Russian missile fuel maker targeted with recent Office zero-day

Russian organizations, including a major defense contractor, have been targeted in a suspected cyber-espionage operation that is abusing a recently disclosed Office zero-day.

Security firm Malwarebytes, which first spotted some of the attacks, identified one of the targets as JSC GREC Makeyev, a known developer of liquid and solid fuel for Russia's ballistic missiles and space rocket program.

This looks like an #APT attack that is targeting "JSC Makeyev Design Bureau". (A Russian missile design company)
The #maldoc exploits CVE-2021-40444 to drop a tiny DLL downloader.
The final payload is packed using Themida and uses several anti-analysis techniques.
(Thread 1/3) pic.twitter.com/E1mF5hyENV

— Jazi (@h2jazi) September 16, 2021

The attacks were a classic spear-phishing campaign that sent boobytrapped Office documents to the organization's employees.

The documents, claiming to be Word files from the company's HR department, contained an exploit for CVE-2021-40444, a vulnerability in the old Internet Explorer MHTML component that can be exploited via Office files to run malicious code on unpatched Windows systems and install malware.

"The email asks employees to please fill out the form and send it to HR, or reply to the mail. When the receiver wants to fill out the form they will have to enable editing. And that action is enough to trigger the exploit," Malwarebytes researchers explained today.

"The attack depends on MSHTML loading a specially crafted ActiveX control when the target opens a malicious Office document. The loaded ActiveX control can then run arbitrary code to infect the system with more malware."

Identity of the attackers still unknown

Other Office documents containing the same exploit were also spotted, this time posing as fines for "illegal activity," issued by Russia's Ministry of the Interior.

Malwarebytes said it was unable to link these documents to specific targets and that it is still investigating the identity of the group or groups behind the attacks leveraging the CVE-2021-40444 exploit.

"Given the targets, especially the first one, we suspect that there may be a state-sponsored actor behind these attacks," the company said today.

Malwarebytes noted that attacks against Russian organizations are generally rare, which the company isn't wrong about.

In May 2021, in a rare report, the FSB said that foreign "cyber mercenaries" had breached several Russian government agencies. Those attacks were later tied to Chinese cyber-espionage groups by security firms like SentinelOne and Group-IB.

Microsoft patched CVE-2021-40444 on September 14, during the September 2021 Patch Tuesday.

Attacks abusing this former zero-day have also targeted Russian telcos, and, according to RiskIQ, an individual associated with the Ryuk/Conti ransomware gang has also started experimenting with this vector.