
Protection Against Exploitation

First and foremost, users should apply the vendor's patches as soon as they become available.

In addition to the vendor patches, which should be applied in any case, Trend Micro has released supplementary detection and protection rules. These may help block and detect known malicious components associated with these attacks, both on systems that have not already been compromised and against further attempted attacks.

Using Trend Micro Products for Investigation

Trend Micro Vision One™

Trend Micro Vision One customers benefit from the XDR detection capabilities of the underlying products, such as Apex One. In addition, depending on their data collection time range, Trend Micro Vision One customers may be able to sweep retrospectively for the IOCs listed in this article to identify whether there was related activity during that period, which helps in investigation.

Threat Intelligence Sweeping

Indicators for exploits of this vulnerability are now included in the Threat Intelligence Sweeping function of Trend Micro Vision One. Customers who have this enabled will have checks for the presence of the IOCs related to these threats added to their daily telemetry sweeps.

Intelligence Reports

Preventative Rules, Filters & Detection

Trend Micro Malware Detection Patterns (VSAPI, Predictive Learning, Behavioral Monitoring and WRS) for Endpoint, Servers, Mail & Gateway (e.g. Apex One, Deep Security w/Anti-malware, etc.)

Malicious file samples associated with known exploits of this vulnerability are detected as:

IoC Type       | SHA1                                     | VSAPI Detection                | Predictive Learning          | Pattern Number (VSAPI)
---------------|------------------------------------------|--------------------------------|------------------------------|-----------------------
Payload (CAB)  | 56a8d4f7009caf32c9e28f3df945a7826315254c | Trojan.Win64.COBEACON.SUZ      |                              | 16.953.00
Exploited Doc  | 1a528a5964cd18d8ce7a47e69e30ef1163407233 | Trojan.W97M.CVE202140444.A     |                              | 16.955.00
Exploited Doc  | d05fc61894cb7652dce69edd6e4cf7e4e639754a | Trojan.W97M.CVE202140444.A     |                              | 16.955.00
Exploited Doc  | f43ebedb86db817b208aebdf88e08163f239b832 | Trojan.W97M.CVE202140444.A     |                              | 16.955.00
Exploited Doc  | 53b31e513d8e23e30b7f133d4504ca7429f0e1fe | Trojan.W97M.CVE202140444.A     |                              | 16.955.00
Downloaded JS  | e5f2089d95fd713ca3d4787fe53c0ec036135e92 | Trojan.JS.TIVEX.A              |                              | 16.955.00
Payload (DLL)  | 6c10d7d88606ac1afd30b4e61bf232329a276cdc | Backdoor.Win64.COBEACON.OSLJAU | TROJ.Win32.TRX.XXPE50FLM011  | 16.955.00
Exploited Doc  | 9bec2182cc5b41fe8783bb7ab6e577bac5c19f04 | Trojan.W97M.CVE202140444.A     |                              | 16.955.00
Exploited Doc  | 34fe60eedf640ec11742ca9822b4fee48031e19b | Trojan.W97M.CVE202140444.A     |                              | 16.955.00
Payload (DLL)  | e5f9b523cbe9ebd76fcfd47706254a94ede29c1d | Backdoor.Win64.COBEACON.OSLJAU | Troj.Win32.TRX.XXPE50FFF048  | 16.957.00
Payload (CAB)  | 9156a06acd3c61cffb2738b521c27ad863e98feb | Backdoor.Win64.COBEACON.OSLJAU |                              | 16.957.00

In addition, the following associated URLs are blocked via Web Reputation Services (WRS):

URL                                                        | Category
-----------------------------------------------------------|-------------------
hxxp://hidusi[.]com/                                       | Malware Accomplice
hxxp://hidusi[.]com/e273caf2ca371919/mountain[.]html       | Malware Accomplice
hxxp://hidusi[.]com/94cc140dcee6068a/help[.]html           | Malware Accomplice
hxxp://hidusi[.]com/e8c76295a5f9acb7/side[.]html           | Malware Accomplice
hxxp://hidusi[.]com/e8c76295a5f9acb7/ministry[.]cab        | Malware Accomplice
hxxps://joxinu[.]com                                       | C&C Server
hxxps://joxinu[.]com/hr[.]html                             | C&C Server
hxxps://dodefoh[.]com                                      | C&C Server
hxxps://dodefoh[.]com/ml[.]html                            | C&C Server
hxxp://pawevi[.]com/e32c8df2cf6b7a16/specify.html          | C&C Server
hxxp://sagoge[.]com/                                       | Malware Accomplice
hxxps://comecal[.]com/                                     | Malware Accomplice
hxxps://rexagi[.]com/                                      | Malware Accomplice
hxxp://sagoge[.]com/get_load                               | Malware Accomplice
hxxps://comecal[.]com/static-directory/templates[.]gif     | Malware Accomplice
hxxps://comecal[.]com/ml[.]js?restart=false                | Malware Accomplice
hxxps://comecal[.]com/avatars                              | Malware Accomplice
hxxps://rexagi[.]com:443/avatars                           | Malware Accomplice
hxxps://rexagi[.]com/ml[.]js?restart=false                 | Malware Accomplice
hxxps://macuwuf[.]com                                      | Malware Accomplice
hxxps://macuwuf[.]com/get_load                             | Malware Accomplice
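For customers without Vision One, or for anyone who wants to run the retrospective sweep described above against their own proxy logs and file shares, the following is an added example (not Trend Micro's code, and not part of the original article). It refangs the WRS URLs to hostnames, matches those hosts against proxy-log lines (including subdomains, and ignoring case and port), and compares SHA-1 hashes of file contents against the detection table. The hashes and defanged URLs are taken from the tables above; the proxy-log layout, the sample log lines and the sample file bytes are assumptions constructed for this example.

```python
"""Offline IOC sweep over the CVE-2021-40444 indicators listed above.

Added example, not Trend Micro's code. Hashes and defanged URLs come from the
tables in the article; the log format and all sample data are constructed.
"""
import hashlib
import re
from urllib.parse import urlparse

# SHA-1 values from the VSAPI detection table (lower-case hex).
IOC_SHA1 = {
    "56a8d4f7009caf32c9e28f3df945a7826315254c",  # Payload (CAB)
    "1a528a5964cd18d8ce7a47e69e30ef1163407233",  # Exploited Doc
    "d05fc61894cb7652dce69edd6e4cf7e4e639754a",  # Exploited Doc
    "f43ebedb86db817b208aebdf88e08163f239b832",  # Exploited Doc
    "53b31e513d8e23e30b7f133d4504ca7429f0e1fe",  # Exploited Doc
    "e5f2089d95fd713ca3d4787fe53c0ec036135e92",  # Downloaded JS
    "6c10d7d88606ac1afd30b4e61bf232329a276cdc",  # Payload (DLL)
    "9bec2182cc5b41fe8783bb7ab6e577bac5c19f04",  # Exploited Doc
    "34fe60eedf640ec11742ca9822b4fee48031e19b",  # Exploited Doc
    "e5f9b523cbe9ebd76fcfd47706254a94ede29c1d",  # Payload (DLL)
    "9156a06acd3c61cffb2738b521c27ad863e98feb",  # Payload (CAB)
}

# Subset of the WRS table that covers every listed host (defanged as published).
IOC_URLS_DEFANGED = [
    "hxxp://hidusi[.]com/",
    "hxxp://hidusi[.]com/e8c76295a5f9acb7/ministry[.]cab",
    "hxxps://joxinu[.]com/hr[.]html",
    "hxxps://dodefoh[.]com/ml[.]html",
    "hxxp://pawevi[.]com/e32c8df2cf6b7a16/specify.html",
    "hxxp://sagoge[.]com/get_load",
    "hxxps://comecal[.]com/ml[.]js?restart=false",
    "hxxps://rexagi[.]com:443/avatars",
    "hxxps://macuwuf[.]com/get_load",
]


def refang(url):
    """Turn a defanged URL (hxxp://a[.]b) back into one urlparse understands."""
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("[:]", ":")


def ioc_hosts(defanged_urls):
    """Lower-case hostnames (port stripped) extracted from the defanged URL list."""
    hosts = set()
    for url in defanged_urls:
        host = urlparse(refang(url)).hostname  # urlparse lower-cases and drops the port
        if host:
            hosts.add(host)
    return hosts


IOC_HOSTS = ioc_hosts(IOC_URLS_DEFANGED)


def host_matches(host, hosts=IOC_HOSTS):
    """True if host is an IOC host or a subdomain of one; never matches look-alike suffixes."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in hosts)


# Assumed proxy-log layout: "<timestamp> <client-ip> <METHOD> <url> ..." (constructed).
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")


def sweep_proxy_log(lines, hosts=IOC_HOSTS):
    """Return (timestamp, client ip, host, url) for every line that reached an IOC host."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the whole sweep
        host = urlparse(m["url"]).hostname
        if host and host_matches(host, hosts):
            hits.append((m["ts"], m["src"], host, m["url"]))
    return hits


def sweep_files(files, hashes=IOC_SHA1):
    """files: mapping path -> bytes. Returns {path: sha1} for contents whose SHA-1 is an IOC."""
    hits = {}
    for path, data in files.items():
        digest = hashlib.sha1(data).hexdigest()
        if digest in hashes:
            hits[path] = digest
    return hits


# Constructed sample log lines (not from the advisory); the third one exercises
# the subdomain-and-port case, the last one the unparseable-line case.
SAMPLE_LOG = [
    "2021-09-08T10:01:12Z 10.0.0.15 GET http://hidusi.com/e8c76295a5f9acb7/ministry.cab 200",
    "2021-09-08T10:01:13Z 10.0.0.15 GET https://JOXINU.com/hr.html 200",
    "2021-09-08T10:02:00Z 10.0.0.22 GET https://cdn.rexagi.com:443/avatars 200",
    "2021-09-08T10:03:45Z 10.0.0.30 GET https://example.org/index.html 200",
    "garbage line with no structure",
]

if __name__ == "__main__":
    for hit in sweep_proxy_log(SAMPLE_LOG):
        print("proxy hit:", hit)
    # Placeholder bytes, so no hit here; point this at real downloads to check them.
    print("file hits:", sweep_files({"ministry.cab": b"constructed placeholder bytes"}))
```

Host matching is deliberately suffix-based on a dot boundary, so `cdn.rexagi.com` is a hit but `hidusi.com.evil.example` is not; the file sweep hashes whatever bytes you hand it, so on a real host you would read each candidate file in binary mode and pass the mapping in.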

Trend Micro is closely monitoring and conducting additional research on these attacks and will update this article with additional information and protections as they become available.

References