
CVE-2021-40444: Similar Techniques Observed + New IoC’s – Oct 15, 2021

Introduction

On October 14th, the SOC at iSecurity observed an active threat in which beacon traffic was attempting to reach C2 servers at the IP addresses listed below. These IPs have recently been identified on threat lists for facilitating Qakbot and other forms of botnet activity (see references).

Upon further investigation into the initial compromise, the SOC observed AV logs indicating that the attackers in this instance may have gained initial entry using techniques similar to those profiled in the recently discovered zero-day vulnerability CVE-2021-40444. In this case, it appears that the threat actors employed JavaScript downloaders to evade detection tools while delivering the malware payload via HTA (HTML application) files, which deploy the malware as soon as the attachment or archive file containing them is opened. As an uncommon file type, malicious HTA files are less likely to be spotted by detection tools.

Actions

IoCs:

  • 24[.]231[.]209[.]2[:]2222
  • 69[.]30[.]186[.]190[:]443
  • 23[.]111[.]114[.]52
  • Suspected file found: lip[1].htm
    • Unknown Hash SHA1: 79D142EB9B6522193605547747C8636EF8D8C589

It is recommended that block actions be enabled for these IoCs. Any indicators of traffic to or from these hosts, or indicators of the presence of the specified file or hash, should be cause for further investigation. Also, please find below a copy of the original iSecurity bulletin detailing the CVE-2021-40444 zero-day vulnerability and its workarounds, which was sent out on September 14th.
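As an added example (not part of the iSecurity bulletin), the following PowerShell refangs the indicators above and sweeps log lines for them; the log lines are constructed samples, and the port matching is a heuristic that treats a bare IP as matching any port:

```powershell
# Added example, not from the bulletin: refang the IoCs listed above and sweep
# log lines for them. The sample log lines below are constructed.
$defangedIocs = @('24[.]231[.]209[.]2[:]2222', '69[.]30[.]186[.]190[:]443', '23[.]111[.]114[.]52')
$suspectSha1  = '79D142EB9B6522193605547747C8636EF8D8C589'

function ConvertFrom-Defanged {
    param([string]$Indicator)
    # The bulletin defangs with brackets: "[.]" -> ".", "[:]" -> ":"
    $Indicator.Replace('[.]', '.').Replace('[:]', ':')
}

function Find-IocHits {
    param([string[]]$Lines, [string[]]$Iocs, [string]$Sha1)
    foreach ($line in $Lines) {
        foreach ($ioc in $Iocs) {
            $ip, $port = (ConvertFrom-Defanged $ioc).Split(':')
            # Whole-token match so 23.111.114.52 does not also hit 123.111.114.52
            $ipHit = $line -match ('(?<![\d.])' + [regex]::Escape($ip) + '(?![\d.])')
            # An IP:port indicator additionally requires that port as a whole number
            # somewhere on the line (heuristic: covers "ip:port" and "dpt=port" formats)
            $portHit = (-not $port) -or ($line -match ('(?<!\d)' + $port + '(?!\d)'))
            if ($ipHit -and $portHit) {
                [pscustomobject]@{ Indicator = $ioc; Line = $line }
            }
        }
        if ($line -match $Sha1) {   # -match is case-insensitive, so lowercase hashes hit too
            [pscustomobject]@{ Indicator = 'SHA1 ' + $Sha1; Line = $line }
        }
    }
}

# Constructed sample lines: a firewall log, a proxy log, an AV log and a near-miss
$sampleLines = @(
    '2021-10-14T09:12:01Z fw01 src=10.20.5.17 dst=24.231.209.2 dpt=2222 action=allow',
    '2021-10-14T09:12:44Z proxy GET http://69.30.186.190:8080/index.html 200',
    '2021-10-14T09:13:10Z av host=WS-117 file=lip[1].htm sha1=79d142eb9b6522193605547747c8636ef8d8c589 action=quarantine',
    '2021-10-14T09:14:02Z fw01 src=10.20.5.9 dst=123.111.114.52 dpt=443 action=allow'
)
Find-IocHits -Lines $sampleLines -Iocs $defangedIocs -Sha1 $suspectSha1 | Format-Table -AutoSize
```

Only the first and third sample lines are reported: the proxy line uses port 8080 rather than 443, and the last line's address is a different host that merely ends in the same digits.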

Reference Links


Microsoft MSHTML Remote Code Execution Vulnerability (CVE-2021-40444)

Introduction

Microsoft has published information regarding a zero-day remote code execution vulnerability that exploits MSHTML via a crafted ActiveX control. Successful exploitation of MSHTML in this instance raises process privileges, allowing the process to covertly download malware to the compromised endpoint.

There are no patches available at this time from Microsoft, but mitigation of the vulnerability is possible by closing the vectors of attack by: 1) Disabling ActiveX; and 2) Increasing organizational vigilance for Social Engineering attacks.

Actions

Until a patch is available, it is recommended that ActiveX be disabled via Group Policy if possible. To disable ActiveX via Group Policy, complete the following:

In Group Policy settings, navigate to Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page.

For each zone, complete the following:

  • Select the zone (Internet Zone, Intranet Zone, Local Machine Zone, or Trusted Sites Zone).
  • Double-click Download signed ActiveX controls and Enable the policy. Then set the option in the policy to Disable.
  • Double-click Download unsigned ActiveX controls and Enable the policy. Then set the option in the policy to Disable.
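The same two policies can be applied and audited from PowerShell instead of the Group Policy editor. This is an added example, not part of the iSecurity bulletin or Microsoft's guidance text; it assumes the registry-backed names of these IE zone settings (value 1001 for "Download signed ActiveX controls", 1004 for "Download unsigned ActiveX controls", data 3 for Disable) and zone numbering 0 to 3 for Local Machine, Intranet, Trusted Sites and Internet:

```powershell
# Added example, not from the bulletin. Applies the two ActiveX download policies
# through their registry-backed values and audits the result. Assumptions: value
# 1001 = "Download signed ActiveX controls", 1004 = "Download unsigned ActiveX
# controls", data 3 = Disable; zones 0-3 = Local Machine, Intranet, Trusted
# Sites, Internet. Run as administrator on the endpoint being hardened.
$zonesRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$policyValues = @{ '1001' = 3; '1004' = 3 }   # 3 = Disable
$zoneNames    = @{ 0 = 'Local Machine'; 1 = 'Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet' }

function Set-ActiveXDownloadDisabled {
    foreach ($zone in 0..3) {
        $key = Join-Path $zonesRoot $zone
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $policyValues.Keys) {
            New-ItemProperty -Path $key -Name $name -PropertyType DWord `
                -Value $policyValues[$name] -Force | Out-Null
        }
    }
}

function Test-ActiveXDownloadDisabled {
    # One row per zone/setting with a Compliant flag; suitable for a fleet-wide audit
    foreach ($zone in 0..3) {
        $key = Join-Path $zonesRoot $zone
        foreach ($name in $policyValues.Keys) {
            $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            [pscustomobject]@{
                Zone      = "$zone ($($zoneNames[$zone]))"
                Setting   = $name
                Current   = $current
                Compliant = ($current -eq $policyValues[$name])
            }
        }
    }
}

Set-ActiveXDownloadDisabled
Test-ActiveXDownloadDisabled | Format-Table -AutoSize
```

Running only Test-ActiveXDownloadDisabled (without the Set call) gives a read-only check of whether the Group Policy workaround has actually reached a given endpoint.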

The initial vector for this vulnerability also likely hinges on a user opening a suspicious Office file containing the crafted ActiveX control. Increased vigilance for social engineering attacks via Microsoft Office products (primarily Word documents sent via email) can therefore further mitigate this vulnerability. This may include redistributing educational materials reiterating the signs of suspicious emails and attachments. These materials may include the following points:

  • Beware of email sent from unknown senders or senders outside the organization (particularly if there is no business case or other context for the communication).
  • Beware of email containing multiple spelling and grammatical errors, or having an overall unprofessional tone.
  • Beware of emails that attempt to elicit a sense of urgency to either divulge information or action on a link or attachment.

Further workaround details can be found here: Security Update Guide – Microsoft Security Response Center

Attack details

Microsoft has yet to reveal the complete details, but we do know that the vector of attack is a crafted ActiveX control. When the control is accessed (likely by opening a suspicious Word document or another Office file), the MSHTML process runs with privileges equal to those of the active user. If the user is an administrator or possesses sufficient rights, this grants the MSHTML process enough privilege to request the download of malware to the endpoint.

The attacker’s objective in this instance is to initiate compromise and gain a foothold on the network.


Lastly, to those who are leveraging our 24/7 Healthcare Security Operations Center (SOC) / SIEM: your network is being monitored and we will provide regular updates. To those who are not, please feel free to reach out to raheel.qureshi@isecurityconsulting.com or kees.pouw@isecurityconsulting.com and we will add you to our distribution list.

We will also provide updates to organizations we are servicing through our Incident Response Retainer.

Do not panic but stay safe and protected. We can always connect with you 1-on-1 to provide better guidance on how to gain better visibility into your controls, network, dark web, privileged user access protection and active threat hunting. The landscape around ransomware has evolved as the Healthcare sector is willing to pay ransom and malicious threat actors are now stronger than ever.

Please go ahead and share this with your peers.

For any other questions or concerns, please feel free to reach out to info@isecurityconsulting.com.

Best Regards,

The iSecurity Team