MSHTML Flaw Exploited to Attack Russian Dissidents

A Ukraine-based threat actor is spearphishing Russians who use services that have been banned by the Kremlin.

A spearphishing campaign targeting Russian citizens and government entities that are not aligned with the actions of the Russian government is the latest of numerous threats that have emerged since Russia invaded Ukraine in February.

Researchers at Malwarebytes identified a campaign last week targeting people and organizations that use websites, social networks, instant messengers and VPN services banned by the Kremlin, according to a blog post published Tuesday by Hossein Jazi, threat intelligence analyst at Malwarebytes.

Targets receive emails warning that they will face charges for this activity and urging them to open a malicious attachment or link to learn more, Jazi wrote. The messages purport to come from the “Ministry of Digital Development, Telecommunications and Mass Communications of the Russian Federation” and the “Federal Service for Supervision of Communications, Information Technology and Mass Communications,” he said.


Malwarebytes observed two documents associated with the campaign that exploit CVE-2021-40444, a previously disclosed vulnerability in MSHTML, the browser rendering engine that Microsoft Office uses to display web content. The flaw, which Microsoft patched in September 2021, is a remote-code execution (RCE) bug that attackers trigger with a crafted Microsoft Office document that makes the engine load a malicious HTML page.

“Even though CVE-2021-40444 has been used in a few attacks in the past, to the best of our knowledge this was the first time we observed an attacker use RTF files instead of Word documents to exploit this vulnerability,” Jazi wrote.

The threat actor also used a variant of the MSHTML exploit known as CABLESS, which does away with the malicious .cab archive that the original exploit chain relied on, researchers said. Sophos previously reported an attack that used this variant, but in that case the actor did not deliver it through an RTF file, Jazi noted in the post.

The campaign also differs from most other cyber threats that have emerged since Russia invaded Ukraine on Feb. 24, which typically target Ukraine itself or parties sympathetic to the war-torn country’s cause.

Attack Sequence

Researchers intercepted a number of emails used in the campaign, all written in Russian. One of them is a letter informing the target about restrictions on access to the Telegram application in Russia, according to the post.

The email carries an RTF attachment with an embedded URL that downloads an HTML file exploiting the MSHTML bug, researchers said. The HTML file contains a script that in turn runs the Windows Script File (WSF) data embedded in the RTF file; that WSF data contains JavaScript which can be loaded from a remote location.

“In this case, this data has been accessed using the downloaded HTML exploit file,” Jazi explained. “Executing this script leads to spawning PowerShell to download a CobaltStrike beacon from the remote server and execute it on the victim’s machine.”
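As an added example (not code from Malwarebytes or from the campaign itself), the following Python script performs the static triage a responder would run on a suspicious RTF attachment before opening it anywhere: it pulls URLs out of the plain RTF text and out of hex-encoded OLE object data, looks for Windows Script File markers inside or after the RTF body, and flags a non-standard header. The sample RTF, its example.invalid URLs and the file layout are constructed for this example and are not the campaign's document.

```python
"""Static triage of an RTF attachment for the delivery pattern described above:
an embedded URL that fetches a remote HTML exploit, OLE object data, and
Windows Script File (WSF) content riding inside or after the RTF body.
Added example with constructed input, not Malwarebytes' tooling or samples."""
import re
from typing import Dict, List

# Constructed URLs for the sample; the .invalid TLD never resolves.
URL_A = "http://example.invalid/telegram-notice.html"
URL_B = "http://example.invalid/stage2.html"

# Constructed sample RTF. It carries (a) a HYPERLINK field pointing at a remote
# .html file, (b) an embedded OLE object whose hex payload hides a second URL as
# UTF-16LE, and (c) a WSF <job> block appended after the closing brace, where
# Word ignores it but a script host would still run it. The layout is an
# assumption made for the example, not a reproduction of the campaign's file.
SAMPLE_RTF = (
    r"{\rtf1\ansi\deff0{\fonttbl{\f0 Arial;}}" "\n"
    r'{\field{\*\fldinst HYPERLINK "' + URL_A + r'"}{\fldrslt Open}}' "\n"
    r"{\object\objemb{\*\objdata "
    + (b"\x01\x05\x00\x00" + URL_B.encode("utf-16-le")).hex()
    + "}}\n"
    "}\n"
    '<job id="run"><script language="JScript">WScript.Echo("x");</script></job>\n'
)

URL_BYTES_RE = re.compile(rb'https?://[^\s"\'<>{}\\]+')
URL_TEXT_RE = re.compile(r'https?://[^\s"\'<>{}\\]+')
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")
SCRIPT_MARKERS = (b"<job", b"<script", b"jscript", b"vbscript", b"wscript")


def _urls_in_blob(blob: bytes) -> List[str]:
    """URLs stored as ASCII or as UTF-16LE (either byte alignment) in a decoded OLE blob."""
    found = [u.decode("ascii", "replace") for u in URL_BYTES_RE.findall(blob)]
    for offset in (0, 1):
        text = blob[offset:].decode("utf-16-le", errors="ignore")
        found.extend(URL_TEXT_RE.findall(text))
    return found


def triage_rtf(data: bytes) -> Dict[str, object]:
    """Return the indicators a responder wants before the file is opened anywhere."""
    lowered = data.lower()
    # Word tolerates truncated headers such as "{\rt", which malicious RTFs use to
    # slip past naive signatures, so a non-standard header is itself a flag.
    header_ok = data.startswith(b"{\\rtf1")

    urls = set(u.decode("ascii", "replace") for u in URL_BYTES_RE.findall(data))
    objdata_blobs = 0
    for match in OBJDATA_RE.finditer(data):
        hex_text = re.sub(rb"\s", b"", match.group(1)).decode("ascii")
        try:
            blob = bytes.fromhex(hex_text)
        except ValueError:
            continue
        objdata_blobs += 1
        urls.update(_urls_in_blob(blob))

    script_markers = [m.decode() for m in SCRIPT_MARKERS if m in lowered]
    last_brace = data.rfind(b"}")
    trailing_bytes = len(data) - last_brace - 1 if last_brace >= 0 else len(data)

    return {
        "header_ok": header_ok,
        "urls": sorted(urls),
        "objdata_blobs": objdata_blobs,
        "script_markers": script_markers,
        "trailing_bytes": trailing_bytes,
        # A remote URL plus script-host content in one RTF is the chain this
        # campaign used; a bad header is suspicious on its own.
        "suspicious": (bool(urls) and bool(script_markers)) or not header_ok,
    }


if __name__ == "__main__":
    for key, value in triage_rtf(SAMPLE_RTF.encode()).items():
        print(f"{key}: {value}")
```

Run it on a real attachment with `triage_rtf(open(path, "rb").read())`. It is a first-pass check rather than an RTF parser: for full OLE object extraction use a dedicated tool such as rtfobj from oletools, and treat any URL it surfaces as a detonation candidate, not as something to browse to.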

Potentially CarbonSpider at Work?

Researchers are unsure who is behind the campaign, but they noted that its lure resembles one used previously by the threat group CarbonSpider, which has targeted Russian financial institutions in the past.

A previous CarbonSpider campaign also used an email template claiming to be from the Federal Service for Supervision of Communications, Information Technology and Mass Communications as a lure, according to the post. In that campaign, the threat actor deployed a PowerShell-based remote-access trojan (RAT) delivered through a PowerShell script obfuscated with a combination of Base64 encoding and custom obfuscation.

Once unpacked, the RAT could move the attack to its next stage by executing a variety of payloads, including JavaScript, PowerShell scripts, executables or DLLs.

“This RAT starts its activity by setting up some configurations which include the [command-and-control, or C2] URL, intervals, debug mode and a parameter named group that is initialized with ‘Madagascar,’ which probably is the alias of the threat actor,” Jazi wrote.
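As an added example, not CarbonSpider's script or Malwarebytes' analysis code, the following Python strips the Base64 layers off a PowerShell launcher of the kind described and recovers the configuration values (C2 URL, interval, debug flag, group) from the innermost script. The launcher, the variable names and the example.invalid C2 are constructed here; the page does not describe the custom obfuscation layer, so the example assumes Base64 wrapping only and a real sample would need one more decoding step for that layer.

```python
"""Peel the Base64 layers off a PowerShell launcher and pull the RAT's
configuration out of the innermost script. Added example on constructed input,
not CarbonSpider's actual script; the campaign's custom obfuscation layer is
not described on the page, so only the Base64 wrapping is handled here."""
import base64
import re
from typing import Dict, List, Tuple

# Constructed innermost script: the config block is modelled on the fields the
# post lists (C2 URL, interval, debug mode, group). Variable names, the URL and
# the loop body are assumptions for the example.
INNER_SCRIPT = """\
$c2_url = "http://example.invalid/gate.php"
$interval = 60
$debug = 0
$group = "Madagascar"
while ($true) { Start-Sleep -Seconds $interval }
"""


def _wrap(inner: str) -> str:
    """Build a two-layer launcher the way loaders commonly do: the RAT body is
    Base64 (UTF-8) inside a stub that IEXes it, and the stub is Base64 (UTF-16LE)
    behind -EncodedCommand. Constructed for the example."""
    stub = ('$p=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String("'
            + base64.b64encode(inner.encode("utf-8")).decode() + '"));IEX $p')
    return ("powershell.exe -nop -w hidden -enc "
            + base64.b64encode(stub.encode("utf-16-le")).decode())


SAMPLE_CMDLINE = _wrap(INNER_SCRIPT)

# PowerShell accepts any unambiguous prefix of -EncodedCommand.
ENC_FLAG_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
B64_CALL_RE = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.I)
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|(\d+))")
MAX_LAYERS = 8  # guard against a blob that keeps decoding into itself


def _decode_layer(raw: bytes) -> str:
    # -EncodedCommand is always UTF-16LE; nested FromBase64String blobs are
    # usually UTF-8, so sniff for the NUL bytes that UTF-16LE ASCII text contains.
    return raw.decode("utf-16-le", "replace") if b"\x00" in raw else raw.decode("utf-8", "replace")


def peel(cmdline: str) -> List[str]:
    """Return the successive decoded scripts, outermost first."""
    layers: List[str] = []
    m = ENC_FLAG_RE.search(cmdline)
    if not m:
        return layers
    current = base64.b64decode(m.group(1)).decode("utf-16-le", "replace")
    layers.append(current)
    while len(layers) < MAX_LAYERS:
        m = B64_CALL_RE.search(current)
        if not m:
            break
        current = _decode_layer(base64.b64decode(m.group(1)))
        layers.append(current)
    return layers


def extract_config(script: str) -> Dict[str, str]:
    """Collect simple `$name = "literal"` and `$name = 123` assignments; the first
    assignment of a name wins, which is where loaders usually put their config."""
    config: Dict[str, str] = {}
    for m in ASSIGN_RE.finditer(script):
        name = m.group(1)
        value = next(g for g in m.groups()[1:] if g is not None)
        config.setdefault(name, value)
    return config


def analyze(cmdline: str) -> Tuple[List[str], Dict[str, str]]:
    layers = peel(cmdline)
    return layers, (extract_config(layers[-1]) if layers else {})


if __name__ == "__main__":
    layers, config = analyze(SAMPLE_CMDLINE)
    print(f"{len(layers)} layers; config: {config}")
```

Feed `analyze()` the command line from a process-creation event (Sysmon Event ID 1 or Windows Security Event 4688 with command-line auditing enabled) and the recovered `c2_url` goes straight into blocking and hunting; the `group` value is the kind of operator tag that lets you cluster samples across campaigns.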

Based on Malwarebytes’ observations of the domains targeted in the campaign, potential victims come from a number of regional and federal government organizations, including: the official internet portal of the authorities of the Chuvash Republic; the Russian Ministry of Internal Affairs; the Ministry of Education and Science of the Republic of Altai; the Ministry of Education of the Stavropol Territory; the Ministry of Education and Science of the Republic of North Ossetia-Alania; and the Ministry of Science and Higher Education of the Russian Federation.

