A newly identified threat, Trojan.W97M.CVE202140444.A, exploits a critical Microsoft Office vulnerability (CVE-2021-40444) to execute remote code through weaponized documents. While current distribution remains limited, its high-impact potential makes it a significant concern for enterprise security teams. The malware typically arrives as a file dropped by other malware or downloaded from compromised websites, leveraging social engineering to trick users into enabling malicious content.
Technical Analysis of the Attack Vector
The Trojan embeds malicious code within Office documents that reference external HTML resources. When opened, these documents trigger the MSHTML vulnerability (CVE-2021-40444) to download and execute payloads without user awareness. The attack chain demonstrates sophisticated use of living-off-the-land techniques, utilizing legitimate Windows components for malicious purposes.
Key technical characteristics include:
- Obfuscated JavaScript in the referenced HTML that retrieves a CAB archive containing the payload
- A DLL extracted from the CAB under a system-looking file name (e.g., championship.inf)
- Execution of that extracted file via carefully crafted path traversal during CAB extraction
Payload Delivery and Post-Exploitation
Successful exploitation leads to deployment of Cobalt Strike beacons, providing attackers with persistent access to compromised systems. The payload exhibits several concerning behaviors:
- Establishes command and control (C2) channels to attacker-controlled servers
- Utilizes process injection techniques to evade detection
- Implements network stealth mechanisms including DNS over HTTPS (DoH)
Detection and Mitigation Strategies
Security teams should implement multiple layers of defense against this threat:
- Apply Microsoft’s patch for CVE-2021-40444 immediately
- Configure Office applications to enforce Protected View for internet-downloaded files
- Implement application allowlisting to prevent unauthorized executables
- Monitor for suspicious Office document behaviors (external HTTP requests on open, unusually large or externally targeted XML relationship entries)
Indicators of Compromise
SHA-256 Hash | File Type | Detection Name |
---|---|---|
1fb13a158aff3d258b8f62fe211fabeed03f0763b2acadbccad9e8e39969ea00 | CAB | Trojan.Win64.COBEACON.SUZ |
6eedf45cb91f6762de4e35e36bcb03e5ad60ce9ac5a08caeb7eda035cd74762b | DLL | Backdoor.Win64.COBEACON.OSLJAU |
Network Indicators:
- hxxp://hidusi[.]com/e8c76295a5f9acb7/ministry[.]cab
- hxxps://joxinu[.]com/hr[.]html
Security Recommendations
Organizations should prioritize these defensive measures:
- Conduct user awareness training about document-based threats
- Implement email filtering for malicious attachments
- Deploy endpoint detection capable of identifying post-exploitation activity
- Maintain rigorous patch management processes