by Bhabesh Raj Rai, Associate Security Analytics Engineer
On September 7, 2021, Microsoft released an advisory on a zero-day (CVE-2021-40444) vulnerability in Microsoft MSHTML that adversaries are actively exploiting through Microsoft Office documents. Microsoft has provided workarounds as temporary mitigation until they release a patch.
The zero-day is a remote code execution vulnerability in MSHTML, which is Microsoft’s proprietary browser engine for Internet Explorer. Adversaries are embedding malicious ActiveX controls in Microsoft Office documents that host the browser rendering engine. Victims only need to open the malicious documents for adversaries to get inside the network.
Even though Microsoft stated that Office opens documents from the internet in Protected View or Application Guard for Office, both of which prevent the current attack, the RTF attack vector is still open for exploitation. Adversaries can use several other bypasses for Protected View. Regardless, administrators should ensure they have Protected View enabled.
Trend Micro has observed Cobalt Strike beacons being delivered after attackers exploit the flaw. LogPoint customers can refer to our blog on detecting Cobalt Strike activity in their environment.
Detecting exploitation of the zero-day in LogPoint
Successful exploitation of the zero-day vulnerability via Office documents results in the spawning of control.exe by Office, which analysts can hunt for in process-creation events.
label="Process" label=Create
"process"="*\control.exe" parent_process IN ["*\winword.exe", "*\excel.exe", "*\powerpnt.exe"] -command="*\control.exe input.dll"
Administrators can take a closer look at suspicious domains contacted by Office using Sysmon’s registry events. LogPoint customers can refer to our base Sysmon configuration to detect both common and advanced threats.
norm_id=WindowsSysmon event_id=13
image IN ["*\winword.exe", "*\excel.exe", "*\powerpnt.exe"] target_object="*\EnableBHO"
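The two hunts above (control.exe spawned by an Office process, and an Office process writing an EnableBHO registry value) expressed as plain Python over normalized events, as an added example that is not LogPoint's own code; the field names mirror the queries, the sample events are constructed, and the wildcard matching assumes the same case-insensitive "*" globbing the queries use.

```python
import fnmatch

OFFICE_APPS = ["*\\winword.exe", "*\\excel.exe", "*\\powerpnt.exe"]

def matches_any(value, patterns):
    # Case-insensitive '*' wildcard matching, mirroring the globs in the queries above.
    v = value.lower()
    return any(fnmatch.fnmatchcase(v, p.lower()) for p in patterns)

def is_office_spawned_control_exe(event):
    """control.exe created by an Office process, excluding the usual 'control.exe input.dll' launch."""
    return (event.get("event_type") == "process_create"
            and matches_any(event.get("process", ""), ["*\\control.exe"])
            and matches_any(event.get("parent_process", ""), OFFICE_APPS)
            and not matches_any(event.get("command", ""), ["*\\control.exe input.dll"]))

def is_office_enablebho_write(event):
    """Sysmon event 13 (registry value set): an Office process writing an EnableBHO value."""
    return (event.get("event_type") == "sysmon" and event.get("event_id") == 13
            and matches_any(event.get("image", ""), OFFICE_APPS)
            and matches_any(event.get("target_object", ""), ["*\\EnableBHO"]))

def hunt(events):
    """Return (event index, rule name) for every event that trips one of the two rules."""
    hits = []
    for i, ev in enumerate(events):
        if is_office_spawned_control_exe(ev):
            hits.append((i, "office_spawned_control_exe"))
        if is_office_enablebho_write(ev):
            hits.append((i, "office_enablebho_registry_write"))
    return hits

# Constructed sample events (not real telemetry); paths, SIDs and the CLSID are illustrative.
SAMPLE_EVENTS = [
    {"event_type": "process_create", "process": "C:\\Windows\\System32\\control.exe",
     "parent_process": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "command": "C:\\Windows\\System32\\control.exe input.dll"},  # excluded by -command
    {"event_type": "process_create", "process": "C:\\Windows\\System32\\control.exe",
     "parent_process": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "command": "C:\\Windows\\System32\\control.exe C:\\Users\\Public\\other.dll"},  # flagged
    {"event_type": "process_create", "process": "C:\\Windows\\System32\\control.exe",
     "parent_process": "C:\\Windows\\explorer.exe", "command": "control.exe"},  # not from Office
    {"event_type": "sysmon", "event_id": 13,
     "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "target_object": "HKU\\S-1-5-21-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats"
                      "\\{00000000-0000-0000-0000-000000000000}\\iexplore\\EnableBHO"},  # flagged
]

if __name__ == "__main__":
    for idx, rule in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```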
Microsoft has stated that both Microsoft Defender Antivirus and Microsoft Defender for Endpoint detect malicious files as long as the definitions are up-to-date. Organizations using only Microsoft Defender for Endpoint should ensure that they have placed their EDR in block mode.
label=Threat label=Detect threat="TrojanDownloader:O97M/Donoff.SA"
We advise administrators to perform an enterprise-wide IoC sweep to check if their organizations have been targeted.
(domain IN ["joxinu.com", "hidusi.com", "dodefoh.com", "macuwuf.com"] OR query IN ["joxinu.com", "hidusi.com", "dodefoh.com", "macuwuf.com"])
The serious flaw requires proactive hunting
Detecting post-exploitation activity is one way that defenders can detect possible exploitation of zero-day vulnerabilities in their environment. The flaw is very serious and we expect attackers to use it extensively for many years. Since no patch is yet available and bypasses exist for the workarounds, enterprise defenders must remain vigilant and proactively hunt for threats in their network.