MSHTML Attack Targets Russian State Rocket Centre and Interior Ministry

 

An MSHTML vulnerability listed under CVE-2021-40444 is being used to target Russian entities, as per Malwarebytes. 

Malwarebytes Intelligence has detected email attachments directed especially against Russian enterprises. The first template they discovered is structured to resemble an internal communication within JSC GREC Makeyev. 

The Joint Stock Company State Rocket Center named after Academician V.P. Makeyev is a strategic asset of the country's defence and industrial complex for both the rocket and space industries. It is also the primary manufacturer of liquid and solid-fuel strategic missile systems with ballistic missiles, making it one of Russia's largest research and development centres for developing rocket and space technology. 

The email purports to be from the organization's Human Resources (HR) department. It stated that HR is conducting a check of the personal information given by workers. Employees are asked to fill out a form and send it to HR, or to respond to the email. 

When the recipient wishes to fill out the form, they must allow editing. And that action is sufficient to activate the exploit. When the target opens a malicious Office document, MSHTML loads a specially designed ActiveX control. The loaded ActiveX control can then execute arbitrary code to attack the machine with further malware. 

The second file, Malwarebytes discovered appears to be from Moscow's Ministry of the Interior. The attachment may be used to aim at a variety of fascinating targets. The documents' title translates to "Notification of illegal activity." 

It requests that the recipient complete the form and submit it to the Ministry of Internal Affairs, or respond to the email. It also encourages the targeted victim to do so within seven days. 

Malwarebytes further stated, they seldom come across proof of cybercrime against Russian targets. Given the targets, particularly the first, they think a state-sponsored actor is behind these assaults, and are investigating the source of the strikes. 

Vulnerability Patch

The CVE-2021-40444 vulnerability is rather outdated in nature (it involves ActiveX) however, it was just recently discovered. It wasn't long before threat actors were posting proofs-of-concept, tutorials, and exploits on hacker forums, allowing anybody to conduct their own assaults by following step-by-step instructions.

Microsoft immediately issued mitigation instructions that blocked the installation of new ActiveX controls and managed to squeeze a fix into its most recent Patch Tuesday release, just a few weeks after the flaw was made public. 

The time it takes to build a patch, on the other hand, is frequently overshadowed by the time it takes users to apply it. Organizations, particularly large ones, are frequently discovered to be far behind in patching, thus the chances of more cyberattacks like these increase.