Description of Campaign
A remote code execution vulnerability in Microsoft Windows is being exploited by threat actors. The zero-day flaw lies in the MSHTML component and is classified under CVE-2021-40444. Successful exploitation could allow a remote actor to execute arbitrary code. A malicious ActiveX control along with a malicious document could be used by an actor to carry out the attack.

The McAfee Enterprise ATR Team gathers and analyzes information from multiple open and closed sources before disseminating intelligence reports.
This campaign was researched by Microsoft and shared publicly here.

How to use this article:

1. If a Threat Hunting table has been created, use the rules contained to search for malware related to this campaign. 
2. Review the product detection table and confirm that your environment is at least on the specified content version.
   To download the latest content versions, go to the Security Updates page.
3. Scroll down and review the "Product Countermeasures" section of this article. Consider implementing them if they are not already in place.
4. Review KB91836 - Countermeasures for entry vector threats.
5. Review KB87843 - Dynamic Application Containment rules and best practices.
6. Review KB82925 - Identify what rule corresponds to an Adaptive Threat Protection and Threat Intelligence Exchange event.

Threat Hunting:

YARA

rule EXPL_CVE_2021_40444_Document_Rels_XML { meta: description = "Detects indicators found in weaponized documents that exploit CVE-2021-40444" author = "Jeremy Brown / @alteredbytes" reference = "https://twitter.com/AlteredBytes/status/1435811407249952772" date = "2021-09-10" strings: $b1 = "/relationships/oleObject" ascii $b2 = "/relationships/attachedTemplate" ascii $c1 = "Target=\"mhtml:http" nocase $c2 = "!x-usc:http" nocase $c3 = "TargetMode=\"External\"" nocase condition: uint32(0) == 0x6D783F3C and filesize < 10KB and 1 of ($b*) and all of ($c*) }

This Knowledge Base article discusses a specific threat that is being tracked. The list of IOCs will change over time; check MVISION Insights for the latest IOCs.
 
