2021’s 0-Day MSHTML: Let's Defend Lab
CVE-2021–40444 Lab
Hello, budding blue teamers. Welcome to this latest blog entry, where I will be wading deep into the 'Malware Analysis' path on Let's Defend and attempting to solve the 2021's 0-Day MSHTML lab.
Challenge credits go to Bohan Zhang; the malware samples were provided by MalwareBazaar.
Let's analyze some malware!
NOTE: Always remember to investigate Let's Defend challenges inside an isolated VM, never on your host machine.
We are given a 'Challenge' file to analyze. Proceed to download the file
Unzip the file, with password: infected
Upon unzipping, we get a directory called 'Challenge_FIles' containing 4 files.
Q) Examining the Employees_Contact_Audit_Oct_2021.docx file, what is the malicious IP in the docx file?
Targeting the 'Employees_Contact_Audit_Oct_2021.docx' file, let's run a strings search over it
Command — strings Employees_Contact_Audit_Oct_2021.docx
No IPs show up in the resulting output. That is expected: a .docx is a ZIP container and its XML parts are deflate-compressed, so strings on the package itself rarely exposes the URLs inside (the external reference lives in word/_rels/document.xml.rels once the package is unzipped). The next resort is the Hybrid-Analysis sandbox.
After uploading the file to be analyzed, we can see its malicious level on test sandboxes
Scrolling down, we proceed to check extracted strings from the file
We can see an IP mentioned here — 175.24.190.249
Scrolling up, we can see the connection traffic from this IP
Since this is the only IP extracted from the malware file, coupled with its suspicious traffic traces, we can confirm this as the answer
A) 175.24.190.249
Q) Examining the Employee_W2_Form.docx file, what is the malicious domain in the docx file?
Running strings over this file did not reveal the malicious domain we needed either.
Uploading this file onto Hybrid-Analysis, we get to see its malicious level
Now observing extracted strings from this file
A domain named arsenal.30cm.tw is found, and it fits the answer format.
A) arsenal.30cm.tw
Q) Examining the Work_From_Home_Survey.doc file, what is the malicious domain in the doc file?
Running the Work_From_Home_Survey.doc file on Hybrid-Analysis
The severity of malicious content is shown below
Reading through the metadata of the file, we can see that the file supposedly contacts a domain
Clicking on ‘View all details’
A domain named 'trendparlye.com' pops up here. Opening AlienVault's assessment of this domain gives us the following information:
This confirms that the domain is flagged as malicious.
A) trendparlye.com
Q) Examining the income_tax_and_benefit_return_2021.docx, what is the malicious domain in the docx file?
We proceed to run the income_tax_and_benefit_return_2021.docx file on the Hybrid-Analysis tool
The file's malicious severity can be observed below:
Looking at the extracted strings section, this file also contacts an external domain.
Let's check that domain out: 'hidusi.com'
Looking up the domain on AlienVault
A) hidusi.com
Q) What is the vulnerability the above files exploited?
Throughout the analysis of each suspicious file, I had been collecting their file hashes, which are listed below. Note that these digests are 40 hex characters long, which is the length of a SHA-1, not a SHA-256 (a SHA-256 digest is 64 hex characters):
(Employees_Contact_Audit_Oct_2021.docx)
SHA-1 Hash — 8aaa79ee4a81d02e1023a03aee62a47162a9ff04
(Employee_W2_Form.docx)
SHA-1 Hash — 00087e46ec0ef6225de59868fd016bd9dd77fa3c
(income_tax_and_benefit_return_2021.docx)
SHA-1 Hash — 9bec2182cc5b41fe8783bb7ab6e577bac5c19f04
(Work_From_Home_Survey.doc)
SHA-1 Hash — 4b35d14a2eab2b3a7e0b40b71955cdd36e06b4b9
Running any of these hashes through VirusTotal and checking the 'Community' section tells us that we are dealing with CVE-2021-40444, the MSHTML remote code execution vulnerability (if it was not already obvious from the title of this challenge!). Either hash length works for a VirusTotal lookup, since it indexes samples by MD5, SHA-1 and SHA-256.
Let’s take the help of the hint, to find the answer format
A) CVE-2021-40444
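For the three .docx files above, the network indicator can be pulled out offline without a sandbox, and the hash-length point from the previous question can be checked at the same time. The script below is an added example and is not part of the lab or the original write-up. It builds a constructed minimal .docx in memory whose relationship part carries an external oleObject target of the shape CVE-2021-40444 maldocs use (an mhtml: wrapper around an http URL followed by an x-usc: redirect), walks every .rels part in the package for TargetMode="External" relationships, extracts the hosts from each target, and prints the SHA-1 and SHA-256 of the package so the 40- versus 64-character lengths are visible side by side. The host example.test is a placeholder, not an indicator from the challenge.

```python
import hashlib
import io
import re
import zipfile
from xml.etree import ElementTree as ET

# Namespace used by every .rels part inside an Office Open XML package.
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

# Constructed sample relationship part (not from the challenge files).
# The oleObject target mimics the CVE-2021-40444 layout: an mhtml: wrapper
# around an http URL, then an x-usc: redirect to the same URL. The host
# example.test is a placeholder, not a real indicator.
SAMPLE_RELS = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="mhtml:http://example.test/word.html!x-usc:http://example.test/word.html" TargetMode="External"/>
</Relationships>
"""


def build_sample_docx() -> bytes:
    """Assemble a minimal .docx (a ZIP) in memory around the constructed .rels part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", SAMPLE_RELS)
    return buf.getvalue()


def external_targets(docx_bytes: bytes) -> list[str]:
    """Return the Target of every TargetMode="External" relationship in the package.

    This is why `strings` on the raw .docx finds nothing: the parts are
    deflate-compressed, so they have to be unzipped before they can be read.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode") == "External":
                    found.append(rel.get("Target"))
    return found


# A host is whatever follows http(s):// up to a path separator, the mhtml "!"
# delimiter, whitespace or a quote.
URL_RE = re.compile(r"https?://([^/!\s\"']+)")


def hosts_from_target(target: str) -> list[str]:
    """Extract every host (IP or domain) from a possibly mhtml:/x-usc:-wrapped target, deduplicated in order."""
    hosts = []
    for host in URL_RE.findall(target):
        if host not in hosts:
            hosts.append(host)
    return hosts


def hashes(data: bytes) -> dict[str, str]:
    """SHA-1 and SHA-256 of the same bytes: 40 and 64 hex characters respectively."""
    return {
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


if __name__ == "__main__":
    sample = build_sample_docx()
    for target in external_targets(sample):
        print("external target:", target)
        print("  hosts:", hosts_from_target(target))
    for algo, digest in hashes(sample).items():
        print(f"{algo}: {digest} ({len(digest)} hex chars)")
```

To reproduce the lookups on the lab files, pass the bytes of a real sample to external_targets() and feed the returned hosts to AlienVault or VirusTotal. Work_From_Home_Survey.doc is a legacy OLE2 binary rather than a ZIP, so this script will not open it; oletools (olevba, oleobj) is the usual offline route for that format.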
Looking up real-world malware samples made me enjoy the time spent practicing this room. This will be an almost daily occurrence when I eventually step into the shoes of a SOC Analyst, which I aspire to be.
Thank you for devouring this blog entry and stay tuned as I try to close down more SOC alerts……
My audience has a voice. Feel free to reach out to me, on my socials (links are on top of this page) for any queries to be addressed. Dropping a sweet message would make my day