Dec 25, 2021
0 0

Attackers bypass Microsoft security patch to drop Formbook malware

Written by

Tags, , , , , , , , ,
Super secure VPN
Minimal data logging
Favorable privacy policy

Sophos Labs researchers have shared their findings over how attackers used a novel exploit to bypass a patch for a crucial vulnerability impacting the Microsoft Office file format.
Researchers revealed that the attackers took a proof-of-concept Office exploit available publicly and weaponized it to distribute Formbook malware. The malware was delivered via spam emails for around 36 hours and disappeared later.
It is worth noting that Formbook malware was initially identified in October 2017 stealing sensitive information from critical cyberinfrastructure including Aerospace, Defense Contractors, and Manufacturing sectors in South Korea and the United States.
The vulnerability was tracked as CVE-2021-40444. The patch released by Microsoft was to prevent the execution of code that downloaded the Microsoft Cabinet (CAB) archive containing a malicious executable.
The attackers somehow identified a technique to bypass this patch by embedding a Word document in a specially designed RAR archive. The archives were included in a spam email campaign, which lasted for about 36 hours between 24 and 25 October 2021, indicating that the attack was merely a dry-run experiment.

“The attachments represent an escalation of the attacker’s abuse of the -40444 bug and demonstrate that even a patch can’t always mitigate the actions of a motivated and sufficiently skilled attacker,” researchers noted.
Attackers successfully bypass Microsoft’s patch to drop Formbook malware
For your information, CVE-2021-40444 is also classified as an MSHTML vulnerability that has been exploited throughout this year. In September and November 2021, it was reported that the vulnerability was used in attacks on the Russian Ministry of Interior and State Rocket Center.
In November, it was reported that the vulnerability was exploited to steal login credentials of Gmail and Instagram users through phishing attacks.
According to Sophos Lab researchers, threat actors associated with this campaign used a PowerShell script to prepend the infected Word file inside the archive. When the victim opened the archive for accessing the documents, this script got executed, leading to the deployment of Formbook malware.

The attack was successful since the patch’s scope was relatively narrow and also because of how the WinRAR manages files having the right magic bytes regardless of the location of these bytes.
 “In theory, this attack approach shouldn’t have worked, but it did,” Sophos principal threat researcher Andrew Brandt stated.
Did you enjoy reading this article? Like our page on Facebook and follow us on Twitter.

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Get the best stories straight into your inbox!

Don’t worry, we don’t spam
 App Store Google News
HACKREAD is a News Platform that centers on InfoSec, Cyber Crime, Privacy, Surveillance and Hacking News with full-scale reviews on Social Media Platforms & Technology trends. Founded in 2011, HackRead is based in the United Kingdom. is among the registered trademarks of Gray Dot Media Group Ltd. Company registration number 12903776 in regulation with the United Kingdom Companies House. The registered address is 85 Great Portland Street, London, England, W1W 7LT
The display of third-party trademarks and trade names on the site do not necessarily indicate any affiliation or endorsement of If you click an affiliate link and buy a product or service, we may be paid a fee by that merchant.


Article Categories:

Comments are closed.