Microsoft Office zero-day also dubbed MSHTML attack exploited to target Russian government including Interior ministry and State Rocket Center.
Malwarebytes Intelligence team reports that the MSHTML vulnerability classified as CVE-2021-40444 has become the focus of threat actors targeting Russian government entities.
Malwarebytes researchers intercepted phishing email attachments revealing that attackers were trying to target Russian organizations.
The CVE-2021-40444 vulnerability involves ActiveX and is an old flaw, but it was discovered recently, and soon enough, threat actors started sharing its PoCs, tutorials, and exploits on hacking forums to let interested individuals obtain step-by-step instructions about how to launch their own attacks.
Microsoft responded spontaneously by publishing mitigation guidelines, disabling new ActiveX controls installation, and releasing a patch in its latest Patch Tuesday report. However, the patching time is comparatively longer than the time it takes people to exploit the flaw.
Email Template Explanation
The first template Malwarebytes analyzed is created so that it appears like an internal communication within the Joint Stock Company State Rocket Center named after Academician V.P. Makeyev.
According to Malwarebytes, the phishing email states that the HR department is checking employees’ personal data and urges them to fill out a form in the email or reply to the mail. In order to fill out the form, the receiver has to enable editing, which triggers the exploit.
About the Affected Entities
GREC Makeyev is Russia’s strategic defense and industrial complex for the space and rocket industry. This facility is also the country’s main solid and liquid fuel strategic missile system developer. Hence, it is Russia’s one of the leading R&D centers to develop rocket and space technology.
The Russian Ministry of Interior in Moscow is also the target of a similar campaign. Researchers noted that evidence of cybercrimes launched against Russian entities is a rarity. Considering that attackers are targeting the country’s space/rocket developer, it seems likely that a state-sponsored actor is perpetrating these attacks.
How does the Attack Works?
The attack, according to Malwarebytes’ blog post, mainly depends on MSHTML. It loads a specially designed ActiveX control when the receiver opens an infected MS Office document and runs the arbitrary code to infect the system with more malware.
In the malicious email, researchers claim another attachment originated from the Ministry of the Interior in Moscow. This attachment can be used for targeting other promising targets. The document’s title is in the Russian language that reads: “Notification of illegal activity.” The email urges the victim to return the filled-out form within 7 days.
Russia under cyber attacks
Usually, when it comes to cyberattacks, Russia or China are the usual suspects pointed out by the United States and its allies. However lately, Russia has been tackling large-scale cyberattacks including the world’s largest DDoS attack on Yandex earlier this month or 19 DDoS attacks on its electronic voting system in one day just a few days ago.
In August, a new variant of the infamous Konni RAT was caught targeting Russia. In the attack campaign, threat actors targeted economic and political issues between Russia and neighboring countries.