ button. It is therefore vitally important to educate employees and remind them to be suspicious of emailed documents, especially when they arrive in unusual or unfamiliar compressed file formats from people or companies they don’t know. If in doubt, always check with the sender or someone in IT.
Indicators of Compromise