Ransomware Operators Target Developers via Microsoft Vulnerability

According to research published by Microsoft, a new threat actor has been attacking developers by exploiting a vulnerability in MSHTML, tracked as CVE-2021-40444, which has since been patched. Developers who are familiar with or use MSHTML should ensure that the patch has been installed. Microsoft explains that an attacker could “craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine.

The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”

To gain initial access to victims, the attacker made use of Cobalt Strike beacons. Cobalt Strike is a popular penetration testing tool that has been readily adopted and customized by threat actors, to the point of being a malicious threat in its own right.


The beacons then communicate with infrastructure used by several threat actors, including ransomware operators. In describing the observed attack, researchers noted,

“The observed attack vector relies on a malicious ActiveX control that could be loaded by the browser rendering engine using a malicious Office document. Customers who enabled attack surface reduction rules to block Office from creating child processes are not impacted by the exploitation technique used in these attacks. While these attacks used a vulnerability to access entry point devices and run highly-privileged code, the secondary actions taken by the attackers still rely on stealing credentials and moving laterally to cause organization-wide impact. This illustrates the importance of investing in attack surface reduction, credential hygiene, and lateral movement mitigations. Customers are advised to apply the security patch for CVE-2021-40444 to fully mitigate this vulnerability.”

Researchers believe that the attacks witnessed in August began with emails impersonating contracts and legal agreements. Documents were hosted on third-party filesharing applications, including the malicious document designed to exploit the above-mentioned vulnerability.

The malicious document itself contains an external oleObject relationship used to embed exploitative JavaScript within remotely hosted MIME HTML content. The document then retrieves shellcode remotely and loads it into wabmig.exe (the Microsoft address import tool).
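The external oleObject relationship described above lives in the document's OOXML relationship parts, so a defender can triage a suspicious .docx without opening it in Office: unzip the container and look for oleObject relationships whose TargetMode is External (a legitimately embedded OLE object points at a part inside the package). The script below is an added example for this article, not code from Microsoft or from the attack; the two relationship files it scans are constructed fixtures, and the `example.invalid` URL is a placeholder, not an indicator from the campaign.

```python
"""Triage check: flag external oleObject relationships in a .docx container.

Added example (not from the original article). The .docx samples are constructed
in memory so the check runs offline; no real document or URL is involved.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
)
# Schemes that mean the OLE object is fetched from outside the package.
REMOTE_SCHEMES = ("mhtml:", "http:", "https:")

# Minimal package parts so zipfile produces a structurally plausible .docx.
CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
    '<Default Extension="xml" ContentType="application/xml"/>'
    "</Types>"
)
DOCUMENT_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
    "<w:body/></w:document>"
)

# Constructed fixture: an OLE object embedded inside the package (benign shape).
BENIGN_RELS = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    f'<Relationships xmlns="{RELS_NS}">'
    f'<Relationship Id="rId5" Type="{OLE_REL_TYPE}" Target="embeddings/oleObject1.bin"/>'
    "</Relationships>"
)
# Constructed fixture: the OLE object is fetched from a remote MHTML resource.
SUSPICIOUS_RELS = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    f'<Relationships xmlns="{RELS_NS}">'
    f'<Relationship Id="rId6" Type="{OLE_REL_TYPE}" '
    'Target="mhtml:http://example.invalid/placeholder.html" TargetMode="External"/>'
    "</Relationships>"
)


def build_sample_docx(rels_xml):
    """Assemble a minimal .docx (a zip) around the given document.xml.rels part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", CONTENT_TYPES)
        zf.writestr("word/document.xml", DOCUMENT_XML)
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


def is_remote_target(target):
    """True when the relationship target is fetched over the network."""
    return target.lower().startswith(REMOTE_SCHEMES)


def find_external_ole_relationships(docx_bytes):
    """Return (rels_part, rel_id, target, remote) for each external oleObject rel.

    Every *.rels part in the package is scanned, so relationships attached to
    headers, footers or other parts are covered, not just the main document.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for part in zf.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(part))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("Type") != OLE_REL_TYPE:
                    continue
                if rel.get("TargetMode") != "External":
                    continue  # embedded object, lives inside the package
                target = rel.get("Target", "")
                findings.append((part, rel.get("Id"), target, is_remote_target(target)))
    return findings


if __name__ == "__main__":
    for label, rels in (("benign", BENIGN_RELS), ("suspicious", SUSPICIOUS_RELS)):
        print(label, find_external_ole_relationships(build_sample_docx(rels)))
```

Run against a real sample by passing the file's bytes to `find_external_ole_relationships`; any hit with `remote` set to True is worth detonating in a sandbox rather than opening, and the relationship id tells you which `<o:OLEObject>` element in document.xml references it.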

Typically, when content is downloaded from an external source, Windows marks the download. The mark is used to determine whether the download came from a trusted or an untrusted service. If the download is determined to come from an untrusted source, the operating system warns the user and requires the user to disable Protected Mode in Office applications before the content is active.

This can be seen when users are asked to enable macros, a practice security researchers advise against because attackers exploit it. The attack observed by Microsoft researchers differs in that the document opened without a web mark and the payload executed immediately. This showed researchers that the vulnerability was used to gain access to the victim’s machine.
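The web mark referred to above is stored on NTFS as an alternate data stream named Zone.Identifier, an INI-style text block whose ZoneId field records the URL security zone the file came from. The following triage helper, an added example rather than code from the article or from Microsoft, parses that stream and reports whether Office would be expected to open the file in Protected View; it assumes Office's default Protected View policy (Internet and Restricted Sites zones) and uses constructed sample streams with placeholder `example.invalid` URLs. Reading the stream itself only works on Windows, so that part is guarded.

```python
"""Mark-of-the-Web triage: interpret a file's Zone.Identifier stream.

Added example (not from the original article). Sample streams are constructed;
the Protected View decision assumes Office's default policy.
"""
import os

# URL security zone ids as recorded in Zone.Identifier.
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}
# Assumption: default Office policy opens files from these zones in Protected View.
PROTECTED_VIEW_ZONES = {3, 4}

# Constructed sample: what a browser download from the Internet zone looks like.
INTERNET_SAMPLE = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/\r\n"
    "HostUrl=https://example.invalid/files/contract.docx\r\n"
)
# Constructed sample: a file copied from an intranet share.
INTRANET_SAMPLE = "[ZoneTransfer]\r\nZoneId=1\r\n"


def parse_zone_identifier(text):
    """Parse the INI-style stream; only keys under [ZoneTransfer] are returned."""
    fields = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def assess(stream_text):
    """Return (zone_id, description, protected_view_expected).

    stream_text is None when the file carries no mark at all. That is exactly
    the condition the article describes for the CVE-2021-40444 documents, and
    for a file that arrived by download it is itself a triage signal.
    """
    if stream_text is None:
        return (None, "no mark: not downloaded, or mark stripped", False)
    fields = parse_zone_identifier(stream_text)
    try:
        zone_id = int(fields.get("ZoneId", ""))
    except ValueError:
        return (None, "malformed Zone.Identifier stream", False)
    name = ZONE_NAMES.get(zone_id, "unknown zone")
    return (zone_id, name, zone_id in PROTECTED_VIEW_ZONES)


def read_zone_identifier(path):
    """Read the Zone.Identifier alternate data stream (Windows/NTFS only)."""
    if os.name != "nt":
        return None  # alternate data streams are not exposed on other platforms
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return None  # no stream: the file is not marked


if __name__ == "__main__":
    for label, sample in (("internet", INTERNET_SAMPLE), ("intranet", INTRANET_SAMPLE), ("unmarked", None)):
        print(label, assess(sample))
```

On a Windows host, `assess(read_zone_identifier(path))` gives the verdict for a real file; a document that a user says was received by email or downloaded from a file-sharing site, yet shows no mark, deserves the same scrutiny as one that does.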


Microsoft tracks unidentified threat actors as “development groups” and, for ease of identification, gives each such group a DEV designation followed by a number. The attacker seen in these attacks is believed to be a new, unidentified threat actor. Separately, researchers track a large cluster of Cobalt Strike-related activity as DEV-0365.

This can be slightly confusing, as the threat actor in this instance is tracked as DEV-0413 but made use of the Cobalt Strike infrastructure tracked by Microsoft as DEV-0365. The attacker’s actions were distinct enough to be identified as a separate threat, and Microsoft researchers, attempting to reduce confusion, explain,

“The infrastructure we associate with DEV-0365 has several overlaps in behavior and unique identifying characteristics of Cobalt Strike infrastructure that suggest it was created or managed by a distinct set of operators. However, the follow-on activity from this infrastructure indicates multiple threat actors or clusters associated with human-operated ransomware attacks (including the deployment of Conti ransomware). One explanation is that DEV-0365 is involved in a form of command-and-control infrastructure as a service for cybercriminals…Additionally, some of the infrastructure that hosted the oleObjects utilized in the August 2021 attacks abusing CVE-2021-40444 were also involved in the delivery of BazaLoader and Trickbot payloads — activity that overlaps with a group Microsoft tracks as DEV-0193. DEV-0193 activities overlap with actions tracked by Mandiant as UNC1878.”

The DEV-0413 campaign was identified through its use of CVE-2021-40444 rather than Cobalt Strike. This campaign was determined to be far smaller and more targeted than campaigns that typically leverage Cobalt Strike, with the earliest activity of DEV-0413 being seen on August 18. The attacker specifically targeted app developers with email lures pretending to be requests to hire developers for a mobile app.

One victim of DEV-0413 had previously been compromised by a wave of similarly themed malware that interacted with DEV-0365 infrastructure almost two months before the CVE-2021-40444 attack. It is currently not known whether the retargeting of this organization was intentional, but it reinforces the connection between DEV-0413 and DEV-0365 beyond the sharing of infrastructure.

It was also noted that in another instance the attacker used a fake small claims court document designed as a threat, so the attacker was not solely reliant on targeting developers.

The attacker behind the DEV-0413 campaigns is believed to be an individual; however, follow-on activity suggests that the individual has connections to other threat groups, as the Conti ransomware strain was seen being delivered in one instance. Researchers also noted that there are questions as to the attacker’s experience, saying,

“It is worth highlighting that while monitoring the DEV-0413 campaign, Microsoft identified active DEV-0413 infrastructure hosting CVE-2021-40444 content wherein basic security principles had not been applied. DEV-0413 did not limit the browser agents able to access the server to their malware implant or known targets, thereby permitting directory listing for their web server. In doing so, the attackers exposed their exploit to anyone who might have gained interest based on public social media discussion.”

The Good News

Fortunately, this week was not all bad news for the InfoSec community. Bitdefender has released a free universal decryptor for Sodinokibi. The decryptor will work for those who fell victim to the infamous ransomware gang before July 13, and it can be downloaded directly from Bitdefender.

For some, the July 13 date might seem a little arbitrary, but on that date much of the ransomware gang’s infrastructure mysteriously went offline. Some assumed law enforcement was involved, while others believed that, after several high-profile attacks, the gang took the infrastructure offline until the legal heat had subsided.

One of the downsides of this was that it left several victims with no way of retrieving encrypted data even though they had paid the ransom. This decryptor will now help those victims restore their data.

There is some bad news, however: as reported by this publication, Sodinokibi appears to be back online. Bitdefender has warned of imminent attacks by the gang, and enterprises should look to harden their networks against intrusion.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has over five years of experience working in this field. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about the technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.
