On September 7th, a new vulnerability was discovered in MSHTML that allows attackers to achieve remote code execution (RCE) on targeted assets. RCE vulnerabilities like this one, now released under CVE-2021-40444, are especially dangerous to operations because they allow attackers to take full control of an asset. This exploit uses features of Microsoft Office and Internet Explorer together to deploy malware with little or no user interaction, making it a particularly viable tool in hackers’ arsenal if unmitigated.
Read on for info about the procedure attackers are using or scroll to the bottom to get straight to mitigation.
Attack Vector Overview
Since Microsoft’s announcements about the CVE-2021-40444 exploit, multiple sources have released ‘proof of concept’ videos. No related code has been released yet, but TXOne Networks’ research team has researched, reproduced and documented the methods that attackers are using to take advantage of this exploit.
Methods of attack based on this CVE can be roughly divided into two vectors. The first requires a user to click and accept a prompt that allows RCE, while the second is a zero-click RCE. The key idea for this attack, regardless of vector, is that the Internet Explorer browser downloads and installs an ActiveX package.
The Exploit Process in Detail
Part A: Triggering Internet Explorer
Method 1: Linked-Object Refreshing
This first technique was researched and shared by Rich Warren via his Twitter account. As his video shows, the attack is triggered via an icon embedded in a Microsoft Word document. When clicked by a user, it executes code and allows the attacker to take over the system.
As this picture shows, it’s based on a feature in MS Office. To prepare the file, an attacker creates a binary object by going to Insert > Object… > From File… in MS Office, and entering the URL. When the created object is activated, MS Office makes a network request to the URL to get the current content and then parse it for display. For all requests made using the ‘Link to file’ option, MS Office will always make a network request through the IE engine mshtml.dll to retrieve the content when users click on the icon.
When one uses a tool supporting the OLE2 format to view the document file, a document.xml.rels (XML format) file is visible – this is used to store the information of files imported into Office. The Target field holds the HTML link, and attackers might make this into an mhtml prefix to ensure that the URL will be parsed by Internet Explorer’s low-security mode. Another field TargetMode is set to the value “External”, which is to ensure Office will always fetch content using Internet Explorer.
Method 2: Linked-Bitmap Refreshing
One of the most surprising aspects of exploits based on CVE-2021-40444 is that exploits based on it don’t require user interaction. With a simple click, the malicious document file is activated and attackers have accomplished RCE.
Because the exploit uses a vulnerability based in Internet Explorer, attackers must ensure that the URL is fetched by Internet Explorer’s engine. With this in mind, how can attackers make a zero-click document that launches an IE request automatically when users open it?
The above picture shows sample 53b31e513d8e23e30b7f133d4504ca7429f0e1fe, which is an MS Office document from VirusTotal. The blue-green photo is there to take advantage of a feature in MS Office that runs in the background to refresh the photo automatically from the internet.
Using tools with OLE2 support to view the XML configuration, we can see that this malware sample uses the same tricks we mentioned previously. The Target field is set to the malicious URL that points to the IE exploit page, and TargetMode is set to the value “External”. With these settings, Office automatically launches an IE request to fetch the latest photo content, activating this malicious URL as soon as the malicious document is opened.
Part B: Exploiting MSHTML
The attacker’s goal here is remote code execution, which they achieve by taking advantage of two issues in IE’s browser engine:
- When installing an ActiveX package, IE needs to verify the digital signature of its PE (Portable Executable) modules, so it will first extract all files from the package to the Temp folder at %APPDATA%.
- IE will automatically open the path of the ActiveX package by cloning a new tab and pasting the path to the browser’s address bar.
By leveraging these two issues, attackers can achieve remote code execution. However, few users will use IE as their default browser, so one of the two previously-mentioned MS Office-based techniques (linked-object or linked-bitmap refreshing) is necessary to ensure a target opens the exploit URL via IE’s engine.
A sample making use of this IE exploit can be found on VirusTotal (d0fd7acc38b3105facd6995344242f28e45f5384c0fdf2ec93ea24bfbc1dc9e6). When the attacker’s web page is opened, the IE engine will launch an XMLHttpRequest to download a malicious ActiveX package (*.CAB).
Once the download is complete, the IE will immediately extract all files from the package, and malware is now in the file system. After that, IE will try to open the path from the location field of the iframe DOM (Document Object Model) by pasting it into the URL input box. Finally, IE runs control.exe to load the malware DLL module if the URL path starts with “.cpl:”. The inclusion of “.cpl:” is to indicate it’s a plugin of control.exe that should be opened with control.exe.
Note: The necessary path for the malware is unpredictable for attackers because of potential variations in IE’s design, but files downloaded by IE must be placed in the Temp folder. Attackers need to use multiple iframes to brute-force the correct one to achieve code execution.
Remark: ActiveX Signature Verification Bypass
Normally, the IE browser must verify the digital signature of the ActiveX package – malware should be dropped, because it lacks this signature. However, attackers have modified the CFFILE structure of the malware record in the CAB file, causing IE to crash during the extraction. As a result, the extracted malware won’t be removed even if it’s totally not signed.
Thus, when users open an Office document, a user account control (UAC) alert will pop up asking if users want to accept or reject this ActiveX installation. Regardless of what the user chooses, the malware has already been deployed and attackers will be able to take over the computer.
Techniques Mapped by ATT&CK Enterprise
T1587.001, T1588.001 (Malware)
T1587.004, T1588.005, T1588.006 (Exploit)
T1608.001 (Upload Malware), T1608.004 (Drive-by Target), T1608.005 (Link Target)
T1203 (Exploitation for Client Execution)
T1204.001(Malicious Link), T1204.002 (Malicious File)
We’ve released a signature set on 2021/09/09 which immediately mitigates cyber risk to CVE-2021-40444.
Please update to the following signature versions:
EdgeIPS Pro – TM_IPSP_210909_14
EdgeIPS LE – TM_IPSLE_210909_14
EdgeIPS/EdgeFire – TM_210909_15
According to TXOne Networks’ out of cycle (OoC) release for CVE-2021-40444, these are the signatures matching exploits based on this CVE:
- 1139683 MALWARE-C2 Trojan.W97M.CVE202140444.A DNS Query -1
- 1139680 MALWARE-C2 Trojan.W97M.CVE202140444.A DNS Query -2
- 1139681 MALWARE-C2 Trojan.W97M.CVE202140444.A DNS Query -3
- 1139682 MALWARE-C2 Trojan.W97M.CVE202140444.A DNS Query -4
With the pattern update released on September 17th, StellarProtect can detect and resist these exploits based on CVE-2021-40444.
With the pattern update released on September 17th, TMPS3 is able to detect and quarantine malware based on CVE-2021-40444.
Patch from Microsoft
For systems that can be patched, Microsoft has released an update here.
Appendix: Indicators of Compromise (IoCs)