Dec 23 2021

Crooks bypass a Microsoft Office patch for CVE-2021-40444 to spread Formbook malware

Category: App Security, Malware | DISC @ 9:40 am

Cybercriminals have found a way to bypass the patch for a recent Microsoft Office vulnerability tracked as CVE-2021-40444 (CVSS score of 8.8). The bad news is that threat actors are using it to distribute the Formbook malware.

CVE-2021-40444 is a remote code execution flaw in Windows MSHTML.

The flaw can be exploited to achieve remote code execution on vulnerable systems. To exploit it, an attacker needs to trick the intended victim into opening a maliciously crafted document.

In September Microsoft warned of multiple threat actors, including ransomware operators, that were exploiting the Windows MSHTML remote code execution security flaw in attacks against organizations.

The IT giant said that threat actors started targeting this issue on August 18, before Microsoft shared mitigations for the vulnerability, using weaponized Office documents. The campaigns observed in August 2021 employed emails impersonating contracts and legal agreements; the messages carried documents hosted on file-sharing sites.

Microsoft addressed the flaw with the release of Microsoft Patch Tuesday security updates for September 2021.

The availability of proof-of-concept exploit code for this vulnerability caused a spike in attacks attempting to exploit it.

In the initial attacks observed by researchers, the malicious code downloaded a Microsoft Cabinet (CAB) archive containing a malicious executable. Microsoft's patch blocks the code path used to download the CAB archive, but threat actors are now bypassing the patch by embedding the Word document in a specially crafted RAR archive.
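As an added, defender-side illustration (not code from the original post): documents exploiting CVE-2021-40444 described in public analyses carry an OLE object relationship with an external target, which is what makes MSHTML fetch remote content, so a triage script can flag that pattern in any DOCX pulled out of an attachment, whether it arrived bare or inside a RAR. The sample documents, the `.invalid` hosts and the helper names are constructed for this example; unpacking the RAR itself is assumed to happen beforehand (for instance with a library such as `rarfile`), this step only inspects the resulting DOCX bytes.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
REL_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Constructed relationship parts: a benign document with an ordinary https
# hyperlink and an embedded (internal) OLE object, and a suspect one that
# adds an OLE object whose target is an external mhtml: URL.
BENIGN_RELS = (
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    f'<Relationship Id="rId1" Type="{REL_BASE}hyperlink" Target="https://example.invalid/terms" TargetMode="External"/>'
    f'<Relationship Id="rId2" Type="{REL_BASE}oleObject" Target="embeddings/oleObject1.bin"/>'
    "</Relationships>"
)
SUSPECT_RELS = BENIGN_RELS.replace(
    "</Relationships>",
    f'<Relationship Id="rId3" Type="{REL_BASE}oleObject" '
    'Target="mhtml:http://malicious.invalid/side.html" TargetMode="External"/>'
    "</Relationships>",
)

def build_docx(rels_xml: str) -> bytes:
    """Build a minimal DOCX (a ZIP container) around the given relationships part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()

def scan_docx(data: bytes) -> list:
    """Return (rels_part, rel_type, target) for every External relationship that
    is an OLE object or points at an mhtml: URL; embedded objects and plain
    https hyperlinks are normal in documents and are not reported."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(RELS_NS + "Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                rtype, target = rel.get("Type", ""), rel.get("Target", "")
                if rtype.endswith("/oleObject") or urlsplit(target).scheme.lower() == "mhtml":
                    findings.append((name, rtype.rsplit("/", 1)[-1], target))
    return findings

if __name__ == "__main__":
    for label, rels in (("benign", BENIGN_RELS), ("suspect", SUSPECT_RELS)):
        print(label, scan_docx(build_docx(rels)))
```

The same check applies to XLSX and PPTX parts, since they share the OPC relationship format.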

Tags: Learning Malware Analysis, Microsoft Office patch