Brief phishing attack may have been dry run for exploiting Microsoft Office bug: Sophos

Infosec pros with unpatched Windows systems have been warned to watch for signs that threat actors are trying a new way to exploit a Microsoft Office vulnerability to install the Formbook malware.

The alert comes after Sophos discovered someone had taken a publicly available proof-of-concept Office exploit and weaponized it to deliver Formbook. The creator then distributed it through spam emails for approximately 36 hours before it disappeared.

Microsoft released a patch in September to prevent attackers from executing malicious code embedded in a Word document that downloads a Microsoft Cabinet (CAB) archive, which, in turn, contains a malicious executable. The vulnerability is named CVE-2021-40444. Sophos researchers discovered that attackers reworked the original exploit by placing the malicious Word document inside a specially crafted RAR archive.

The goal of the “CAB-less” exploit was to evade the patch. However, researchers say the patch will also snuff out the CAB-less attack.

The brief lifespan of the attack could mean it was a “dry run” experiment that might return in future incidents, said Sophos.

“In theory, this attack approach shouldn’t have worked, but it did,” Andrew Brandt, principal threat researcher at Sophos, said in a statement. “The pre-patch versions of the attack involved malicious code packaged into a Microsoft Cabinet [CAB] file. When Microsoft’s patch closed that loophole, attackers discovered a proof-of-concept that showed how you could bundle the malware into a different compressed file format, a RAR archive. RAR archives have been used before to distribute malicious code, but the process used here was unusually complicated. It likely succeeded only because the patch’s remit was very narrowly defined and because the WinRAR program that users need to open the RAR is very fault-tolerant and doesn’t appear to mind if the archive is malformed, for example, because it’s been tampered with.”

Criminals began exploiting the Microsoft MSHTML Remote Code Execution Vulnerability [CVE-2021-40444] at least a week before September’s Patch Tuesday, says the report. But the early mitigations (which involved disabling the installation of ActiveX controls), and the patch (released a week later), were mostly successful at stopping the exploits that criminals had been attempting to leverage to install malware. However, attackers found a way around the patch.

The new exploit’s malicious messages had a subject line like “New request for order,” and were made to appear to come from a so-called Sourcing Specialist for contract negotiations from a company. The attachment, named Profile.RAR, was supposedly a profile of the company.

Graphic of how a new Microsoft Office attack discovered by Sophos would work
Sophos graphic of CAB-less attack

One defence against this kind of attack is having an anti-malware solution that detects the Formbook malware. Another is training employees to be suspicious of emailed documents, especially when they arrive in unusual or unfamiliar compressed file formats from people or companies they don’t know.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now