Spying on Government and Defense Targets Using MSHTML Flaw

Short News:-

Microsoft OneDrive is being used as a command and control (C2) server in the attack. The malware can remain undetected on victims' PCs because it only communicates with genuine Microsoft domains. The clandestine operation is claimed to have begun as early as June 18, 2021.
Detailed News:-

On Tuesday, a multi-stage espionage campaign targeting high-ranking government officials in Western Asia and individuals in the defense industry was revealed by cybersecurity researchers.


Microsoft OneDrive is being used as a command and control (C2) server in the attack, which can be broken up into as many as six phases, according to Trellix, a new business formed by the merging of McAfee Enterprise and FireEye.


In this way, the malware can remain undetected on victims' PCs, since it only communicates with genuine Microsoft domains and does not produce any abnormal network traffic, according to Trellix.


The first two victims were reported on September 21 and 29, and the clandestine operation is claimed to have begun as early as June 18, 2021. Another 17 victims were reported in just three days, from October 6 to 8.


Based on similarities in the source code, attack indicators, and geopolitical aims, Trellix attributed the attacks with moderate confidence to the Russia-based APT28 group, the threat actor responsible for the hack of SolarWinds in 2020.


[Figure: attack flow]


According to Trellix security expert Marc Elias, "we are completely certain that we are dealing with a very experienced actor based on how infrastructure, malware coding, and operation were put up."


The infection chain begins with the execution of a Microsoft Excel file. An exploit for the MSHTML remote code execution vulnerability (CVE-2021-40444) is then used to run a malicious binary that acts as a downloader for Graphite, the third-stage malware.


The Graphite DLL reaches its C2 server, hosted on OneDrive, through the Microsoft Graph API, and from there downloads and executes Empire, an open-source PowerShell-based post-exploitation framework. This is how the threat actors leverage OneDrive as their C2 server.
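The pattern described above (an Office document spawning a helper process that then talks to the Microsoft Graph API) is something a blue team can look for in endpoint telemetry. The following is an added detection example, not code from the article or from Trellix; the event shapes, process names and allowlists are constructed and assumed, and must be tuned to your environment.

```python
"""Heuristics for spotting OneDrive/Graph-API C2 traffic in endpoint telemetry."""

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Children Office legitimately spawns (assumed baseline); anything else is suspicious.
BENIGN_OFFICE_CHILDREN = {"splwow64.exe", "msosync.exe"}
# Processes expected to use the Graph API (assumed baseline, tune per estate).
GRAPH_API_CLIENTS = {"onedrive.exe", "outlook.exe", "teams.exe", "msedge.exe"}
GRAPH_HOSTS = {"graph.microsoft.com"}


def office_spawn_alerts(events):
    """Flag an Office process creating a child outside the benign allowlist."""
    return [
        e for e in events
        if e["type"] == "process_create"
        and e["parent"].lower() in OFFICE_APPS
        and e["image"].lower() not in BENIGN_OFFICE_CHILDREN
    ]


def graph_api_alerts(events):
    """Flag Graph API connections from a process that normally has no business there."""
    return [
        e for e in events
        if e["type"] == "network_connect"
        and e["dest_host"].lower() in GRAPH_HOSTS
        and e["image"].lower() not in GRAPH_API_CLIENTS
    ]


def correlated_pids(events):
    """PIDs both spawned by Office and later reaching the Graph API: highest priority."""
    spawned = {e["pid"] for e in office_spawn_alerts(events)}
    beaconing = {e["pid"] for e in graph_api_alerts(events)}
    return sorted(spawned & beaconing)


# Constructed sample telemetry (not from the report): an Excel-launched helper
# beaconing to the Graph API, alongside benign OneDrive sync traffic.
SAMPLE_EVENTS = [
    {"type": "process_create", "parent": "EXCEL.EXE", "image": "rundll32.exe", "pid": 4120},
    {"type": "process_create", "parent": "explorer.exe", "image": "OneDrive.exe", "pid": 2200},
    {"type": "network_connect", "image": "OneDrive.exe", "pid": 2200, "dest_host": "graph.microsoft.com"},
    {"type": "network_connect", "image": "rundll32.exe", "pid": 4120, "dest_host": "graph.microsoft.com"},
]

if __name__ == "__main__":
    for alert in office_spawn_alerts(SAMPLE_EVENTS) + graph_api_alerts(SAMPLE_EVENTS):
        print("ALERT:", alert)
    print("correlated PIDs:", correlated_pids(SAMPLE_EVENTS))
```

Because the destination itself is a legitimate Microsoft domain, the signal comes from the process context rather than the network indicator, which is why the two heuristics are correlated on PID.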


Microsoft and SafeBreach Labs have previously disclosed other campaigns that exploited the same MSHTML rendering engine flaw to plant malware and deploy modified Cobalt Strike Beacon loaders.
