SECURITY ALERT: Microsoft MSHTML Remote Code Execution Vulnerability Office 365 0-Day (CVE-2021-40444)

Updated: 14 Sep 2021
Summary
On September 7, 2021, Microsoft published a security update with a temporary workaround for an MSHTML Remote Code Execution vulnerability (CVE-2021-40444) that has been observed being exploited against Office 365 in the wild.

MSHTML is a browser rendering engine that is also used by Microsoft Office documents, and the attacks are said to utilize specially-crafted documents that targeted users would have to click.

UPDATE as of September 14, 2021: Microsoft has updated their advisory to include the patch information released as of 9/14.

Trend Micro also has a blog with more information on this threat.
Details

Protection Against Exploitation

First and foremost, it is always highly recommended that users apply the vendor's patches when they become available.

In addition to the vendor patches, Trend Micro has released supplementary detection and protection for the known malicious components associated with these attacks. This can help protect systems that have not already been compromised and defend against further attempts, but it is not a substitute for applying the patch.

Using Trend Micro Products for Investigation

Trend Micro Vision One™

Trend Micro Vision One customers benefit from the XDR detection capabilities of the underlying products such as Apex One. In addition, depending on their data collection time range, Vision One customers may be able to sweep for IOCs retrospectively to identify potential activity in that range and support their investigation.

Threat Intelligence Sweeping

Indicators for exploits of this vulnerability are now included in the Threat Intelligence Sweeping function of Trend Micro Vision One. Customers who have this enabled will now have the IOCs related to these threats added to their daily telemetry scans.


Preventative Rules, Filters & Detection

Trend Micro Malware Detection Patterns (VSAPI, Predictive Learning, Behavioral Monitoring and WRS) for Endpoint, Servers, Mail & Gateway (e.g. Apex One, Deep Security w/Anti-malware, etc.)

Malicious file samples associated with known exploits of this vulnerability are detected as:
| IoC Type | SHA1 | VSAPI Detection | Predictive Learning | Pattern Number (VSAPI) |
|---|---|---|---|---|
| Payload (CAB) | 56a8d4f7009caf32c9e28f3df945a7826315254c | Trojan.Win64.COBEACON.SUZ | | 16.953.00 |
| Exploited Doc | 1a528a5964cd18d8ce7a47e69e30ef1163407233 | Trojan.W97M.CVE202140444.A | | 16.955.00 |
| Exploited Doc | d05fc61894cb7652dce69edd6e4cf7e4e639754a | Trojan.W97M.CVE202140444.A | | 16.955.00 |
| Exploited Doc | f43ebedb86db817b208aebdf88e08163f239b832 | Trojan.W97M.CVE202140444.A | | 16.955.00 |
| Exploited Doc | 53b31e513d8e23e30b7f133d4504ca7429f0e1fe | Trojan.W97M.CVE202140444.A | | 16.955.00 |
| Downloaded JS | e5f2089d95fd713ca3d4787fe53c0ec036135e92 | Trojan.JS.TIVEX.A | | 16.955.00 |
| Payload (DLL) | 6c10d7d88606ac1afd30b4e61bf232329a276cdc | Backdoor.Win64.COBEACON.OSLJAU | TROJ.Win32.TRX.XXPE50FLM011 | 16.955.00 |
| Exploited Doc | 9bec2182cc5b41fe8783bb7ab6e577bac5c19f04 | Trojan.W97M.CVE202140444.A | | 16.955.00 |
| Exploited Doc | 34fe60eedf640ec11742ca9822b4fee48031e19b | Trojan.W97M.CVE202140444.A | | 16.955.00 |
| Payload (DLL) | e5f9b523cbe9ebd76fcfd47706254a94ede29c1d | Backdoor.Win64.COBEACON.OSLJAU | Troj.Win32.TRX.XXPE50FFF048 | 16.957.00 |
| Payload (CAB) | 9156a06acd3c61cffb2738b521c27ad863e98feb | Backdoor.Win64.COBEACON.OSLJAU | | 16.957.00 |

In addition, the following associated URLs are being blocked via Web Reputation Services (WRS):
| URL | Category |
|---|---|
| hxxp://hidusi[.]com/ | Malware Accomplice |
| hxxp://hidusi[.]com/e273caf2ca371919/mountain[.]html | Malware Accomplice |
| hxxp://hidusi[.]com/94cc140dcee6068a/help[.]html | Malware Accomplice |
| hxxp://hidusi[.]com/e8c76295a5f9acb7/side[.]html | Malware Accomplice |
| hxxp://hidusi[.]com/e8c76295a5f9acb7/ministry[.]cab | Malware Accomplice |
| hxxps://joxinu[.]com | C&C Server |
| hxxps://joxinu[.]com/hr[.]html | C&C Server |
| hxxps://dodefoh[.]com | C&C Server |
| hxxps://dodefoh[.]com/ml[.]html | C&C Server |
| hxxp://pawevi[.]com/e32c8df2cf6b7a16/specify.html | C&C Server |
| hxxp://sagoge[.]com/ | Malware Accomplice |
| hxxps://comecal[.]com/ | Malware Accomplice |
| hxxps://rexagi[.]com/ | Malware Accomplice |
| hxxp://sagoge[.]com/get_load | Malware Accomplice |
| hxxps://comecal[.]com/static-directory/templates[.]gif | Malware Accomplice |
| hxxps://comecal[.]com/ml[.]js?restart=false | Malware Accomplice |
| hxxps://comecal[.]com/avatars | Malware Accomplice |
| hxxps://rexagi[.]com:443/avatars | Malware Accomplice |
| hxxps://rexagi[.]com/ml[.]js?restart=false | Malware Accomplice |
| hxxps://macuwuf[.]com | Malware Accomplice |
| hxxps://macuwuf[.]com/get_load | Malware Accomplice |
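For customers who want to run their own retrospective sweep with the indicators above (for instance against a proxy log export or a file share), the following is an added example and not Trend Micro code or product functionality. It refangs a subset of the advisory's defanged indicators, matches file content by SHA1 against the detection table, and flags proxy log lines whose requested host appears in the WRS table; the log layout, the field positions and the log lines themselves are constructed assumptions.

```python
import hashlib
import re
# Subset of the advisory's indicators, copied from the tables above (constructed subset for brevity).
KNOWN_BAD_SHA1 = {
    "1a528a5964cd18d8ce7a47e69e30ef1163407233": "Trojan.W97M.CVE202140444.A",
    "56a8d4f7009caf32c9e28f3df945a7826315254c": "Trojan.Win64.COBEACON.SUZ",
    "e5f2089d95fd713ca3d4787fe53c0ec036135e92": "Trojan.JS.TIVEX.A",
}
DEFANGED_URLS = {
    "hxxp://hidusi[.]com/e8c76295a5f9acb7/ministry[.]cab": "Malware Accomplice",
    "hxxps://joxinu[.]com/hr[.]html": "C&C Server",
    "hxxps://rexagi[.]com:443/avatars": "Malware Accomplice",
}

def refang(indicator: str) -> str:
    """Undo the hxxp / [.] defanging so the indicator can be compared with real log data."""
    return indicator.replace("hxxp", "http").replace("[.]", ".")

def host_of(url: str) -> str:
    """Return the lower-cased host of a URL, dropping scheme, port and path."""
    return re.sub(r"^[a-z]+://", "", url.strip()).split("/")[0].split(":")[0].lower()

# Match on host rather than full URL: the same hosts serve several paths in the WRS table.
BAD_HOSTS = {host_of(refang(u)): cat for u, cat in DEFANGED_URLS.items()}

def match_file_sha1(data: bytes):
    """Return the VSAPI detection name if the content's SHA1 is a known indicator, else None."""
    return KNOWN_BAD_SHA1.get(hashlib.sha1(data).hexdigest())

def sweep_proxy_log(lines):
    """Return (line_no, host, category) for each line whose requested URL is on a known-bad host.
    Assumes a constructed 'timestamp client_ip url status' layout; adapt the split to your proxy."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 3:
            continue  # skip malformed lines rather than failing the whole sweep
        host = host_of(fields[2])
        if host in BAD_HOSTS:
            hits.append((n, host, BAD_HOSTS[host]))
    return hits

# Constructed proxy log lines for the example; the hosts come from the WRS table above.
SAMPLE_LOG = [
    "2021-09-08T10:15:02Z 10.0.0.12 https://joxinu.com/hr.html 200",
    "2021-09-08T10:15:03Z 10.0.0.12 https://www.example.com/ 200",
    "2021-09-08T10:16:44Z 10.0.0.7 http://hidusi.com/e8c76295a5f9acb7/ministry.cab 200",
    "2021-09-08T10:17:01Z 10.0.0.9 https://rexagi.com:443/avatars 200",
]
```

Calling `sweep_proxy_log(SAMPLE_LOG)` returns the three lines that reached joxinu.com, hidusi.com and rexagi.com; `match_file_sha1(open(path, "rb").read())` does the same for a file on disk.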

Trend Micro is closely monitoring and conducting additional research on these attacks and will update this article with additional information and protections as they become available.

Category: Remove a Malware / Virus
Solution Id: 000288999