Infosec pros with unpatched Windows systems have been warned to watch for signs that threat actors are trying a new way to exploit a Microsoft Office vulnerability to install the Formbook malware.
The alert comes after Sophos discovered someone had taken a publicly available proof-of-concept Office exploit and weaponized it to deliver Formbook. The creator then distributed it through spam emails for approximately 36 hours before it disappeared.
Microsoft released a patch in September to prevent attackers from executing malicious code embedded in a Word document that downloads a Microsoft Cabinet (CAB) archive, which, in turn, contains a malicious executable. The vulnerability is named CVE-2021-40444. Sophos researchers discovered that attackers reworked the original exploit by placing the malicious Word document inside a specially crafted RAR archive.
The goal of the “CAB-less” exploit was to evade the patch. However, researchers say the patch will also snuff out the CAB-less attack.
The brief lifespan of the attack could mean it was a “dry run” experiment that might return in future incidents, said Sophos.
“In theory, this attack approach shouldn’t have worked, but it did,” Andrew Brandt, principal threat researcher at Sophos, said in a statement. “The pre-patch versions of the attack involved malicious code packaged into a Microsoft Cabinet [CAB] file. When Microsoft’s patch closed that loophole, attackers discovered a proof-of-concept that showed how you could bundle the malware into a different compressed file format, a RAR archive. RAR archives have been used before to distribute malicious code, but the process used here was unusually complicated. It likely succeeded only because the patch’s remit was very narrowly defined and because the WinRAR program that users need to open the RAR is very fault-tolerant and doesn’t appear to mind if the archive is malformed, for example, because it’s been tampered with.”
Criminals began exploiting the Microsoft MSHTML Remote Code Execution Vulnerability [CVE-2021-40444] at least a week before September’s Patch Tuesday, says the report. But the early mitigations (which involved disabling the installation of ActiveX controls), and the patch (released a week later), were mostly successful at stopping the exploits that criminals had been attempting to leverage to install malware. However, attackers found a way around the patch.
The new exploit’s malicious messages had a subject line like “New request for order,” and were made to appear to come from a so-called Sourcing Specialist for contract negotiations from a company. The attachment, named Profile.RAR, was supposedly a profile of the company.
One defence against this kind of attack is having an anti-malware solution that detects the Formbook malware. Another is training employees to be suspicious of emailed documents, especially when they arrive in unusual or unfamiliar compressed file formats from people or companies they don’t know.