Hackers Exploited MSHTML Flaw to Spy on Government and Defense Targets

Khushi Jain

January 25, 2022

On Tuesday, 25th January 2022, cybersecurity researchers Tuesday took the wraps off a multi-stage espionage campaign targeting high-ranking government officials overseeing national security policy and individuals in the defense industry in Western Asia. Trellix, a new company created following the merger of security firms McAfee Enterprise and FireEye, said that the attack is unique as it leverages Microsoft OneDrive as a command-and-control (C2) server and is split into as many as six stages to stay as hidden as possible. First signs of activity are said to have commenced June 18, 2021, with two victims reported on September 21 and 29, followed by 17 more in a short span of three days between October 6 and 8. The Russia-based APT28 group, the threat actor behind the compromise of SolarWinds in 2020, are thought to be responsible for these attacks with moderate confidence owing to its similarities in the source code as well as in the attack indicators and geopolitical objectives. The execution of a Microsoft Excel file containing an exploit for the MSHTML remote code execution vulnerability (CVE-2021-40444) which is used to run a malicious binary that acts as the downloader for a third-stage malware dubbed Graphite starts the infection chain. OneDrive is used as the C2 server via the Microsoft Graph API by the DLL executable to retrieve additional stager malware that ultimately downloads and executes Empire, an open-source PowerShell-based post-exploitation framework widely abused by threat actors for follow-on activities.

Abridged fromThe Hacker News