Rewterz Threat Advisory – CVE-2021-40444 MSHTML Vulnerability Exploited in Spam Campaign

Severity

High

Analysis Summary

A malspam campaign exploiting the MSHTML remote code execution vulnerability has been observed in the wild. The threat actors drop a Cobalt Strike payload to infiltrate systems and gain unauthorized access for their own gain, which can lead to information theft. The vulnerability was previously exploited using specially crafted Microsoft Office documents.

CVE-2021-40444

Microsoft Windows could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in the MSHTML Platform. By persuading a victim to visit a specially crafted Web site, an attacker could exploit this vulnerability to execute arbitrary code on the system.

Impact

  • Remote code execution

Indicators of Compromise

Filename

  • EYWCET97LV2U[.]inf
  • invoice[.]docx

MD5

  • 95e86f13ad08cbf7653ca14ee01a9496
  • 936cad45145d0745ffde338ed6492615
  • 2c469ff3ad8e37b241bb44cd266356d8

SHA-256

  • 12735482351d0b7b5018f46f78b124c2c0c39a8a3479c44e73f646ce1bb49f95
  • dd088962eb9e2a6b6e10114d4aecad1b20ca033f6eba1308eb6c0fcd9905cbee
  • 8bd0c08fee9f0a70a085b9640f54efeef54304d5ab26645cc3d0b64d322db714

SHA-1

  • ca9a468ca020b40cf3e4e9f82700ddd5d3426929
  • 5b9c8d450f9d6bb7cb8072a89a39fb276971612d
  • 49b289387c44a5d738aca7fb127fcfa85b16b6c1

URL

  • http[:]//tigerdrill[.]xyz/EYWCET97LV2U[.]html
  • http[:]//tigerdrill[.]xyz/EYWCET97LV2U[.]cab
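As an added example (not part of the Rewterz advisory), the following Python refangs the indicators listed above and checks them against constructed sample proxy log lines and SHA-256 values; the log format and the sample entries are assumptions, not real traffic.

```python
import re

# Defanged indicators copied from the advisory above.
ADVISORY_URLS = [
    "http[:]//tigerdrill[.]xyz/EYWCET97LV2U[.]html",
    "http[:]//tigerdrill[.]xyz/EYWCET97LV2U[.]cab",
]
ADVISORY_SHA256 = {
    "12735482351d0b7b5018f46f78b124c2c0c39a8a3479c44e73f646ce1bb49f95",
    "dd088962eb9e2a6b6e10114d4aecad1b20ca033f6eba1308eb6c0fcd9905cbee",
    "8bd0c08fee9f0a70a085b9640f54efeef54304d5ab26645cc3d0b64d322db714",
}


def refang(indicator: str) -> str:
    """Undo the [.] and [:] defanging used in the advisory."""
    return indicator.replace("[.]", ".").replace("[:]", ":")


IOC_URLS = {refang(u) for u in ADVISORY_URLS}
# Host part of each URL, so a different path on the same host is still flagged.
IOC_HOSTS = {re.sub(r"^https?://([^/]+).*$", r"\1", u) for u in IOC_URLS}


def scan_proxy_log(lines):
    """Return (line_no, reason) for lines matching an advisory URL, else its host."""
    hits = []
    for n, line in enumerate(lines, 1):
        url = next((u for u in IOC_URLS if u in line), None)
        if url:
            hits.append((n, "url:" + url))
            continue
        host = next((h for h in IOC_HOSTS if h in line), None)
        if host:
            hits.append((n, "host:" + host))
    return hits


def scan_hashes(sha256_values):
    """Return the sorted subset of the given SHA-256 values that appear in the advisory."""
    return sorted(h for h in sha256_values if h.lower() in ADVISORY_SHA256)


# Constructed sample proxy log lines (assumed format, not real traffic).
SAMPLE_LOG = [
    "2021-11-12T10:01:05Z user1 GET http://example.com/index.html 200",
    "2021-11-12T10:02:17Z user2 GET http://tigerdrill.xyz/EYWCET97LV2U.html 200",
    "2021-11-12T10:02:19Z user2 GET http://tigerdrill.xyz/EYWCET97LV2U.cab 200",
    "2021-11-12T10:03:40Z user3 GET http://tigerdrill.xyz/other.bin 404",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```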

Affected Vendors

  • Microsoft

Remediation

Users are advised to apply the appropriate patch for their system through Microsoft Automatic Update, or to search the Microsoft Security Update Guide for available patches.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444