Researchers at the security company Sophos have published details of new attacks that abuse Microsoft Office documents. According to the researchers, the attackers are reusing the CVE-2021-40444 flaw, which Microsoft patched months ago, but delivering it by a different method.
A complicated attack that uses a patched vulnerability
In the original CVE-2021-40444 attacks, the attackers embedded Microsoft Cabinet (.cab) files in Office documents to deliver the malware payload. After this high-CVSS flaw was patched, they have been trying other ways to deliver malware through Office documents.
The newly discovered method uses a specially crafted RAR archive. The attackers e-mail victims a RAR file with a Word document (.docx) inside. The RAR file, named Profile.rar in the observed attachments, is malformed: it contains a script written in Windows Scripting Host notation, with the malicious Word document following the script text.
Surprisingly, the latest version of WinRAR opens the malformed archive without complaint, while alternative programs and some older WinRAR versions simply refuse to.
The exploit triggers when the user extracts the Word document and opens it. Microsoft Word contacts a server that returns JavaScript code, and that code runs the script embedded in the RAR archive. The embedded script in turn invokes PowerShell to download a malware executable, Formbook, which captures screenshots and logs keystrokes. The same chain could just as easily deliver other, more dangerous executables.
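The detail that matters for defenders is the archive's shape: a well-formed RAR file starts with its marker bytes at offset 0, whereas the attachment described above carries script text in front of them and relies on a tolerant extractor to open it anyway. The following check, an added example and not Sophos' detection logic, locates the RAR marker and flags any leading bytes (the `SCRIPT_HINTS` patterns are assumed heuristics, and the samples are constructed, not real attachments).

```python
import re

# RAR marker block: "Rar!\x1a\x07" followed by 0x00 (RAR 4.x) or 0x01 0x00 (RAR 5.x).
RAR_MAGIC = b"Rar!\x1a\x07"

# Assumed heuristic markers for Windows Scripting Host / HTML-style script text.
SCRIPT_HINTS = (b"<script", b"WScript", b"ActiveXObject", b"powershell")


def inspect_rar(data: bytes) -> dict:
    """Find the RAR marker and describe whatever precedes it.

    A well-formed archive has the marker at offset 0.  Any bytes before it
    are a region a tolerant extractor may skip but a scanner should not.
    """
    offset = data.find(RAR_MAGIC)
    if offset < 0:
        return {"is_rar": False, "prefix_len": 0, "script_hints": []}
    prefix = data[:offset]
    hints = [h.decode() for h in SCRIPT_HINTS
             if re.search(re.escape(h), prefix, re.IGNORECASE)]
    return {"is_rar": True, "prefix_len": offset, "script_hints": hints}


def verdict(data: bytes) -> str:
    """Summarise the inspection as a single triage label."""
    info = inspect_rar(data)
    if not info["is_rar"]:
        return "not-rar"
    if info["prefix_len"] == 0:
        return "clean"
    if info["script_hints"]:
        return "suspicious-script-prefix"
    return "suspicious-prefix"


# Constructed samples: a marker-first archive stub and one with script-like
# text placed ahead of the RAR marker, mirroring the malformed layout.
CLEAN_SAMPLE = RAR_MAGIC + b"\x01\x00" + b"\x00" * 16
PREFIXED_SAMPLE = (
    b'<script language="JScript">WScript.Echo("hi");</script>\r\n'
    + RAR_MAGIC + b"\x01\x00" + b"\x00" * 16
)

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_SAMPLE), ("prefixed", PREFIXED_SAMPLE)):
        print(name, verdict(blob), inspect_rar(blob))
```

Running the script prints `clean` for the first sample and `suspicious-script-prefix` for the second; in practice the same check belongs in mail-gateway or endpoint attachment scanning, where a non-zero prefix on a .rar attachment is worth quarantining regardless of whether the script heuristics match.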
Interestingly, the attackers used this method for only about 36 hours. Sophos researchers think this may have been a dry run ahead of further exploitation. For the time being, it is better not to open Office documents that arrive unusually packed inside a RAR file.
To read the full documentation by Sophos, click here.