Researchers at the security company Sophos have published details of new attacks that use Microsoft Office programs. As the researchers state, the attackers exploit the CVE-2021-40444 flaw, which Microsoft patched months ago, by a different method.
A complicated attack that uses a patched vulnerability
In the original CVE-2021-40444 attacks, which have since been patched, the attackers embedded Microsoft Cabinet (.cab) files in Office documents to deliver the malware payload. After this high-CVSS flaw was patched, the attackers have been trying other methods to deliver malware through Office documents.
The newly discovered method uses a specially crafted RAR archive. The attackers send victims an e-mail containing a RAR file with a Word document (.docx) inside. The RAR file, named Profile.rar in the attachments, is malformed: it secretly contains a script written in Windows Scripting Host notation, with the malicious Word document following the script text.
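The malformed-archive structure described above (script text first, the RAR archive after it) can be checked for at the mail gateway or in a triage script. The following is an added example written for this article, not Sophos's detection logic or code; the list of script markers and the sample bytes are constructed assumptions.

```python
# Added example: flag RAR attachments whose archive signature is not at offset 0
# and whose leading bytes look like Windows Script Host text.
# Heuristic written for this article, not Sophos's detection logic.

RAR4_MAGIC = b"Rar!\x1a\x07\x00"        # RAR 4.x signature
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"    # RAR 5.x signature
# Tokens typical of WSH (JScript/VBScript) text; assumed list, matched case-insensitively.
SCRIPT_MARKERS = (b"wscript.", b"createobject(", b"activexobject(", b"<script", b"<job")


def inspect_rar(data: bytes) -> dict:
    """Classify an attachment by where the RAR signature sits and what precedes it."""
    offsets = [o for o in (data.find(RAR4_MAGIC), data.find(RAR5_MAGIC)) if o != -1]
    if not offsets:
        return {"verdict": "not-rar", "signature_offset": None, "prefix_markers": []}
    off = min(offsets)
    prefix = data[:off].lower()
    markers = [m.decode() for m in SCRIPT_MARKERS if m in prefix]
    if off == 0:
        verdict = "clean-header"              # signature first, as in a well-formed archive
    elif markers:
        verdict = "suspicious-script-prefix"  # script text prepended to the archive
    else:
        verdict = "prepended-data"            # something precedes the archive; inspect manually
    return {"verdict": verdict, "signature_offset": off, "prefix_markers": markers}


def inspect_file(path: str) -> dict:
    """Convenience wrapper for scanning an attachment saved on disk."""
    with open(path, "rb") as fh:
        return inspect_rar(fh.read())


# Constructed samples (not real malware): a harmless script-like text block glued in
# front of a RAR 4 header, and a plain RAR 5 header with nothing before it.
SCRIPT_PREFIX = b'<job><script language="JScript">var s = new ActiveXObject("WScript.Shell");</script></job>\r\n'
MALFORMED_SAMPLE = SCRIPT_PREFIX + RAR4_MAGIC + b"\x00" * 16
CLEAN_SAMPLE = RAR5_MAGIC + b"\x00" * 16

if __name__ == "__main__":
    for name, blob in (("malformed", MALFORMED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(name, inspect_rar(blob))
```

A "prepended-data" verdict is not proof of abuse, since some self-extracting or otherwise wrapped archives legitimately carry data before the signature, so treat it as a triage prompt rather than a block decision.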
Interestingly, the attackers tried this method for only 36 hours. The Sophos researchers think this may have been a dry run before further exploitation. For the time being, it is better not to open Office documents that arrive unusually packed inside a RAR file.
To read the full documentation by Sophos, click here.