

  • Matthew Spencer - Tech Journalist

Formbook malware injected in the Microsoft Office patch: RAT detected even after the update

Although 2022 started well, with less news about viruses and malware, the threats did not vanish overnight. Remote code execution and keylogging malware are still getting past defenses as we speak. Microsoft Office, one of the most popular productivity applications, was affected by one such flaw. Although the development team patched it, hackers still bypassed the update.

The MSHTML flaw is a remote code execution vulnerability that affects Microsoft Windows and is currently under investigation. The company is aware of the exploit and said it uses ‘specially-crafted’ Microsoft Office documents.

In this attack, the attacker zips an MS Word document and mails it to the potential victim. Not everyone will open a random zip file that appears in their mail, but the few who do will not know about the vulnerability. The attacker sends the file through mass file transfer, using popular APIs or data-grabbing hooks.

CVE-2021-40444 is titled ‘Fully Weaponised’ remote code execution malware, and it can be found openly on GitHub. A user published his experience of building a test environment for the hidden code execution malware, which required only Microsoft Office, Python 3, VS Code, and Process Monitor. Process Monitor is used only to observe what happens behind the scenes, and Python 3 is used to start a simple HTTP server.

According to news publishers, it is ‘a dry run for a more comprehensive campaign’, which raised some eyebrows. Security researchers at Sophos found the exploit. How can the flaw remain exploitable after a dedicated team of renowned companies has fixed it? The mechanism uses MS Word documents to download a Microsoft Cabinet (CAB) archive, which contains a malicious payload previously scripted by an attacker.

According to Microsoft’s blog post, the ‘ActiveX control’ is used by MS Office, which hosts a browser rendering engine. The attacker has to convince victims to open the document, which asks for administrative user rights.

Microsoft said its Defender and Endpoint security systems can detect and protect against known vulnerabilities. Keeping software and operating system security essentials up to date is a great way to stay protected. But that’s not how the exploit enters the system. It enters as a vanilla zipped file containing a Word document.
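The delivery chain described above (a zipped Word document that pulls in remote content) can be triaged before anyone opens the file. The following Python is an added example, not code from Microsoft, Sophos, or this article's sources: it lists every non-hyperlink relationship marked `TargetMode="External"` in each `.docx`/`.docm` inside a ZIP attachment. The sample archive, the file name `invoice.docx`, and the `example.invalid` targets are constructed, and the 5 MiB member cap is an assumed limit.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
MAX_PART = 5 * 1024 * 1024  # assumed cap on declared member size (zip-bomb guard)

def read_capped(zf, name):
    if zf.getinfo(name).file_size > MAX_PART:
        raise ValueError(f"{name} exceeds {MAX_PART} bytes")
    return zf.read(name)

def external_targets(docx_bytes):
    """List (rels part, kind, target) for external references; plain hyperlinks are skipped."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as doc:
        for name in (n for n in doc.namelist() if n.endswith(".rels")):
            root = ET.fromstring(read_capped(doc, name))
            for rel in root.iter(f"{{{PKG_NS}}}Relationship"):
                kind = rel.get("Type", "").rsplit("/", 1)[-1]
                if rel.get("TargetMode") == "External" and kind != "hyperlink":
                    hits.append((name, kind, rel.get("Target", "")))
    return hits

def scan_attachment(archive_bytes):
    """Map every Word document inside a ZIP attachment to its external references."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as outer:
        for member in outer.namelist():
            if member.lower().endswith((".docx", ".docm")):
                try:
                    report[member] = external_targets(read_capped(outer, member))
                except (zipfile.BadZipFile, ET.ParseError, ValueError) as err:
                    report[member] = [("unreadable", type(err).__name__, "")]
    return report

def build_sample():
    """Constructed sample: a ZIP holding one .docx with a hyperlink and an external OLE link."""
    rel = '<Relationship Id="{}" Type="' + OFFICE_REL + '{}" Target="{}" TargetMode="External"/>'
    rels = (f'<Relationships xmlns="{PKG_NS}">'
            + rel.format("rId1", "hyperlink", "https://example.invalid/page")
            + rel.format("rId2", "oleObject", "http://example.invalid/constructed-placeholder")
            + "</Relationships>")
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("word/_rels/document.xml.rels", rels)
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("invoice.docx", inner.getvalue())
    return outer.getvalue()
```

Calling `scan_attachment(build_sample())` reports only the OLE link. A hit is a reason to quarantine and inspect the document, not proof of CVE-2021-40444.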

The Global Threat Index 2021 revealed a lot of interesting information about Formbook, which remains one of the most prevalent malware families. Qbot, a banking trojan, was very popular throughout the year, and it took a break during the summer. Since then it has not made any headlines, but its cousin Remcos, a remote access trojan (RAT), climbed up the ladder. Removing Qbot from the top 10 malware list is not an easy task, but another variant came forward with ease.

Microsoft’s security update of September 14, 2021, released to address the vulnerability, remained quite an underdog. Officials announced that the update should be installed immediately to fix the issue, but attackers found ways to bypass it and exploit the flaw nevertheless.

When a Microsoft Office document opens, it is in Protected View or read-only view by default. The guard is already there. But is the file coming from a trusted source? If the answer is yes, then the possibility of remote code execution goes way down. But what if you’re feeling extra curious about a file that suddenly landed in your spam folder? The reflex should be immediate deletion.

Principal threat researcher at Sophos Andrew Brandt said the theory of this attack “shouldn’t have worked.”

RAR files are not themselves protected. The format packs a whole variety of files into one archive, making them easy to transfer. Malicious attackers use the same principle to attach a payload, giving them remote execution ability on victim computers.

As many people browse the web every day and interact with documents, they should be extra careful not to mix up file receivers.

