Crooks bypass a Microsoft Office patch for CVE-2021-40444 to spread Formbook malware

Pierluigi Paganini December 23, 2021

Crooks discovered how to bypass the patch for a recent Microsoft Office vulnerability (CVE-2021-40444) and are using it to distribute Formbook malware.

Cybercriminals have found a way to bypass the patch for a recent Microsoft Office vulnerability tracked as CVE-2021-40444 (CVSS score of 8.8). The bad news is that threat actors are using it to distribute the Formbook malware.

CVE-2021-40444 is a remote code execution flaw in MSHTML, the browser rendering engine used by Windows and Office.

The security defect can be exploited to achieve remote code execution on vulnerable systems; an attacker looking to exploit the bug needs to trick the intended victim into opening a maliciously crafted document.

In September Microsoft warned of multiple threat actors, including ransomware operators, that were exploiting the Windows MSHTML remote code execution security flaw in attacks against organizations.

The IT giant said that threat actors began targeting this issue on August 18, before Microsoft shared mitigations for the vulnerability, using weaponized Office documents. The campaigns observed in August 2021 employed emails impersonating contracts and legal agreements; the documents they pointed to were hosted on file-sharing sites.

Microsoft addressed the flaw with the release of Microsoft Patch Tuesday security updates for September 2021.

The availability of proof-of-concept exploit code for this vulnerability caused a spike in attacks attempting to exploit it.

In the initial attacks observed by the researchers, the malicious code downloads a Microsoft Cabinet (CAB) archive containing a malicious executable. The patch developed by Microsoft prevents the execution of the code to download the CAB archive, but now threat actors are bypassing the patch by incorporating a Word document in a specially crafted RAR archive.

“In the initial versions of CVE-2021-40444 exploits, malicious Office document retrieved a malware payload packaged into a Microsoft Cabinet (or .CAB) file. When Microsoft’s patch closed that loophole, attackers discovered they could use a different attack chain altogether by enclosing the maldoc in a specially-crafted RAR archive,” reads the analysis published by Sophos. “Because it doesn’t actually use the CAB-style attack method, we’ve called it the CAB-less 40444 exploit.”

[Image: infographic of the CAB-less MSHTML (CVE-2021-40444) exploit chain]

Sophos researchers observed threat actors spreading the RAR archives through a malspam campaign that lasted roughly 36 hours, on October 24 and 25. After October 25 the threat actors halted the campaign, a circumstance that suggests the attackers were conducting a “dry run” experiment.

The spam messages carry an archive file named Profile.rar, whose notable characteristic is that it is malformed: the attackers prepended a script written in Windows Scripting Host notation to the RAR file, with the malicious Word document immediately following the script text.

Upon opening the archive to access the document, the script is executed to drop the Formbook malware on the victim’s system.

Experts explained that, in theory, this attack simply should not work. It works because assumptions about how the exploit operates led to a too-narrowly focused patch, and because WinRAR treats any file that contains the correct magic bytes as an archive, no matter where in the file those magic bytes appear.
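The WinRAR behaviour described above, where the archive signature is honoured at any offset, is exactly what a mail gateway or sandbox can check for. The following is an added detection example, not code from Sophos or from this article: it locates the real RAR signatures (the documented `Rar!` magic for RAR 4.x and 5.x) in an attachment and flags any archive whose signature is not at offset 0, with a crude, constructed set of Windows Scripting Host markers used to characterise the prepended bytes. The sample files are constructed in place and the "script" prefix is an inert stub.

```python
# Flag RAR attachments whose signature does not sit at offset 0, i.e. data
# (such as script text) has been prepended to the archive. WinRAR still opens
# such files, so scanners should not rely on the signature being at offset 0.

RAR4_MAGIC = b"Rar!\x1a\x07\x00"      # documented RAR 1.5-4.x signature
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"  # documented RAR 5.x signature

# Constructed, deliberately crude markers of Windows Scripting Host text.
WSH_HINTS = (b"<job", b"<script", b"WScript", b"CreateObject")

SCAN_LIMIT = 1024 * 1024  # only search the first MiB for a signature


def find_rar_offset(data: bytes) -> int:
    """Offset of the earliest RAR signature in data, or -1 if none is found."""
    hits = [data.find(m, 0, SCAN_LIMIT) for m in (RAR4_MAGIC, RAR5_MAGIC)]
    hits = [h for h in hits if h != -1]
    return min(hits) if hits else -1


def analyze_rar_attachment(data: bytes) -> dict:
    """Classify a blob as clean RAR, RAR with prepended data, or not a RAR."""
    offset = find_rar_offset(data)
    prefix = data[:offset] if offset > 0 else b""
    script_like = any(h in prefix for h in WSH_HINTS)
    if offset == -1:
        verdict = "not_rar"
    elif offset == 0:
        verdict = "clean_rar"
    elif script_like:
        verdict = "script_prepended_rar"   # the pattern described in the article
    else:
        verdict = "prepended_data_rar"     # malformed, but no script markers seen
    return {"offset": offset, "prepended_bytes": len(prefix),
            "script_like_prefix": script_like, "verdict": verdict}


# Constructed samples: a run of zero bytes stands in for real RAR headers.
FAKE_BODY = b"\x00" * 32
CLEAN_SAMPLE = RAR4_MAGIC + FAKE_BODY
# An inert WSF-style stub stands in for the prepended script text.
POLYGLOT_SAMPLE = (b'<job id="x"><script language="JScript">\r\n'
                   b"// constructed placeholder, does nothing\r\n"
                   b"</script></job>\r\n" + RAR4_MAGIC + FAKE_BODY)

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_SAMPLE), ("polyglot", POLYGLOT_SAMPLE)):
        print(name, analyze_rar_attachment(blob))
```

In production the same check belongs next to the magic-byte identification step, since a detector that only trusts the file extension or the first bytes will classify such a file as plain text.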

“The attachments represent an escalation of the attacker’s abuse of the -40444 bug and demonstrate that even a patch can’t always mitigate the actions of a motivated and sufficiently skilled attacker,” Sophos concludes.

“One thing that we noticed in the course of this investigation is that WinRAR’s ability to function with these modified rar archive files was limited to recent editions of the program. When we originally tested this on a testbed machine, the version of WinRAR installed on it (3.61) could not open the archive, throwing an error that indicated it was (correctly) not in its proper form.”
