The patch was issued for CVE-2021-40444 to prevent the execution of code that downloaded the Microsoft Cabinet (CAB) archive containing a malicious executable.
Sophos Labs researchers have shared their findings over how attackers used a novel exploit to bypass a patch for a crucial vulnerability impacting the Microsoft Office file format.
Researchers revealed that the attackers took a proof-of-concept Office exploit available publicly and weaponized it to distribute Formbook malware. The malware was delivered via spam emails for around 36 hours and disappeared later.
It is worth noting that Formbook malware was initially identified in October 2017 stealing sensitive information from critical cyberinfrastructure including Aerospace, Defense Contractors, and Manufacturing sectors in South Korea and the United States.
A Dry Run Experiment?
The vulnerability was tracked as CVE-2021-40444. The patch released by Microsoft was to prevent the execution of code that downloaded the Microsoft Cabinet (CAB) archive containing a malicious executable.
The attackers somehow identified a technique to bypass this patch by embedding a Word document in a specially designed RAR archive. The archives were included in a spam email campaign, which lasted for about 36 hours between 24 and 25 October 2021, indicating that the attack