Attackers bypass Microsoft security patch to drop Formbook malware

The patch was issued to prevent the execution of code that downloaded the Microsoft Cabinet archive containing a malicious executable.
Attackers successfully bypass Microsoft’s patch to drop Formbook malware

The patch was issued for CVE-2021-40444 to prevent the execution of code that downloaded the Microsoft Cabinet (CAB) archive containing a malicious executable.




Sophos Labs researchers have shared their findings over how attackers used a novel exploit to bypass a patch for a crucial vulnerability impacting the Microsoft Office file format.

Researchers revealed that the attackers took a proof-of-concept Office exploit available publicly and weaponized it to distribute Formbook malware. The malware was delivered via spam emails for around 36 hours and disappeared later.

It is worth noting that Formbook malware was initially identified in October 2017 stealing sensitive information from critical cyberinfrastructure including Aerospace, Defense Contractors, and Manufacturing sectors in South Korea and the United States.

A Dry Run Experiment?

The vulnerability was tracked as CVE-2021-40444. The patch released by Microsoft was to prevent the execution of code that downloaded the Microsoft Cabinet (CAB) archive containing a malicious executable.

The attackers somehow identified a technique to bypass this patch by embedding a Word document in a specially designed RAR archive. The archives were included in a spam email campaign, which lasted for about 36 hours between 24 and 25 October 2021, indicating that the attack was merely a dry-run experiment.




“The attachments represent an escalation of the attacker’s abuse of the -40444 bug and demonstrate that even a patch can’t always mitigate the actions of a motivated and sufficiently skilled attacker,” researchers noted.

Attackers successfully bypass Microsoft’s patch to drop Formbook malware

For your information, CVE-2021-40444 is also classified as an MSHTML vulnerability that has been exploited throughout this year. In September and November 2021, it was reported that the vulnerability was used in attacks on the Russian Ministry of Interior and State Rocket Center.

In November, it was reported that the vulnerability was exploited to steal login credentials of Gmail and Instagram users through phishing attacks.

PowerShell Script used to Prepend the Word Document

According to Sophos Lab researchers, threat actors associated with this campaign used a PowerShell script to prepend the infected Word file inside the archive. When the victim opened the archive for accessing the documents, this script got executed, leading to the deployment of Formbook malware.




The attack was successful since the patch’s scope was relatively narrow and also because of how the WinRAR manages files having the right magic bytes regardless of the location of these bytes.

 “In theory, this attack approach shouldn’t have worked, but it did,” Sophos principal threat researcher Andrew Brandt stated.

Did you enjoy reading this article? Like our page on Facebook and follow us on Twitter.

Related Posts