{"id":3221,"date":"2021-09-20T13:47:40","date_gmt":"2021-09-20T13:47:40","guid":{"rendered":"https:\/\/fortgale.com\/news\/?p=3221"},"modified":"2026-06-08T22:54:35","modified_gmt":"2026-06-08T22:54:35","slug":"mshtml-cve-2021-40444-vulnerability","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/emerging-threats\/mshtml-cve-2021-40444-vulnerability\/","title":{"rendered":"MSHTML CVE-2021-40444 vulnerability"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">The vulnerability <strong>CVE-2021-40444<\/strong>&nbsp;affects the <strong>MSHTML<\/strong>&nbsp;engine in Internet Explorer.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Initial campaigns exploiting this vulnerability were identified in August 2021. The attack begins with the delivery of malicious emails containing documents crafted specifically to exploit the <strong>MSHTML<\/strong>&nbsp;vulnerability. The document uses an external <strong>oleObject<\/strong>&nbsp;relationship to embed JavaScript code contained in a referenced HTML file. This code triggers the download of a <strong>CAB<\/strong>&nbsp;file containing a <strong>DLL<\/strong>&nbsp;with .INF extension, followed by CAB decompression and DLL execution. The DLL retrieves remote shellcode\u2014in this case a <strong>Cobalt Strike<\/strong>&nbsp;Beacon\u2014and injects it into the <strong>wabmig.exe<\/strong>&nbsp;process.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Figure2-attack-chain.png\" alt=\"diagram showing attack chain of DEV-0413 campaign that used CVE-2021-40444\" loading=\"lazy\" \/><figcaption class=\"wp-element-caption\">Source:&nbsp;<a href=\"https:\/\/www.microsoft.com\/security\/blog\/2021\/09\/15\/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability\/\">Analyzing attacks that exploit the CVE-2021-40444 MSHTML vulnerability | Microsoft Security Blog<\/a><\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The Microsoft Threat Intelligence Center (<em><strong>MSTIC<\/strong><\/em>) tracks a broad cluster of criminal activity involving Cobalt Strike infrastructure under the designation <strong>DEV-0365<\/strong>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">However, due to significant operational differences from DEV-0365, MSTIC attributed the initial CVE-2021-40444 email campaign to a separate cluster designated <strong>DEV-0413<\/strong>. This email campaign demonstrated substantially higher targeting precision compared to other malware campaigns attributed to DEV-0365 infrastructure. The initial campaign targeted specific application development organizations, delivering recruitment-themed emails soliciting mobile application developers.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">A second email campaign was observed in early September, characterized by significantly lower targeting specificity and employing legal threat subject lines referencing &#8220;small claims court.&#8221; On 8 September, a proof-of-concept sample exploiting this vulnerability was publicly disclosed. Following this disclosure, we observed multiple threat actors, including ransomware-as-a-service affiliates, incorporating the publicly available proof-of-concept code into their toolkits. <a href=\"https:\/\/fortgale.com\/en\/cybersecurity-advisory\/\">Cybersecurity Advisory<\/a> resources document the rapid weaponization patterns observed across multiple threat clusters during this period.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/security\/blog\/uploads\/securityprod\/2021\/09\/Figure5-Exploitation-attempts.png\" alt=\"Line graph showing volume of observed exploitation attempts\" loading=\"lazy\" \/><figcaption class=\"wp-element-caption\">Source:&nbsp;<a href=\"https:\/\/www.microsoft.com\/security\/blog\/2021\/09\/15\/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability\/\">Analyzing attacks that exploit the CVE-2021-40444 MSHTML vulnerability | Microsoft Security Blog<\/a><\/figcaption><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>MSHTML CVE-2021-40444 technical analysis: ActiveX abuse via Office documents, exploitation chain, mitigation steps and IOC indicators.<\/p>\n","protected":false},"author":1,"featured_media":3244,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[3239,1643,1647,3238,3230],"class_list":["post-3221","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-emerging-threats","tag-activex-abuse","tag-cve-2021-40444-it","tag-mshtml-it","tag-office-exploitation","tag-zero-day"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/3221","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=3221"}],"version-history":[{"count":2,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/3221\/revisions"}],"predecessor-version":[{"id":9884,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/3221\/revisions\/9884"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=3221"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=3221"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=3221"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}