The recent targeted attacks exploiting the (at the time) zero-day remote code execution vulnerability (CVE-2021-40444) in Windows via booby-trapped Office documents have been delivering custom Cobalt Strike payloads, Microsoft and Microsoft-owned RiskIQ have shared.
The researchers also found connections between the attackers’ exploit delivery infrastructure and an infrastructure previously used by attackers to deliver human-operated ransomware, the Trickbot trojan and the BazaLoader backdoor/downloader.
The attacks and their possible goals
Judging by the email lures used in these attacks, some of the targets were application development organizations.
The targets would receive an email pointing to the exploit documents hosted on file-sharing sites which, once downloaded and opened, would retrieve a custom Cobalt Strike Beacon loader and load it into the Microsoft Address Book Import Tool.
The exploit made sure that the target wouldn’t be asked to disable Protected Mode in Microsoft Office and that the payload was executed without any user interaction.
According to Microsoft, at least one organization that was compromised by the attackers had been compromised months earlier with malware that interacted with the infrastructure tied to the ransomware operators (WIZARD SPIDER, aka Ryuk) wielding the Ryuk and Conti ransomware.
RiskIQ researchers also noted the connection and explained how they made it.
“Despite the historical connections, we cannot say with confidence that the threat actor behind the zero-day campaign is part of WIZARD SPIDER or its affiliates, or is even a criminal actor at all, though it is possible. If the threat actors were part of these groups, it means they almost surely purchased the zero-day exploit from a third party because they have not previously shown the ability to develop exploit chains of this complexity,” they added.
The limited nature of the attacks, the repeated targeting of the same organization noted above, and the use of a zero-day seem to point more towards traditional espionage than ransomware attacks with purely monetary goals, though the researchers can’t be sure of the attackers’ goal.
“In this case, the overlap with known ransomware infrastructure could mean one of several things,” they explained.
“First, that the zero-day operators compromised the infrastructure of the ransomware operators. Second, that the criminal operators are allowing the zero-day operators to piggyback on their existing infrastructure. Third, that the zero-day and ransomware operators are one and the same but engaging in espionage instead of financial crime. Finally, it could mean that both entities could be utilizing the same third party providing Bulletproof Hosting services. There is strong ancillary evidence that suggests this is the case.”
CVE-2021-40444 exploitation in the wild
Security researcher Kevin Beaumont said today that he’s only just now starting to detect signs of “in the wild” exploitation of the flaw:
Btw I am starting to see signs of 'in the wild' (i.e. not targeted ransomware) exploitation of this as of this morning. Fairly low volume still.
— Kevin Beaumont (@GossiTheDog) September 16, 2021
Microsoft delivered patches for CVE-2021-40444 on the September 2021 Patch Tuesday and is urging administrators to implement them as soon as possible.
The company has also shared mitigation advice and hunting queries that can be used by admins to see whether their organization has been targeted. RiskIQ has shared domains and IP addresses that have been used in the attacks, so defenders can block them.
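The chain described above (an Office document retrieving a loader that is run inside the Microsoft Address Book Import Tool) gives defenders a concrete parent/child process pairing to hunt for. The script below is an added illustration of such a check, not one of Microsoft's published hunting queries and not code from RiskIQ. It assumes the Address Book Import Tool's executable is named wabmig.exe, that process-creation telemetry can be exported as CSV with ParentImage and Image columns, and uses a constructed sample log; the Office executable list is also an assumption.

```python
"""Flag Office applications that spawn the Microsoft Address Book Import Tool.

Added example for illustration; not Microsoft's or RiskIQ's hunting query.
Assumptions: the tool's executable is wabmig.exe, and process-creation
telemetry is available as CSV rows with UtcTime, ParentImage, Image,
CommandLine columns.
"""
import csv
import io
import ntpath
from typing import Dict, List

# Office applications that open the lure document (assumed list).
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Assumed executable name of the Microsoft Address Book Import Tool.
ADDRESS_BOOK_IMPORT_TOOL = "wabmig.exe"

# Constructed sample telemetry (not real events). Rows 1 and 4 model the
# chain from the article; row 2 is a benign Office child (print helper);
# row 3 is a user launching the import tool from Explorer.
SAMPLE_LOG = r"""UtcTime,ParentImage,Image,CommandLine
2021-09-15T09:12:01,C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE,C:\Program Files\Common Files\System\wab32\wabmig.exe,"wabmig.exe"
2021-09-15T09:13:44,C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE,C:\Windows\splwow64.exe,"splwow64.exe 8192"
2021-09-15T10:02:17,C:\Windows\explorer.exe,C:\Program Files\Common Files\System\wab32\wabmig.exe,"wabmig.exe"
2021-09-15T10:20:05,C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE,C:\Program Files\Common Files\System\wab32\wabmig.exe,"wabmig.exe"
"""


def parse_events(text: str) -> List[Dict[str, str]]:
    """Parse CSV telemetry into a list of event dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def is_suspicious(event: Dict[str, str]) -> bool:
    """True when an Office application is the direct parent of the import tool."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    return parent in OFFICE_IMAGES and child == ADDRESS_BOOK_IMPORT_TOOL


def hunt(text: str = SAMPLE_LOG) -> List[str]:
    """Return the timestamps of all matching events, in log order."""
    return [ev["UtcTime"] for ev in parse_events(text) if is_suspicious(ev)]


if __name__ == "__main__":
    for ts in hunt():
        print(f"{ts}: Office process spawned {ADDRESS_BOOK_IMPORT_TOOL}; investigate the opened document")
```

On the constructed sample the check reports the two Office-parented launches and ignores both the benign Office child process and the Explorer-launched tool, which is the point of keying on the parent image rather than on the tool alone. In real telemetry the same pairing can be expressed in the query language of whatever EDR or SIEM holds the process-creation events.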