Microsoft MSHTML Remote Code Execution (CVE-2021-40444)

by | Sep 10, 2021

The experts at GoSecure Titan Labs are aware of a new 0-day Remote Code Execution (RCE) vulnerability in Microsoft Windows. Our team of investigators has identified a mitigation and remediation strategy that technology professionals can use to address this emerging challenge swiftly.

This vulnerability has been given the CVE identifier of CVE-2021-40444. This vulnerability uses specially crafted Microsoft Word documents to create an ActiveX control that will execute malicious code upon opening the document. ActiveX is a Microsoft Framework designed to allow applications to share data through web browsers. Released in 1996, it has been criticized for almost a decade. However, ActiveX remains a part of Internet Explorer for backwards compatibility.

The experts at GoSecure Titan Labs are aware of a new 0-day Remote Code Execution (RCE) vulnerability in Microsoft Windows. Our team of investigators has identified a mitigation and remediation strategy that technology professionals can use to address this emerging challenge swiftly.

This vulnerability has been given the CVE identifier of CVE-2021-40444. This vulnerability uses specially crafted Microsoft Word documents to create an ActiveX control that will execute malicious code upon opening the document. ActiveX is a Microsoft Framework designed to allow applications to share data through web browsers. Released in 1996, it has been criticized for almost a decade. However, ActiveX remains a part of Internet Explorer for backwards compatibility.

Investigation

To develop this mitigation, GoSecure Titan Labs acquired a weaponized version of the exploit being used by threat actors in the wild. The example exploit Word document is named A Letter before court 4.docx. If this document is opened, it will use Internet Explorer in the background to process code from the external site mhtml:hxxp://hidusi[.]com/e8c76295a5f9acb7/side[.]html, which will exploit ActiveX for further code execution.

At the time of our analysis, this website was no longer live, but GoSecure Titan Labs acquired the payload side.html, which is an obfuscated HTML document that downloads ministry.cab from the same domain. Then, it executes this file which has been identified as Cobalt Strike, a popular C2 framework.

Mitigation

To mitigate this potential vulnerability, we recommend you monitor for process creation events of control.exe from Microsoft Office products. Then, disable ActiveX completely until a patch is provided by Microsoft. Use the PowerShell script below to disable ActiveX.
New-Item "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0" -Force
New-Item "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1" -Force
New-Item "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2" -Force
New-Item "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" -Force
New-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0' -Name '1001' -Value 3 -PropertyType DWord -Force
New-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0' -Name '1004' -Value 3 -PropertyType DWord -Force
New-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1' -Name '1001' -Value 3 -PropertyType DWord -Force
New-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1' -Name '1004' -Value 3 -PropertyType DWord -Force
New-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2' -Name '1001' -Value 3 -PropertyType DWord -Force
New-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2' -Name '1004' -Value 3 -PropertyType DWord -Force
New-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3' -Name '1001' -Value 3 -PropertyType DWord -Force
New-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3' -Name '1004' -Value 3 -PropertyType DWord -Force

Remediation

To address affected machines, we recommend the technology team reset all passwords and re-image the impacted machines. Re-imaging is an important step to ensure that no trace of the malicious code remains.

Conclusion

GoSecure Titan Labs experienced investigators closely monitor, analyze, and reverse engineer the threats we detect each day as part of our Managed Detection and Response (MDR) solutions for clients. Our team has created signatures to detect the emerging threats discussed in this advisory.

If you are experiencing a breach or want to learn more about what Titan Labs can do, contact us today.

Appendix – Indicators of Compromise

[DOMAIN]
hidusi[.]com
pawevi[.]com

[URL]
hxxp://hidusi[.]com/e8c76295a5f9acb7/side[.]html
hxxp://hidusi[.]com/e273caf2ca371919/mountain[.]html
hxxp://hidusi[.]com/94cc140dcee6068a/help[.]html
hxxp://pawevi[.]com/e32c8df2cf6b7a16/specify[.]html

[HASH]
4c80dc9fb7483214b1613957aae57e2a
e770385f9a743ad4098f510166699305
1d2094ce85d66878ee079185e2761beb
265be11d746a90d8b6a6f9eda1d31fb7
6f194654557e1b52fb0d573a5403e4b1
47794fe00094c04863e49d94ea81dacf
d1837399df37757e5ebd04f45746301a
Titan Managed Detection & Response
Next-Generation Antivirus
Endpoint Detection & Response
Network Detection & Response
Inbox Detection & Response
Insider Threat Detection & Response
Managed Firewall
Managed SIEM
Vulnerability Management as a Service
GoSecure Titan
Titan Software
Secure Email Gateway
Web Security
ResponderPRO Forensics Toolkit
Advisory Services
Breach Readiness Services
Custom Cybersecurity Consulting Services
Cybersecurity Assessment
Incident Response Services
Red & Purple Team Services
Penetration Testing Services
Privacy & Compliance Services
Security Compromise Assessment
3rd Party Technology

Pin It on Pinterest

Share This