MSHTML vulnerability — Defence and Threat Hunting
The vulnerability CVE-2021-40444 affects the MSHTML engine of Internet Explorer.
Although Internet Explorer has largely fallen out of use for web browsing, many applications still embed it as an internal rendering engine, notably Microsoft Office applications such as Word and PowerPoint.
This vulnerability has enabled malware that exploits it to compromise systems through the delivery of malicious Microsoft Office documents.
We conducted threat hunting activities to identify potential attacks of this type within monitored networks.
Threat Hunting Activities
Our analyst team conducted threat hunting activities to identify potential compromises related to the described vulnerability.
The first search identifies disk writes of PE (executable) files that carry the .inf extension, grouped by file name with the count of distinct systems, total writes and observed paths:
event_platform=win event_simpleName=PeFileWritten | search FileName="*.inf" | stats dc(aid) as uniqueSystems, count(aid) as totalWrites, values(FilePath) as filePaths by FileName | sort +totalWrites
The second search identifies rundll32.exe processes spawned by control.exe whose command line references an .inf file, which marks the start of the early exploitation phase:
event_platform=win event_simpleName=ProcessRollup2 FileName=rundll32.exe ParentBaseFileName=control.exe | search CommandLine="*.inf*" | stats dc(CommandLine) as cmdLineVariations, dc(aid) as uniqueEndpoints, count(aid) as totalExecutions, values(CommandLine) as commandLines by FileName, ParentBaseFileName
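The two hunts above expressed as plain Python over a handful of constructed endpoint telemetry records, so the filtering and aggregation logic can be read and tested offline. This is an added example, not code from the original post or from any EDR vendor; it assumes each record is a dict carrying the same field names the queries use (event_simpleName, aid, FileName, FilePath, ParentBaseFileName, CommandLine), and the sample events are constructed, not real telemetry.

```python
from collections import defaultdict

# Constructed sample telemetry (hypothetical hosts host-A and host-B):
# two PE files written under an .inf name, one benign PE write, one
# control.exe -> rundll32.exe launch referencing an .inf, one benign rundll32 launch.
SAMPLE_EVENTS = [
    {"event_simpleName": "PeFileWritten", "aid": "host-A", "FileName": "championship.inf",
     "FilePath": "C:\\Users\\alice\\AppData\\Local\\Temp\\championship.inf"},
    {"event_simpleName": "PeFileWritten", "aid": "host-B", "FileName": "championship.inf",
     "FilePath": "C:\\Users\\bob\\AppData\\Local\\Temp\\championship.inf"},
    {"event_simpleName": "PeFileWritten", "aid": "host-A", "FileName": "setup.exe",
     "FilePath": "C:\\Installers\\setup.exe"},
    {"event_simpleName": "ProcessRollup2", "aid": "host-A", "FileName": "rundll32.exe",
     "ParentBaseFileName": "control.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL C:\\Users\\alice\\AppData\\Local\\Temp\\championship.inf"},
    {"event_simpleName": "ProcessRollup2", "aid": "host-B", "FileName": "rundll32.exe",
     "ParentBaseFileName": "explorer.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL sysdm.cpl"},
]


def hunt_inf_pe_writes(events):
    """Hunt 1: PE files written to disk under a .inf name.

    Mirrors: stats dc(aid) as uniqueSystems, count(aid) as totalWrites,
    values(FilePath) as filePaths by FileName | sort +totalWrites
    """
    by_name = defaultdict(lambda: {"systems": set(), "totalWrites": 0, "filePaths": set()})
    for ev in events:
        if ev.get("event_simpleName") != "PeFileWritten":
            continue
        name = ev.get("FileName", "")
        if not name.lower().endswith(".inf"):  # FileName="*.inf"
            continue
        row = by_name[name]
        row["systems"].add(ev["aid"])
        row["totalWrites"] += 1
        row["filePaths"].add(ev["FilePath"])
    rows = [{"FileName": n, "uniqueSystems": len(r["systems"]),
             "totalWrites": r["totalWrites"], "filePaths": sorted(r["filePaths"])}
            for n, r in by_name.items()]
    return sorted(rows, key=lambda r: r["totalWrites"])  # ascending, as in the query


def hunt_control_rundll32_inf(events):
    """Hunt 2: rundll32.exe spawned by control.exe with an .inf referenced on the command line.

    Mirrors: stats dc(CommandLine), dc(aid), count(aid), values(CommandLine)
    """
    cmdlines, endpoints, total = set(), set(), 0
    for ev in events:
        if ev.get("event_simpleName") != "ProcessRollup2":
            continue
        if ev.get("FileName", "").lower() != "rundll32.exe":
            continue
        if ev.get("ParentBaseFileName", "").lower() != "control.exe":
            continue
        cmd = ev.get("CommandLine", "")
        if ".inf" not in cmd.lower():  # CommandLine="*.inf*"
            continue
        cmdlines.add(cmd)
        endpoints.add(ev["aid"])
        total += 1
    return {"cmdLineVariations": len(cmdlines), "uniqueEndpoints": len(endpoints),
            "totalExecutions": total, "commandLines": sorted(cmdlines)}


if __name__ == "__main__":
    for row in hunt_inf_pe_writes(SAMPLE_EVENTS):
        print("hunt1:", row)
    print("hunt2:", hunt_control_rundll32_inf(SAMPLE_EVENTS))
```

Both functions return the same columns the stats commands produce, so a result can be compared directly with what the EDR console shows; the .inf matches are case-insensitive because Windows file names are.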
Attack Details
The malicious file can be sent as a Microsoft Office document attached to an email message. Opening the malicious file would initiate the system compromise process.
Microsoft Office uses Protected View and Application Guard for Office to prevent attacks from documents received over the Internet. However, users can click the “Enable Editing” button, thereby disarming Microsoft’s security mechanisms.
The attack begins through the HTML file embedded in the Word document and initiates the download of the “side.html” file.

Subsequently, a .CAB archive is downloaded and extracted, yielding a DLL; the extracted file, named “championship.inf”, is then executed. This step exploits a directory traversal weakness, that is, insufficient security validation of user-supplied files. Detection of such activity patterns through Managed SOC capabilities enables rapid identification of post-exploitation indicators.
The final malware payload is a Cobalt Strike beacon that is launched on the victim’s machine.
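The chain above starts with an HTML reference embedded in the Word document that fetches “side.html”. In the OOXML (.docx) format, a reference to an external resource is recorded in the part relationship files under word/_rels/ as a Relationship with TargetMode="External"; the documents seen for this vulnerability used an oleObject relationship whose target was an mhtml: URL. The following static triage check, an added example that is not code from the original post or from any vendor, lists those external relationships and flags the ones that match that shape. The .docx packages it scans are constructed in memory, and the host name example.invalid is a placeholder.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"


def find_external_rels(docx_bytes):
    """Return (part, relationship type, target) for every External relationship in word/_rels/."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not (name.startswith("word/_rels/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") == "External":
                    rel_type = rel.get("Type", "").rsplit("/", 1)[-1]  # e.g. hyperlink, oleObject
                    findings.append((name, rel_type, rel.get("Target", "")))
    return findings


def triage(docx_bytes):
    """Flag external OLE object relationships and any external target using the mhtml: scheme.

    Ordinary hyperlinks (type "hyperlink", https target) are normal in documents and
    are deliberately not flagged; an OLE object that lives outside the package is not.
    """
    hits = []
    for part, rel_type, target in find_external_rels(docx_bytes):
        if rel_type == "oleObject" or target.lower().startswith("mhtml:"):
            hits.append((part, rel_type, target))
    return hits


def build_sample_docx(rels_xml):
    """Construct a minimal .docx-like zip with the given document relationships (test fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        z.writestr("word/document.xml",
                   "<w:document xmlns:w='http://schemas.openxmlformats.org/wordprocessingml/2006/main'/>")
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"

# Constructed: a normal document with an internal styles part and an ordinary hyperlink.
BENIGN_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{OFFICE_REL}/styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="{OFFICE_REL}/hyperlink" Target="https://example.invalid/" TargetMode="External"/>
</Relationships>"""

# Constructed: an OLE object relationship whose target is an external mhtml: URL.
SUSPICIOUS_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{OFFICE_REL}/styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="{OFFICE_REL}/oleObject" Target="mhtml:http://example.invalid/side.html" TargetMode="External"/>
</Relationships>"""


if __name__ == "__main__":
    for label, rels in (("benign", BENIGN_RELS), ("suspicious", SUSPICIOUS_RELS)):
        print(label, "->", triage(build_sample_docx(rels)))
```

Run it over a mailbox quarantine or sandbox drop folder by reading each .docx into bytes and calling triage(); an empty result means no external OLE relationship was found, not that the document is clean, since the same check says nothing about macros or other delivery mechanisms.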
