Introduction
Microsoft has released patch, mitigations and workarounds to address a remote code execution vulnerability (CVE-2021-40444) in MSHTML that affects Microsoft Windows. Exploitation of this vulnerability allows a remote attacker to take control of an affected system by using specially-crafted Microsoft Office documents. This vulnerability has been detected in exploits in the wild.
CVE-2021-40444
An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document, which is typically delivered via phishing email. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
A Docx file comprises of a collection of XML files that are contained inside a ZIP archive. The contents of the Word document can be viewed by unzipping its contents. The extracted contents of the exploit office document is shown below. It contains XML metadata files that contains information about other files available in the archive and as well the actual contents of the document.
The xml file (_rels/document.xml.rels) contains relationship information that tells MS Word where to look for resources, such as images, embedded in the document content. Each relationship is identified by a unique relationship id and specifies the referenced file as target.
In the observed exploit document "A Letter before Court 4", actors crafted the xml document to have an oleObject with the target set as a mshtml file (side.html) hosted in the attacker controller server. MSHTML was primarily used by Internet Explorer, but it is also used by Microsoft Office. This component enables developers to add web browsing functionality to their own applications.
The exploit file side.html contains an obfuscated JavaScript that downloads the CAB file from the attacker-controlled server. The CAB (cabinet) file format was created by Microsoft as a self-installing archive, specifically for ActiveX controls. The deobfuscated side.html file is shown below. It downloads the CAB file using XMLHttpRequest, extracts the payload championship.inf from it, and then executes it. The payload championship.inf is a dll with the extension .inf to avoid detection. During ActiveX installation, the .cab is expanded and the contents are copied to the random folder on the victim machine. Because the attacker is unaware of this path, a path traversal technique is being used to navigate to multiple folders in an attempt to execute the payload.
".cpl:../../../championship.inf" is the activex command used to run the malicious payload. When the commandline parameter .cpl is specified, control is passed to the Windows Control Panel process binary (control.exe), which handles the execution of control panel items. Control.exe then calls rundll32.exe, which calls the API function Control_RunDLL in shell32.exe to execute the payload. Control.exe is being used by the adversary to proxy payload execution (championship.inf). Even if the payload is not a .cpl file, control.exe executes the dll (payload) via its DllEntryPoint. This technique allows any dll to run in the context of the Control Panel.
The payload (championship.inf) that is dropped and executed via the MSHTML vulnerability successfully compromises the victim machine.
Solution
Detecting and Mitigating the MSHTML exploit with FortiEDR
We can observe the pre and post-execution behavior by switching the FortiEDR mode from prevention to simulation. When EDR is set to simulation mode, it allows the payload to fully execute.
Pre-Execution
FortiEDR detects the loading of the malicious file “championship.inf” and prevents it from being executed, as evidenced by the following event.
The Execution Prevention policy in EDR triggers the above event and blocks the execution of the payload.
Post-Execution
The following event is triggered by FortiEDR's real-time detection when the malicious payload (championship.inf) invokes PowerShell.
The automated analysis of FortiEDR lists the process and the command line that are involved in the triggered event.
FortiEDR’s v5 threat hunting telemetry captures the defense evasion behavior as the adversary abuses control.exe to perform proxy execution of the malicious payload (T1218.002).
The payload deletes itself with the PowerShell command "-c "Sleep 5; Remove-Item -Path "C:\Users\WIn-10-x64\AppData\Local\Temp\championship.inf" -Force". This behavior is detected and tagged by the FortiEDR threat hunting telemetry.
MITRE ATT&CK:
The following is the MITRE techniques observed and the mitigation strategies recommended:
TA0002: Execution
|
Technique ID
|
Technique Description
|
Observed Activity
|
|
T1059.001
|
Command and scripting interpreter: PowerShell
|
The malicious payload executes PowerShell script to delete itself after installation.
|
|
Mitigation
|
If PowerShell is not used in an environment, then simply looking for PowerShell execution may detect malicious activity.
|
|
TA0005: Defense Evasion
Technique ID
Technique Description
Observed Activity
T1218.002
Signed Binary Proxy Execution: Control Panel
The adversary abused control.exe to proxy execution of the malicious payload.
Mitigation
Monitor and analyze activity related to items associated with .cpl (control panel) files. Restrict execution of Control Panel items to protected directories, such as C:\Windows, rather than user directories.
Technique ID
Technique Description
Observed Activity
T1036
Masquerading
Masquerading occurs when adversary hides program's true filetype by changing the extension of a file for the sake of evading defenses. In this case, the dll payload is named as inf (setup information file) to avoid detection.
Mitigation
Processes executed from binaries containing non-standard extensions in the filename are suspicious.
Threat Hunting
The following queries can be used in FortiEDR v5 Threat Hunting to identify potential anomalous events associated with this intrusion.
To detect the control panel process running potentially malicious and unknown .cpl files:
(Source.Process.Name:(control.exe) and Source.Process.CommandLine: ("*.cpl:*")) or
(Source.Process.Name:(control.exe) and Source.Process.CommandLine: (*.inf*)) or
(Source.process.name:(rundll32.exe) and Source.Process.CommandLine: (*Control_RunDLL*) and Source.Process.CommandLine: (*.inf*))
To detect suspicious child process control.exe launched by windows word process:
Source.Process.Name:(winword.exe) and Target.Process.Name:(control.exe)
To detect PowerShell process launched by the malicious payload:
Source.Process.Name:rundll32.exe and Target.Process.Name:powershell.exe
To detect malicious and suspicious cab file creation by windows word process:
Source.Process.Name:winword.exe and Target.File.Path:("*.cab*")
To detect malicious and suspicious html file read operation by windows word process:
Type: ("File Read") and Source.Process.Name:winword.exe and Target.File.Path:("*.htm*")
IOC
938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52 (docx)
938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52 (cab)
d0fd7acc38b3105facd6995344242f28e45f5384c0fdf2ec93ea24bfbc1dc9e6 (html)
Mitigations
Refer Microsoft’s advisory to implement the mitigations and workarounds.
Apply Microsoft’s latest security updates (2021-sep) to patch the vulnerability.
References
The FortiGuard Managed Detection and Response (MDR) Service is designed for customers of the FortiEDR advanced endpoint security platform. This team of threat experts continues to monitor and update this article as new information is discovered.
