Hackers Using MSHTML 0-Days Exploit To Deploy Cobalt Strike Beacon On Windows

Microsoft announced a targeted phishing campaign that they have detected recently, and this campaign is exploiting MSHTML 0-Days exploit to deploy Cobalt Strike Beacon on Windows.

But, right now at this moment, they have already patched the zero-day vulnerability in the MSHTML platform. In this campaign, the threat actors used especially configured Office documents to expand the Cobalt Strike Beacon to negotiated Windows devices.

The Microsoft Threat Intelligence Center claimed that the threat actors have exploited the “CVE-2021-40444” vulnerability to obtain initial access to networks and to expand custom Cobalt Strike Beacon loaders.

  • CVE: CVE-2021-40444
  • Summary: MSHTML Remote Code Execution Vulnerability
  • CVSS score: 8.8
  • Released: Sep 7, 2021
  • Last updated: Sep 14, 2021

Exploit Delivery Mechanism

After investigating the whole campaign it was identified that the very first campaigns in August 2021 reasonable started from emails representing contracts and different legal agreements.

However, in this kind of agreement, the documents themselves were hosted on file-sharing sites. Apart from this, the exploit document has used an external oleObject relationship with the motive of embedding the exploitative JavaScript within MIME HTML.

These are the remotely hosted content that appears in the following files:-

(1) In the download of a CAB file including a DLL bearing an INF file extension

(2) As well as in the decompression of that CAB file

(3) In the performance of a function within that DLL

DEV-0365 Exploiting CVE-2021-40444

Microsoft is trying to track the cybercriminal, however, the unidentified threat actor works as a “development group” that utilizes a threat actor identifying edifice with a prefix of “DEV.”

It designates an emerging threat group or anomalous activity through the tracking and investigation stages before MSTIC gets high confidence regarding the origin or identity of the threat actor those are behind this operation.

But, the MSTIC tries its best and found a massive cluster of cybercriminal ventures that are involving with the Cobalt Strike infrastructure under the name “DEV-0365.”

Possible detection names

Here’s the list of possible detection names mentioned below:-

  • HEUR:Exploit.MSOffice.CVE-2021-40444.a
  • HEUR:Trojan.MSOffice.Agent.gen
  • PDM:Exploit.Win32.Generic

Also, Kaspersky researchers uncovered several attempts to exploit the CVE-2021-40444 vulnerability targeting companies in the research and development sector, the energy sector and large industrial sectors, banking, and medical technology development sectors, as well as telecommunications and the IT sector.” Kaspersky report says.

Timeline of vulnerability usage 

After knowing some of the key details, MSTIC directly involved the Microsoft Security Response Center and all together they have started to find some mitigation and patch for this campaign. 

While they have also communicated with the actual finder at Mandiant with the motive to reduce the discussion of the issue openly and to avoid drawing threat actor awareness to the issues until and unless they patch the threat.

However, Mandiant partnered with MSTIC and did their own reverse-engineering evaluation, and offered their findings to MSRC. And Microsoft has also released a security advisory for CVE-2021-40444 On September 7, 2021, containing a partial workaround.


Here are some mitigation and recommendations for this attack, that we have mentioned below:- ​

  • Always operates the latest version of your operating systems and applications.
  • Always utilize a supported platform, like Windows 10, to enjoy regular security updates. 
  • Turn on tamper protection in Microsoft Defender for Endpoint, as it will stop malicious modifications to security settings.
  • Facilitate investigation and remediation in full automated mode to enable Microsoft Defender for Endpoint.
  • Always use device discovery to improve your visibility into your network by obtaining unmanaged devices on your network.

There are some infrastructures that have been used by DEV-0413 to host malicious artifacts that have also been involved in the delivery of BazaLoader and Trickbot malware. That’s why every organization should carefully use mitigation, as it will surely help them to bypass such unwanted attacks.

Follow us on LinkedinTwitterFacebook for daily Cybersecurity News & Updates

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.