Simulating Microsoft MSHTML CVE-2021-40444 Zero-Day Exploit

The Red Report 2024

The Top 10 MITRE ATT&CK Techniques Used by Adversaries

DOWNLOAD

Picus Labs has updated the Picus Threat Library with attacks that exploit a critical 0-day remote code execution (RCE) vulnerability in MSHTML affecting Microsoft Windows operating systems. 

What is the CVE-2021-40444 Vulnerability?

Microsoft has reported a security update guide for the CVE-2021-40444 vulnerability on September 7, 2021. This zero-day vulnerability is in the MSHTML component of Microsoft Windows. MSHTML is a Windows component that allows web pages to be rendered. 

How do Attackers Exploit the CVE-2021-40444 Vulnerability?

An attacker can create a malicious ActiveX control to be used by the MSHTML browser rendering engine in a Microsoft Office document. After preparing the malicious ActiveX control embedded in an MS Office document, the attacker has to deliver the malicious document to the user. Attackers mostly use the Phishing (MITRE ATT&CK T1566) technique to deliver malicious documents as attachments or links to the document. After that, the user has to open the malicious document to trigger the exploit. 

For example, when the user opens the malicious document (SHA-256: 938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52), it downloads an .HTML file (SHA-256: d0fd7acc38b3105facd6995344242f28e45f5384c0fdf2ec93ea24bfbc1dc9e6):

The downloaded .HTML file contains a malicious and obfuscated JavaScript payload that creates ActiveX control windows. Then, these ActiveX controls download a .CAB file (SHA-256: 1fb13a158aff3d258b8f62fe211fabeed03f0763b2acadbccad9e8e39969ea00). CAB is an archive file format used in Windows. Then, the malicious payload extracts a .DLL file (SHA-256: 6eedf45cb91f6762de4e35e36bcb03e5ad60ce9ac5a08caeb7eda035cd74762b) from the .CAB file and opens the extracted file. Actually, this file is a Cobalt Strike beacon.

What is the Impact of CVE-2021-40444 Vulnerability?

CVE-2021-40444 allows unauthenticated attackers to execute arbitrary code on Microsoft Windows. The CVE-2021-40444 vulnerability can be exploited remotely and doesn’t require an admin or privileged account. Accordingly, the CVSSv3 base score for CVE-2021-40444 is 8.8 Critical.  

What is the Current Situation?

As also stated by Microsoft, attackers are exploiting this 0-day vulnerability by using Microsoft Office documents in their targeted attack campaigns. Picus Labs researchers have discovered numerous malicious Microsoft Office documents that include exploit payloads for CVE-2021-40444.

How to Protect Your Organization From CVE-2021-40444 exploits?

Microsoft has not developed a patch yet. 

Microsoft states that Microsoft Office opens documents in Protected View or Application Guard for Office, and both of these security mechanisms prevent the exploitation of the CVE-2021-40444 vulnerability. However, attackers convince users to click the “Enable Editing” button to disable these mechanisms.

Microsoft advises disabling the installation of ActiveX controls in Internet Explorer by updating the relevant registry keys is advised by Microsoft in the security update guide of CVE-2021-40444.

We advise you to simulate  CVE-2021-40444 exploitation attacks and determine whether your security controls can prevent them or not.

How Picus Helps Simulate CVE-2021-40444 Microsoft Office Exploits?

We also strongly suggest simulating  CVE-2021-40444 exploitation attacks to test the effectiveness of your security controls against these attacks using the Picus Continuous Security Control Validation Platform. Picus Threat Library includes the following threats for CVE-2021-40444 vulnerability: 

Picus ID

Threat Name

554589

Microsoft CVE-2021-40444 MSHTML RCE Vulnerability .DOCX File Download Variant-1

258586

Microsoft CVE-2021-40444 MSHTML RCE Vulnerability .DOCX File Download Variant-2

331342

Microsoft CVE-2021-40444 MSHTML RCE Vulnerability .DOCX File Download Variant-3

847861

Microsoft CVE-2021-40444 MSHTML RCE Vulnerability .DOCX File Download Variant-4

669983

Microsoft CVE-2021-40444 MSHTML RCE Vulnerability .DOCX File Download Variant-5

234950

Microsoft CVE-2021-40444 MSHTML RCE Vulnerability .XML File Download Variant-1

Picus Threat Library also contains 1500+ vulnerability exploitation and endpoint attacks in addition to 10.500+ other threats as of today.

Indicators of Compromise (IOCs)

.DOCX file #1 (A Letter before court 4.docx):

MD5 1d2094ce85d66878ee079185e2761beb

SHA-1 53b31e513d8e23e30b7f133d4504ca7429f0e1fe

SHA-256 938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52

 

.DOCX file #2 (PRD.docx):

MD5 d1837399df37757e5ebd04f45746301a

SHA-1 f43ebedb86db817b208aebdf88e08163f239b832

SHA-256 199b9e9a7533431731fbb08ff19d437de1de6533f3ebbffc1e13eeffaa4fd455

 

.DOCX file #3 (Project details (1).docx):

MD5 265be11d746a90d8b6a6f9eda1d31fb7

SHA-1 1a528a5964cd18d8ce7a47e69e30ef1163407233

SHA-256 5b85dbe49b8bc1e65e01414a0508329dc41dc13c92c08a4f14c71e3044b06185

 

.DOCX file #4 (App description.docx):

MD5 6f194654557e1b52fb0d573a5403e4b1

SHA-1 d05fc61894cb7652dce69edd6e4cf7e4e639754a

SHA-256 3bddb2e1a85a9e06b9f9021ad301fdcde33e197225ae1676b8c6d0b416193ecf



.DOCX file #5 (court.docx):

MD5 55998cb43459159a5ed4511f00ff3fc8

SHA-1 9bec2182cc5b41fe8783bb7ab6e577bac5c19f04

SHA-256 d0e1f97dbe2d0af9342e64d460527b088d85f96d38b1d1d4aa610c0987dca745

 

.HTML file (side.html):

MD5 4c80dc9fb7483214b1613957aae57e2a

SHA-1 e5f2089d95fd713ca3d4787fe53c0ec036135e92

SHA-256 d0fd7acc38b3105facd6995344242f28e45f5384c0fdf2ec93ea24bfbc1dc9e6

 

.CAB file (ministry.cab):

MD5 e770385f9a743ad4098f510166699305

SHA-1 56a8d4f7009caf32c9e28f3df945a7826315254c

SHA-256 1fb13a158aff3d258b8f62fe211fabeed03f0763b2acadbccad9e8e39969ea00

 

.DLL file (payload.dll):

MD5 0b7da6388091ff9d696a18c95d41b587

SHA-1 6c10d7d88606ac1afd30b4e61bf232329a276cdc

SHA-256 6eedf45cb91f6762de4e35e36bcb03e5ad60ce9ac5a08caeb7eda035cd74762b

 

.XML file (document.xml.rels):

MD5 5890b8eed650223f37bb358c095306f3

SHA-1 7eab2182e3f851ab4cd026ba5f26a59040c0c8bc

SHA-256 049ed15ef970bd12ce662cffa59f7d0e0b360d47fac556ac3d36f2788a2bc5a4