Microsoft and RiskIQ researchers have uncovered several campaigns using a recently patched Microsoft MSHTML flaw, restating calls for organizations to update impacted systems. The vulnerability was first exploited by the Ryuk ransomware gang, which leveraged the bug ahead of the patch, according to the new research. Microsoft released the fix this week and has urged organizations to install the update as soon as possible. The flaw can be used to hide malicious ActiveX control in Office document attacks.
The researchers analyzed attacks that used MSHTML as part of an initial access campaign that later distributed custom Cobalt Strike Beacon loaders, which communicated with infrastructure associated with multiple cybercriminals campaigns. These include human-operated ransomware, according to Microsoft researchers. RiskIQ found that the ransomware infrastructure potentially belongs to the Russian-speaking Wizard Spider cybercrime group, which is known to maintain and distribute Ryuk ransomware. Microsoft did not point to any specific threat actors exploiting the MSHTML flaw and instead referred to the hackers as development groups, another phrase for an emerging threat group.
Read More: Microsoft MSHTML Flaw Exploited by Ryuk Ransomware Gang