Security News > 2021 > December > Attackers bypass Microsoft patch to deliver Formbook malware
Sophos Labs researchers have detected the use of a novel exploit able to bypass a patch for a critical vulnerability affecting the Microsoft Office file format.
The attackers took a publicly available proof-of-concept Office exploit and weaponized it to deliver Formbook malware.
The CVE-2021-40444 vulnerability is a critical remote code execution vulnerability that attackers can exploit to execute any code or commands on a target machine without the owner's knowledge.
A few days later, the company shared how attackers have been exploiting the flaw to deliver custom Cobalt Strike payloads.
"The pre-patch versions of the attack involved malicious code packaged into a Microsoft Cabinet file. When Microsoft's patch closed that loophole, attackers discovered a proof-of-concept that showed how you could bundle the malware into a different compressed file format, a RAR archive. RAR archives have been used before to distribute malicious code, but the process used here was unusually complicated. It likely succeeded only because the patch's remit was very narrowly defined and because the WinRAR program that users need to open the RAR is very fault tolerant and doesn't appear to mind if the archive is malformed, for example, because it's been tampered with."
The researchers found that the attackers had created an abnormal RAR archive that had a PowerShell script prepending a malicious Word document stored inside the archive.
News URL
https://www.helpnetsecurity.com/2021/12/22/cve-2021-40444-patch-bypass/
Related news
- VEILDrive Attack Exploits Microsoft Services to Evade Detection and Distribute Malware (source)
- Microsoft November 2024 Patch Tuesday fixes 4 zero-days, 91 flaws (source)
- Microsoft November 2024 Patch Tuesday fixes 4 zero-days, 89 flaws (source)
- Microsoft slips Task Manager and processor count fixes into Patch Tuesday (source)
- Researchers Uncover Malware Using BYOVD to Bypass Antivirus Protections (source)
- Microsoft says premature patch could make Windows Recall forget how to work (source)
- Microsoft December 2024 Patch Tuesday fixes 1 exploited zero-day, 71 flaws (source)
- Microsoft holds last Patch Tuesday of the year with 72 gifts for admins (source)
- Microsoft Fixes 72 Flaws, Including Patch for Actively Exploited CLFS Vulnerability (source)
- Patch Tuesday: Microsoft Patches One Actively Exploited Vulnerability, Among Others (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-09-15 | CVE-2021-40444 | Path Traversal vulnerability in Microsoft products <p>Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows. | 0.0 |