A short-lived phishing campaign has been observed using a novel exploit that bypasses Microsoft's patch for a remote code execution vulnerability in the MSHTML component, with the goal of delivering Formbook malware.

“The attachments represent an escalation of the attacker’s abuse of the CVE-2021-40444 bug and demonstrate that even a patch can’t always mitigate the actions of a motivated and sufficiently skilled attacker,” SophosLabs researchers Andrew Brandt and Stephen Ormandy said in a new report published Tuesday.

CVE-2021-40444 (CVSS score: 8.8) relates to a remote code execution flaw in MSHTML that could be exploited using specially crafted Microsoft Office documents. Although Microsoft addressed the security weakness as part of its September 2021 Patch Tuesday updates, it has been put to use in multiple attacks ever since details pertaining to the flaw became public.

That same month, the technology giant uncovered a targeted phishing campaign that leveraged the vulnerability to deploy Cobalt Strike Beacons on compromised Windows systems. Then in November, SafeBreach Labs reported details of an Iranian threat actor operation that targeted Farsi-speaking victims with a new PowerShell-based information stealer designed to gather sensitive information.

The new campaign discovered by Sophos aims to get around the patch’s protection by morphing a publicly available proof-of-concept Office exploit and weaponizing it to distribute Formbook malware. The cybersecurity firm said the success of the attack can, in part, be attributed to a “too-narrowly focused patch.”