A short-lived phishing campaign has been discovered that uses a novel exploit to circumvent Microsoft's patch for the remote code execution vulnerability in the MSHTML component, in order to distribute the Formbook malware. According to Sophos Labs researchers Andrew Brandt and Stephen Ormandy,
“Attachments indicate an escalation of an intruder’s abuse of the CVE-2021-40444 flaw, demonstrating that even fixes can’t always prevent the behavior of aggressive and well-skilled hackers.”
CVE-2021-40444 is a remote code execution vulnerability in MSHTML that can be triggered with specially crafted Microsoft Office documents. Microsoft patched the flaw as part of its September 2021 Patch Tuesday release. Because the specifics of the flaw had been made public, it has been used in a variety of attacks.
Several other phishing campaigns have also been discovered, including, earlier this month, a sophisticated campaign that leverages this vulnerability to deliver Cobalt Strike Beacons to vulnerable Windows systems. Then, in November, SafeBreach Labs published research revealing a potential Iranian threat actor targeting Persian-speaking users with a novel PowerShell-based information stealer designed to capture sensitive data.
Sophos has now uncovered a new operation that modifies a publicly available proof-of-concept Office exploit to get around the patch and uses it as a tool to distribute the Formbook malware.