24/7 Emergency – (888)-287-5858 Titan Portal LoginSupportContact UsBlog

Microsoft MSHTML Remote Code Execution (CVE-2021-40444)

by | Sep 10, 2021

The experts at GoSecure Titan Labs are aware of a new 0-day Remote Code Execution (RCE) vulnerability in Microsoft Windows. Our team of investigators has identified a mitigation and remediation strategy that technology professionals can use to address this emerging challenge swiftly.

This vulnerability has been given the CVE identifier of CVE-2021-40444. This vulnerability uses specially crafted Microsoft Word documents to create an ActiveX control that will execute malicious code upon opening the document. ActiveX is a Microsoft Framework designed to allow applications to share data through web browsers. Released in 1996, it has been criticized for almost a decade. However, ActiveX remains a part of Internet Explorer for backwards compatibility.

The experts at GoSecure Titan Labs are aware of a new 0-day Remote Code Execution (RCE) vulnerability in Microsoft Windows. Our team of investigators has identified a mitigation and remediation strategy that technology professionals can use to address this emerging challenge swiftly.

This vulnerability has been given the CVE identifier of CVE-2021-40444. This vulnerability uses specially crafted Microsoft Word documents to create an ActiveX control that will execute malicious code upon opening the document. ActiveX is a Microsoft Framework designed to allow applications to share data through web browsers. Released in 1996, it has been criticized for almost a decade. However, ActiveX remains a part of Internet Explorer for backwards compatibility.

Investigation

To develop this mitigation, GoSecure Titan Labs acquired a weaponized version of the exploit being used by threat actors in the wild. The example exploit Word document is named A Letter before court 4.docx. If this document is opened, it will use Internet Explorer in the background to process code from the external site mhtml:hxxp://hidusi[.]com/e8c76295a5f9acb7/side[.]html, which will exploit ActiveX for further code execution.

At the time of our analysis, this website was no longer live, but GoSecure Titan Labs acquired the payload side.html, which is an obfuscated HTML document that downloads ministry.cab from the same domain. Then, it executes this file which has been identified as Cobalt Strike, a popular C2 framework.

Mitigation

To mitigate this potential vulnerability, we recommend you monitor for process creation events of control.exe from Microsoft Office products. Then, disable ActiveX completely until a patch is provided by Microsoft. Use the PowerShell script below to disable ActiveX.
New-Item "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" -Force
New-Item "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" -Force
New-Item "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2" -Force
New-Item "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" -Force
New-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0' -Name '1001' -Value 3 -PropertyType DWord -Force
New-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0' -Name '1004' -Value 3 -PropertyType DWord -Force
New-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1' -Name '1001' -Value 3 -PropertyType DWord -Force
New-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1' -Name '1004' -Value 3 -PropertyType DWord -Force
New-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2' -Name '1001' -Value 3 -PropertyType DWord -Force
New-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2' -Name '1004' -Value 3 -PropertyType DWord -Force
New-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3' -Name '1001' -Value 3 -PropertyType DWord -Force
New-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3' -Name '1004' -Value 3 -PropertyType DWord -Force

Remediation

To address affected machines, we recommend the technology team reset all passwords and re-image the impacted machines. Re-imaging is an important step to ensure that no trace of the malicious code remains.

Conclusion

GoSecure Titan Labs experienced investigators closely monitor, analyze, and reverse engineer the threats we detect each day as part of our Managed Detection and Response (MDR) solutions for clients. Our team has created signatures to detect the emerging threats discussed in this advisory.

If you are experiencing a breach or want to learn more about what Titan Labs can do, contact us today.

Appendix – Indicators of Compromise

[DOMAIN]
hidusi[.]com
pawevi[.]com

[URL]
hxxp://hidusi[.]com/e8c76295a5f9acb7/side[.]html
hxxp://hidusi[.]com/e273caf2ca371919/mountain[.]html
hxxp://hidusi[.]com/94cc140dcee6068a/help[.]html
hxxp://pawevi[.]com/e32c8df2cf6b7a16/specify[.]html

[HASH]
4c80dc9fb7483214b1613957aae57e2a
e770385f9a743ad4098f510166699305
1d2094ce85d66878ee079185e2761beb
265be11d746a90d8b6a6f9eda1d31fb7
6f194654557e1b52fb0d573a5403e4b1
47794fe00094c04863e49d94ea81dacf
d1837399df37757e5ebd04f45746301a

GoSecure Titan® Managed Extended Detection & Response (MXDR)​

GoSecure Titan® Managed Extended Detection & Response (MXDR)​ Foundation

GoSecure Titan® Vulnerability Management as a Service (VMaaS)

GoSecure Titan® Managed Security Information & Event Monitoring (Managed SIEM)

GoSecure Titan® Managed Perimeter Defense​ (MPD)

GoSecure Titan® Inbox Detection and Response (IDR)

GoSecure Titan® Secure Email Gateway (SEG)

GoSecure Titan® Threat Modeler

GoSecure Titan® Identity

GoSecure Titan® Platform

GoSecure Professional Security Services

Incident Response Services

Security Maturity Assessment

Privacy Services

PCI DSS Services

Penetration Testing Services​

Security Operations

MicrosoftLogo

GoSecure MXDR for Microsoft

Comprehensive visibility and response within your Microsoft security environment

LEARN MORE
GET A QUOTE

USE CASES

Cyber Risks

Risk-Based Security Measures

Sensitive Data Security

Safeguard sensitive information

Private Equity Firms

Make informed decisions

Cybersecurity Compliance

Fulfill regulatory obligations

Cyber Insurance

A valuable risk management strategy

Ransomware

Combat ransomware with innovative security

Zero-Day Attacks

Halt zero-day exploits with advanced protection

Consolidate, Evolve & Thrive

Get ahead and win the race with the GoSecure Titan® Platform

24/7 MXDR FOUNDATION

GoSecure Titan® Endpoint Detection and Response (EDR)

GoSecure Titan® Next Generation Antivirus (NGAV)

GoSecure Titan® Security Information & Event Monitoring (SIEM)

GoSecure Titan® Inbox Detection and Reponse (IDR)

GoSecure Titan® Intelligence

OUR SOC

Proactive Defense, 24/7
LEARN MORE

ABOUT GOSECURE

GoSecure is a recognized cybersecurity leader and innovator, pioneering the integration of endpoint, network, and email threat detection into a single Managed Extended Detection and Response (MXDR) service. For over 20 years, GoSecure has been helping customers better understand their security gaps and improve their organizational risk and security maturity through MXDR and Professional Services solutions delivered by one of the most trusted and skilled teams in the industry.

About Us

Leadership

Board of Directors

Careers

EVENT CALENDAR

Dec 5 CISOMeet Charlotte
View Calendar
GoSec

LATEST PRESS RELEASE

GOSECURE NEWSROOM
REQUEST A MEDIA KIT

GOSECURE BLOG

READ MORE

RESOURCES

Case Studies

Datasheets & Brochures

eBooks

Whitepapers & Reports

Webinars & Podcasts

Videos & Infographics

Technical & User Guides

SEE LIBRARY

SECURITY ADVISORIES

SEE ALL ADVISORIES
 24/7 Emergency – (888)-287-5858