MSHTML CVE-2021-40444 vulnerability
The vulnerability CVE-2021-40444 affects the MSHTML engine in Internet Explorer.
Initial campaigns exploiting this vulnerability were identified in August 2021. The attack begins with the delivery of malicious emails containing documents crafted specifically to exploit the MSHTML vulnerability. The document uses an external oleObject relationship to embed JavaScript code contained in a referenced HTML file. This code triggers the download of a CAB file containing a DLL saved with a .INF extension, followed by CAB decompression and DLL execution. The DLL retrieves remote shellcode—in this case a Cobalt Strike Beacon—and injects it into the wabmig.exe process.
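The first stage of the chain described above hinges on an Office document whose relationship part points an oleObject at an external target. The following is an added example, not code from the article or from MSTIC, of a defender-side triage check that opens a .docx (an OPC zip), walks every `.rels` part, and reports oleObject relationships that are marked `TargetMode="External"` or whose Target uses a remote scheme. The relationship-type URI is the standard OOXML oleObject type; the list of remote schemes is an assumption chosen for this check, and the sample document is constructed inline so the script runs offline.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Standard OOXML relationship type for embedded OLE objects.
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
# Namespace of the OPC relationships part (word/_rels/document.xml.rels etc.).
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Assumption: schemes that indicate a remotely resolved target.
REMOTE_SCHEMES = ("http:", "https:", "mhtml:")


def find_external_ole_targets(docx_bytes):
    """Return a list of (rels_part_name, target) for oleObject relationships
    that resolve outside the package. An empty list means nothing was flagged."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as archive:
        for name in archive.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(archive.read(name))
            except ET.ParseError:
                # Malformed rels parts are themselves worth a closer look,
                # but this check only reports oleObject relationships.
                continue
            for rel in root.iter("{%s}Relationship" % PKG_NS):
                if rel.get("Type") != OLE_REL_TYPE:
                    continue
                target = rel.get("Target", "")
                mode = rel.get("TargetMode", "Internal")
                if mode == "External" or target.lower().startswith(REMOTE_SCHEMES):
                    hits.append((name, target))
    return hits


def build_sample_docx(rels_xml):
    """Construct a minimal docx-like zip carrying the given rels part.
    Only the parts this check inspects are included."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/document.xml", "<document/>")
        archive.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed sample: an oleObject relationship resolved from an external URL.
SUSPICIOUS_RELS = (
    '<Relationships xmlns="%s">'
    '<Relationship Id="rId5" Type="%s" '
    'Target="http://example.invalid/side.html" TargetMode="External"/>'
    '</Relationships>' % (PKG_NS, OLE_REL_TYPE)
)

# Constructed sample: an oleObject embedded inside the package (normal case).
BENIGN_RELS = (
    '<Relationships xmlns="%s">'
    '<Relationship Id="rId5" Type="%s" Target="embeddings/oleObject1.bin"/>'
    '</Relationships>' % (PKG_NS, OLE_REL_TYPE)
)

if __name__ == "__main__":
    for label, rels in (("suspicious", SUSPICIOUS_RELS), ("benign", BENIGN_RELS)):
        print(label, find_external_ole_targets(build_sample_docx(rels)))
```

A document with no external oleObject relationship yields an empty list; any hit is a reason to detonate the file in a sandbox and to pull the referenced target for analysis rather than opening the document on a workstation.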

The Microsoft Threat Intelligence Center (MSTIC) tracks a broad cluster of criminal activity involving Cobalt Strike infrastructure under the designation DEV-0365.
However, due to significant operational differences from DEV-0365, MSTIC attributed the initial CVE-2021-40444 email campaign to a separate cluster designated DEV-0413. This email campaign demonstrated substantially higher targeting precision compared to other malware campaigns attributed to DEV-0365 infrastructure. The initial campaign targeted specific application development organizations, delivering recruitment-themed emails soliciting mobile application developers.
A second email campaign was observed in early September, characterized by significantly lower targeting specificity and employing legal threat subject lines referencing “small claims court.” On 8 September, a proof-of-concept sample exploiting this vulnerability was publicly disclosed. Following this disclosure, we observed multiple threat actors, including ransomware-as-a-service affiliates, incorporating the publicly available proof-of-concept code into their toolkits. Cybersecurity advisories from this period document how rapidly the proof-of-concept was weaponized across multiple threat clusters.
