
Microsoft MSHTML Flaw Exploited by Ryuk Ransomware Gang
2021-09-17 12:07

Criminals behind the Ryuk ransomware were early exploiters of the Windows MSHTML flaw, actively leveraging the bug in campaigns ahead of a patch released by Microsoft this week.

Collaborative research by Microsoft and RiskIQ revealed campaigns by Ryuk threat actors early on that exploited the flaw, tracked as CVE-2021-40444.

Specifically, most of the attacks that researchers analyzed used MSHTML as part of an initial access campaign that distributed custom Cobalt Strike Beacon loaders. These loaders communicated with infrastructure associated with multiple cybercriminal campaigns, including human-operated ransomware, researchers from the Microsoft 365 Defender Threat Intelligence Team at the Microsoft Threat Intelligence Center reported.

RiskIQ identified the ransomware infrastructure as potentially belonging to the Russian-speaking Wizard Spider crime syndicate, known to maintain and distribute Ryuk ransomware.

The vulnerability allows an attacker to craft a malicious ActiveX control that can be used by a Microsoft Office document that hosts the browser rendering engine, according to Microsoft.

At least one of the campaigns Microsoft researchers observed included emails impersonating contracts and legal agreements to try to trick victims into opening the documents that delivered the payload. Though it is not completely certain that Wizard Spider is behind some of these early attacks, it is clear that ransomware operators are interested in exploiting the MSHTML flaw, according to RiskIQ. However, at this point, "We assume there has been limited deployment of this zero-day," researchers wrote.


News URL

https://threatpost.com/microsoft-mshtml-ryuk-ransomware/174780/

Related Vulnerability

DATE        CVE             VULNERABILITY TITLE                                  RISK
2021-09-15  CVE-2021-40444  Path Traversal vulnerability in Microsoft products   8.8

Description: Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows.
Attack vector: network
Attack complexity: low
Vendor: microsoft
CWE: CWE-22

Related vendor

VENDOR     LAST 12M  #/PRODUCTS  LOW   MEDIUM  HIGH  CRITICAL  TOTAL VULNS
Microsoft  690       814         4570  4247    3714  13345