The same cyber criminals behind Ryuk ransomware were some of the early exploiters of the Windows MSHTML flaw, actively leveraging the bug in campaigns ahead of patches released by Microsoft.
Collaborative research has revealed that campaigns by Ryuk threat actors exploited the flaw early on. The flaw, tracked as CVE-2021-40444, is a remote code execution (RCE) vulnerability in Windows that allows attackers to craft malicious Microsoft Office documents. In attacks, it can be used to hide a malicious ActiveX control inside an Office document.
Specifically, most of the attacks that researchers analysed used MSHTML as part of an initial access campaign that distributed custom Cobalt Strike Beacon loaders, which communicated with infrastructure that is associated with multiple cyber criminal campaigns, including human-operated ransomware.
The campaign used a social engineering lure that aligned with the business operations of the targeted organisations, which, researchers said, “suggested a degree of purposeful targeting”.
“The campaign purported to seek a developer for a mobile application, with multiple application development organisations being targeted,” they wrote. “In most instances, file-sharing services were abused to deliver the CVE-2021-40444-laden lure.”
Microsoft first disclosed the MSHTML zero-day vulnerability on 7 September, warning organisations of the bug and urging mitigations in separate alerts released that day.
The vulnerability allows attackers to craft malicious ActiveX controls that can be used by a Microsoft Office document that hosts the browser rendering engine. Someone would have to open the malicious document for an attack to be successful, which is why the attackers are using email campaigns with lures that appear relevant to their targets in the hopes that they will launch embedded documents.
Indeed, at least one of the campaigns Microsoft researchers observed included emails impersonating contracts and legal agreements to trick victims into opening the documents, which then deliver the payload.
While it is clear that ransomware operators are interested in exploiting the MSHTML flaw, at this point researchers said: “We assume there has been limited deployment of this zero-day”. That means that even if known cyber criminals are involved in the attacks, delivering ransomware may not be the ultimate goal of the campaigns.
Instead, researchers believe that the goal of the operators behind the zero-day may be traditional espionage. This goal could easily be obscured by a ransomware deployment and blend into the current wave of targeted ransomware attacks.
Neuways advises businesses to apply the patch Microsoft released last week for the vulnerability and update their systems now, before more attacks occur. At the time of writing, the patch has successfully corrected the vulnerability.