Microsoft MSHTML Remote Code Execution Vulnerability Threat Intel Advisory

Researchers detected the vulnerability CVE-2021-40444 that targets a remote code execution flaw in MSHTML used to render web content inside Office documents

Updated on

February 27, 2023

Published on

September 9, 2021

Read time

Subscribe to the latest industry news, technologies and resources.

Category	Vulnerability Intelligence
Vulnerability Class	Remote Code Execution
CVE id	CVE-2021-40444
CVSS:3.0 Score	8.8
TLP#	GREEN
Reference	*https://en.wikipedia.org/wiki/Intelligence_source_and_information_reliability #https://en.wikipedia.org/wiki/Traffic_Light_Protocol

Executive Summary

Microsoft Mandiant, and Expmon researchers have detected a vulnerability, tracked as CVE-2021-40444, that targets a remote code execution flaw in MSHTML, used in Microsoft Office to render web content inside Word, Excel, and PowerPoint documents.
The zero-day vulnerability is actively exploited by threat actors and Office users are targeted through client-side attack vectors.
Microsoft has updated Windows Defender Antivirus and Windows Defender for Endpoints to defend against this vulnerability.
Assets can be protected against the attack by following the guidelines recorded in the Impact & Mitigation section of this advisory.

Analysis

Trident, popularly known as the MSHTML, is a browser engine developed by Microsoft for Internet Explorer. The Microsoft Office suite supports MSHTML, which has a remote code execution vulnerability (CVE-2021-40444) that attackers are increasingly exploiting to gain code execution on targeted systems. At present, Microsoft has not disclosed the technical details of the vulnerability.

Threat actors craft a malicious ActiveX control which is then used in Office documents that host MSHTML.
The logical flaw in MSHTML is triggered when the user opens the malicious document.
However, Protected View/ Application Guard in Microsoft Office applications is capable of defending against these targeted attacks.
Microsoft has updated Defender for Endpoints, to flag such attacks with an alert that reads “Suspicious Cpl File Execution.”
Microsoft has not released a patch for this zero-day vulnerability, but TTPs (Techniques tactics and procedures) for this vulnerability have been updated in Windows Defender.
Additionally, an official Microsoft advisory that includes a workaround has been included in the following section.

Impact & Mitigation

Impact	Mitigation
Remote code execution allows the attackers to take control of the target system. Initial access to a corporate endpoint may potentially enable lateral movements in the internal network. Nation-state actors leverage client-side zero-day vulnerabilities to compromise information, while ransomware groups use these vulnerabilities to extort money by encrypting user data.	Microsoft guidelines that address the zero-day vulnerability CVE-2021-40444: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444

Indicators of Compromise

IP/ Domain	hidusi[.]com
	dodefoh[.]com:443
	joxinu[.]com:443
	45.147.229.242
	104.194.10.21
Hashes	D0e1f97dbe2d0af9342e64d460527b088d85f96d38b1d1d4aa610c0987dca745
	049ed15ef970bd12ce662cffa59f7d0e0b360d47fac556ac3d36f2788a2bc5a4
	5b85dbe49b8bc1e65e01414a0508329dc41dc13c92c08a4f14c71e3044b06185
	199b9e9a7533431731fbb08ff19d437de1de6533f3ebbffc1e13eeffaa4fd455
	3bddb2e1a85a9e06b9f9021ad301fdcde33e197225ae1676b8c6d0b416193ecf
	D0fd7acc38b3105facd6995344242f28e45f5384c0fdf2ec93ea24bfbc1dc9e6
	938545f7bbe40738908a95da8cdeabb2a11ce2ca36b0f6a74deda9378d380a52

Table of Contents

This is also a heading
This is a heading

Get Global Threat Intelligence on Real Time

Protect your business from cyber threats with real-time global threat intelligence data.. 30-day free and No Commitment Trial.

Schedule a Demo

Real time Threat Intelligence Data

More information and context about Underground Chatter

On-Demand Research Services