Microsoft MSHTML Remote Code Execution (CVE-2021-40444)

The experts at GoSecure Titan Labs are aware of a new 0-day Remote Code Execution (RCE) vulnerability in Microsoft Windows. Our team of investigators has identified a mitigation and remediation strategy that technology professionals can use to address this emerging challenge swiftly.

This vulnerability has been given the CVE identifier of CVE-2021-40444. This vulnerability uses specially crafted Microsoft Word documents to create an ActiveX control that will execute malicious code upon opening the document. ActiveX is a Microsoft Framework designed to allow applications to share data through web browsers. Released in 1996, it has been criticized for almost a decade. However, ActiveX remains a part of Internet Explorer for backwards compatibility.

This vulnerability has been given the CVE identifier of CVE-2021-40444. This vulnerability uses specially crafted Microsoft Word documents to create an ActiveX control that will execute malicious code upon opening the document. ActiveX is a Microsoft Framework designed to allow applications to share data through web browsers. Released in 1996, it has been criticized for almost a decade. However, ActiveX remains a part of Internet Explorer for backwards compatibility.

Investigation

At the time of our analysis, this website was no longer live, but GoSecure Titan Labs acquired the payload side.html, which is an obfuscated HTML document that downloads ministry.cab from the same domain. Then, it executes this file which has been identified as Cobalt Strike, a popular C2 framework.

Mitigation

New-Item "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" -Force
New-Item "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" -Force
New-Item "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2" -Force
New-Item "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" -Force
New-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0' -Name '1001' -Value 3 -PropertyType DWord -Force
New-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0' -Name '1004' -Value 3 -PropertyType DWord -Force
New-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1' -Name '1001' -Value 3 -PropertyType DWord -Force
New-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1' -Name '1004' -Value 3 -PropertyType DWord -Force
New-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2' -Name '1001' -Value 3 -PropertyType DWord -Force
New-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2' -Name '1004' -Value 3 -PropertyType DWord -Force
New-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3' -Name '1001' -Value 3 -PropertyType DWord -Force
New-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3' -Name '1004' -Value 3 -PropertyType DWord -Force

Remediation

Conclusion

GoSecure Titan Labs experienced investigators closely monitor, analyze, and reverse engineer the threats we detect each day as part of our Managed Detection and Response (MDR) solutions for clients. Our team has created signatures to detect the emerging threats discussed in this advisory.

If you are experiencing a breach or want to learn more about what Titan Labs can do, contact us today.

Appendix – Indicators of Compromise

[DOMAIN]
hidusi[.]com
pawevi[.]com

[URL]
hxxp://hidusi[.]com/e8c76295a5f9acb7/side[.]html
hxxp://hidusi[.]com/e273caf2ca371919/mountain[.]html
hxxp://hidusi[.]com/94cc140dcee6068a/help[.]html
hxxp://pawevi[.]com/e32c8df2cf6b7a16/specify[.]html

[HASH]
4c80dc9fb7483214b1613957aae57e2a
e770385f9a743ad4098f510166699305
1d2094ce85d66878ee079185e2761beb
265be11d746a90d8b6a6f9eda1d31fb7
6f194654557e1b52fb0d573a5403e4b1
47794fe00094c04863e49d94ea81dacf
d1837399df37757e5ebd04f45746301a