Experts uncovered a phishing campaign using an exploit that bypasses a recent patch developed against an RCE flaw. The exploit allows the attackers to deliver Formbook malware.
What has happened?
According to researchers, skilled attackers are bypassing the patch for CVE-2021-40444, a flaw in the MSHTML component.
The most recent campaign spotted by Sophos Labs bypasses the protection of the patch through a new Office exploit.
Attackers are weaponizing it to deliver the Formbook malware.
Researchers believe that this new attack is possible because the patch was too narrowly focused and did not address the underlying issue entirely.
Modus Operandi
In the recent attack, attackers send the maldoc in a specially crafted RAR archive.
The modified exploit (CAB-less 40444) existed for 36 hours between October 24 and 25, during which spam emails laden with malformed RAR archive files were sent to the victims.
The RAR file contains a Windows Script Host (WSH) script along with a Word document.
When the document is opened, it communicates with a remote server hosting malicious JavaScript code.
That JavaScript uses the Word document to launch the WSH script from the RAR file, which in turn runs a PowerShell command that fetches the Formbook payload from an attacker-controlled website.
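The chain described above (Word document launching a WSH script, which launches PowerShell) leaves a distinctive parent-child process sequence. The following detector, added here as an illustration and not part of the original article, walks constructed Sysmon-style process creation events and flags any PowerShell process whose ancestry passes through a WSH host and then an Office application; the event tuples and file paths are constructed samples.

```python
# Constructed sample process-creation events (Sysmon Event ID 1 style, simplified):
# (pid, parent pid, image path, command line). These are made-up values, not real telemetry.
EVENTS = [
    (100, 1,   r"C:\Windows\explorer.exe", "explorer.exe"),
    (200, 100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
               r'WINWORD.EXE /n "C:\Users\u\AppData\Local\Temp\extracted\invoice.docx"'),
    (300, 200, r"C:\Windows\System32\wscript.exe",
               r'wscript.exe "C:\Users\u\AppData\Local\Temp\extracted\document.wsf"'),
    (400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               r"powershell.exe -NoProfile -WindowStyle Hidden -File C:\Users\u\AppData\Local\Temp\stage.ps1"),
    (500, 100, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    (600, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    (700, 600, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe Get-Process"),
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
WSH = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def image_name(path):
    """Return the lower-cased file name of an image path (handles backslash paths)."""
    return path.rsplit("\\", 1)[-1].lower()


def build_tree(events):
    """Index events by pid so ancestry can be walked without rescanning the log."""
    return {pid: (ppid, image_name(img), cmd) for pid, ppid, img, cmd in events}


def ancestry(by_pid, pid):
    """Yield image names from the process itself up to the root; guard against pid cycles."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        ppid, name, _ = by_pid[pid]
        yield name
        pid = ppid


def find_office_wsh_powershell(events):
    """Flag PowerShell processes whose ancestors include a WSH host below an Office app.
    Returns a list of (pid, 'root -> ... -> powershell.exe', command line)."""
    by_pid = build_tree(events)
    hits = []
    for pid, (_, name, cmd) in by_pid.items():
        if name not in POWERSHELL:
            continue
        chain = list(ancestry(by_pid, pid))          # child first, root last
        wsh_idx = next((i for i, n in enumerate(chain) if n in WSH), None)
        # Ordering matters: the Office app must be an ancestor of the WSH host, not a sibling.
        if wsh_idx is not None and any(n in OFFICE for n in chain[wsh_idx + 1:]):
            hits.append((pid, " -> ".join(reversed(chain)), cmd))
    return hits


if __name__ == "__main__":
    for pid, chain, cmd in find_office_wsh_powershell(EVENTS):
        print(f"suspicious chain pid={pid}: {chain} :: {cmd}")
```

The plain PowerShell launched from cmd.exe (pid 700) is deliberately left unflagged, so the rule keys on the Office-to-WSH-to-PowerShell ordering rather than on PowerShell alone.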
Recent attacks
Although Microsoft had fixed the security issue as part of its September 2021 Patch Tuesday updates, the flaw has still been exploited in numerous attacks ever since details regarding the flaw became public.
In the same month, Microsoft discovered a targeted phishing campaign abusing the vulnerability to deploy Cobalt Strike Beacons on targeted Windows systems using Office documents.
In November, SafeBreach Labs provided details on an Iranian threat actor operation aimed at Farsi-speaking victims, which used a new PowerShell-based information stealer.
Conclusion
While security patches do help plug known security loopholes, this is one of those exceptional cases where the patch did not fully close the hole. Organizations are recommended to regularly educate their employees and teach them to identify phishing emails. People should be suspicious of email documents that arrive inside an archive or in unfamiliar formats.