OXFORD, U.K. — 12月 21, 2021 —

[Update: 12-24-2021, 7:35 am EST - Sophos originally tested the CAB-less exploit on an unpatched system for the research. Sophos later tested the CAB-less exploit on a testbed that had the September 2021 Cumulative Update. In the later test, the malicious Word document tried to connect to the external website hosting the exploit code, but the website was shut down, and we could not complete the test. The research article and press release have been updated accordingly. The updated press release copy is marked in bold.]

Sophos, a global leader in next-generation cybersecurity, today released details of a novel exploit that attempted to bypass a patch for a critical vulnerability (CVE-2021-40444) affecting the Microsoft Office file format. The findings are reported in a new SophosLabs Uncut article, “Attackers test ‘CAB-less 40444’ exploit in a dry run,” that shows how the attackers took a publicly available proof-of-concept Office exploit and weaponized it to deliver Formbook malware. The attackers then distributed it through spam emails for approximately 36 hours before it disappeared, according to Sophos researchers.

From CAB to “CAB-less” Exploit

In September 2021, Microsoft released a patch to prevent attackers from executing malicious code embedded in a Word document that downloads a Microsoft Cabinet (CAB) archive, which, in turn, contains a malicious executable. Sophos researchers discovered that attackers have reworked the original exploit by placing the malicious Word document inside a specially crafted RAR archive. The newer, “CAB-less” form of the exploit attempts to evade the original patch.

Sophos data shows that the amended exploit was used in the wild for around 36 hours. According to Sophos researchers, the limited lifespan of the updated attack could mean it was a “dry run” experiment that might return in future incidents.

“In theory, this attack approach shouldn't have worked, but it did,” said Andrew Brandt, principal threat researcher at Sophos. “The pre-patch versions of the attack involved malicious code packaged into a Microsoft Cabinet file. When Microsoft’s patch closed that loophole, attackers discovered a proof-of-concept that showed how you could bundle the malware into a different compressed file format, a RAR archive. RAR archives have been used before to distribute malicious code, but the process used here was unusually complicated. It likely succeeded only because the patch’s remit was very narrowly defined and because the WinRAR program that users need to open the RAR is very fault tolerant and doesn’t appear to mind if the archive is malformed, for example, because it’s been tampered with.”

The Infection Chain

Sophos researchers found that the attackers had created an abnormal RAR archive that had a PowerShell script prepending a malicious Word document stored inside the archive.

The attackers created and distributed spam emails that included the malformed RAR file as an attachment. The emails invited recipients to uncompress the RAR file to access the Word document.  Opening the Word document triggered a process that, on unpatched systems, ran the front-end script, leading eventually to an infection with Formbook malware.

“This research is a reminder that patching alone cannot protect against all vulnerabilities in all cases,” said Brandt. “Setting restrictions that prevent a user from accidentally triggering a malicious document can help to protect against such exploits, but people can still be lured into clicking the ‘enable content’ button. It is therefore vitally important to educate employees and remind them to be suspicious of emailed documents, especially when they arrive in unusual or unfamiliar compressed file formats from people or companies they don't know. If in doubt, always check with the sender or someone in IT.”

The CVE-2021-40444 vulnerability is a critical remote code execution (RCE) vulnerability that attackers can exploit to execute any code or commands on a target machine without the owner’s knowledge. Microsoft released an urgent mitigation followed by a patch in September. Sophos researchers found the 36 hours-campaign featuring the new exploit in late October.

Sophos endpoint products will detect the document files that contain the “CAB-less -40444” exploit as Troj/DocDL-AEOL.

For further information read the article on SophosLabs Uncut.

ソフォスについて

ソフォスは、サイバーセキュリティ業界のリーダー企業として、AI を駆使したプラットフォームや精鋭スタッフによるサービスを世界中の 600,000社以上のお客様にご利用いただいています。セキュリティの成熟度にかかわらず、あらゆるお客様のご要望にお応えし、サイバー攻撃を撃退すべくお客様とともに成長を続けています。機械学習や、自動化、リアルタイムの脅威インテリジェンスに、Sophos X-Ops の最前線スタッフから得た専門知識を組み合わせて、高度な脅威監視、検出、対応を 24時間 365日体制で行っています。
ソフォスは、業界最先端の MDR (managed detection and response) を提供しているのに加えて、エンドポイントをはじめ、ネットワーク、メール、クラウドセキュリティ、XDR (extended detection and response)、ITDR (identity threat detection and response)、次世代の SIEM まで、サイバーセキュリティテクノロジーのあらゆるラインナップを取り揃えています。さらに、専門家によるアドバイザリーサービスも提供しており、組織はこれらを組み合わせて利用することで、リスクをあらかじめ減らし、迅速な対応をとれるようになるだけでなく、進化し続ける脅威の一歩先をいくために必要な可視性および拡張性を確保することが可能となります。
ソフォスは、グローバルに広がるパートナーエコシステムを通じて市場展開しており、お客様は、MSP (Managed Service Provider)、MSSP (Managed Security Service Provider) や、リセラー、ディストリビューターのほか、マーケットプレイスにおける統合、ソフォスのサイバーリスクパートナーまで、信頼できる関係性を自由にお選びいただけます。  ソフォス本社は英国のオックスフォードにあります。詳細については www.sophos.com をご覧ください。