Campaign IOC

Type	Value
SHA256	5B85DBE49B8BC1E65E01414A0508329DC41DC13C92C08A4F14C71E3044B06185
SHA256	199B9E9A7533431731FBB08FF19D437DE1DE6533F3EBBFFC1E13EEFFAA4FD455
SHA256	938545F7BBE40738908A95DA8CDEABB2A11CE2CA36B0F6A74DEDA9378D380A52
SHA256	3BDDB2E1A85A9E06B9F9021AD301FDCDE33E197225AE1676B8C6D0B416193ECF
SHA256	1FB13A158AFF3D258B8F62FE211FABEED03F0763B2ACADBCCAD9E8E39969EA00
SHA256	D0FD7ACC38B3105FACD6995344242F28E45F5384C0FDF2EC93EA24BFBC1DC9E6
SHA256	AE9AADE86AA19D8933328AE47A5AD8206AD2D2884BF90C82CD9F40330145526F
SHA256	049ED15EF970BD12CE662CFFA59F7D0E0B360D47FAC556AC3D36F2788A2BC5A4
SHA256	6EEDF45CB91F6762DE4E35E36BCB03E5AD60CE9AC5A08CAEB7EDA035CD74762B
SHA256	3430F39A7B7D2FD3C0BDE1BEED01BB9CF9A4C1393C5DFA5AD9E5E296B3DA75EC
SHA256	FA052FA3692580EFD35BE8FE5FF79EB0A04942A09B7543DE76D2279DA958D7D0
SHA256	D0E1F97DBE2D0AF9342E64D460527B088D85F96D38B1D1D4AA610C0987DCA745
SHA256	5E6E8883173603A0B3811302EE14A14C4F5708F1B756F2906A0749DD2FD1CFA0
SHA256	A5F55361EFF96FF070818640D417D2C822F9AE1CDD7E8FA0DB943F37F6494DB9
SHA256	4D5ACCE20CFA4FF5CF5003B03AA6081959DB25E4ECA795B2E5F4191C04C5BE32
SHA256	4477D161958522D5D0DD0CFC4E6D38B0459654184C4EE2B9BCE78D2524D7BC9D
SHA256	2E328B32F8C7081FBE0AA8407B1B93D1120AC1C8A6AA930EEBA1985C55A0DAA0
SHA256	8A31B04C1396C79EFCA3DAA801310A16ADDF59D41834EA100FE9CEDEDD3E3BAD
SHA256	CB091DBFD10645BA4EBF06D272E98CD98A2359BC0A0E115BF1AE6AD0073461E0
SHA256	3834F6A04B0A9CCA41653967E46934932089ADAA4DE23FF5CFEECDD0E9258E72
SHA256	BD4B9F4B79F8A9EEDC12ABE3919CECB041C61022485B87B3A5CDFD1891E30670
SHA256	8662D511C7F1BEF3A6E4F6D72965760345B57DDF0DE5D3E6EAE4E610216A39C1
SHA256	6D3230247C986CE3B69C100B38881A9AA65A20D1769739C724C95EABB141B70E
SHA256	6863778CAE39716F5DCE7B9EC58662A44470301F94B253743B1A811D80FFCD44
SHA256	5020054735A28AAEBE2FC092C56EA3510D6D6E0A3C6EE1B08ED2103CA0D64A87
SHA256	ED2B9E22AEF3E545814519151528B2D11A5E73D1B2119C067E672B653AB6855A
SHA256	8A2C20A6551A05C429862660CA90E1A2E82EB7ACC24B9C8D9328F7754B558872
SHA256	E48F134C321FDC31A646E747993B1592F576519D7EBBC0AE9B0EAC7337EAF422
SHA256	67521AE29B0364CFF6F7ED0DC7AED0171663CA675716A1CADC0E63CA52A68789
SHA256	AABFA77FA08E7EAE93DC418F53A29F9C2B660F3EF621C9CAFB8C5CA42613AD56
SHA256	E71E40E4D7133A4F7CB9F93B257B5A58FAD672A94A454C61EF8FF0A39D85644E
SHA256	F4611203B96379F3DDD561D3E4A3CE31E3FCE5CCE948EB096DB92728607E7430
SHA256	C7D57588B0D9A59794779106D4E2A03A0118A74FABEB5050EA944E03D0BB6BC7
SHA256	05D20D2BF374E1EBF3F22384F2AA63E7767FF46907D8AAF2690DA4155CACA36A
SHA256	A8E04DC3BA71C5E56898A845D43E2D43EC39660679C971831D1A32740D3B125C
SHA256	1A59DD48C64354E42E5EBB77503CD661FCB4106DE350345A7AB0A3C13145FE3A
SHA256	CB85DEF3A47325722D0F87ADB1975F6536DE09095C1AF6229BDB12B7FC32423B
SHA256	065308CF26326D94F18E246A31B14F3CA5425DA2A9265C347856F31A49C2CC5C
SHA256	0EFB0B8A4FD50DADD8092A50D64CE9EB81610C90704E1C3A973F00A431CF6738
SHA256	2AC2F581F9A2323B1843A3C8ED80C3CE450534DF2C48B0EA4098BA9ECFA27FF9
SHA256	0BFC6678C78ED6CC12E6104E9CDBDE6B5607617A51D920C015CAE759A67C75DD
SHA256	79FF6DE7E2CA406577BA170BD7F37408B63BDA07E042F29589B0B989E300AF55
SHA256	FBE575C75F754546BEA925E921664CCF951900B10DBC4B5A3B4E2155333967A8
SHA256	34EC4F2DEFD549B7C9A026B5498D09F5595FFE1396FE56509743820F20C610BE
SHA256	70501030AF425433D3050133E7D3B800D3D8E4AD4433C1CBD2D2603DC0A96772
SHA256	47966D46657412E76755CA9C0F5D044E166FEEC9BAAFF30938504DDCA4DF3D37
SHA256	CDA7F5A51A7FA6E76867D7321AB8B61F06B7F1E627D4275230F6C93A3C7F2ED0
SHA256	433F545C5599B967FA5E8AD03E6F5C977E27948948536BBDB7816C3A5AFF19BE
DOMAIN	hidusi.com
DOMAIN	macuwuf.com
DOMAIN	joxinu.com
DOMAIN	dodefoh.com
DOMAIN	pawevi.com
URL	http://hidusi.com/e8c76295a5f9acb7/ministry.cab
URL	http://dodefoh.com
URL	http://hidusi.com/e273caf2ca371919/mountain.html
URL	http://hidusi.com/94cc140dcee6068a/help.html
URL	http://hidusi.com/e273caf2ca371919/snake.cab
URL	http://hidusi.com/e273caf2ca371919/consist.cab
URL	http://hidusi.com/e8c76295a5f9acb7/minister.cab
URL	http://hidusi.com/e8c76295a5f9acb7/side.html
URL	http://sagoge.com/
URL	https://comecal.com/
URL	https://rexagi.com/
URL	http://sagoge.com/get_load
URL	https://comecal.com/static-directory/templates.gif
URL	https://comecal.com/ml.js?restart=false
URL	https://comecal.com/avatars
URL	https://rexagi.com:443/avatars
URL	https://rexagi.com/ml.js?restart=false
URL	https://macuwuf.com
URL	https://macuwuf.com/get_load
URL	https://joxinu.com
URL	https://joxinu.com/hr.html
URL	https://dodefoh.com/ml.html
URL	http://pawevi.com/e32c8df2cf6b7a16/specify.html
URL	http://pawevi.com/e32c8df2cf6b7a16/differ.cab
URL	http://macuwuf.com/get_load
URL	https://pawevi.com/lch5.dll
URL	http://175.24.190.249/note.html
IP-DST	23.106.160.25
IP-DST	175.24.190.249
IP-DST	212.192.241.72
HOSTNAME	pawevi.comsagoge.comrexagi.com
HOSTNAME	comecal.comcanarytokens.com

Minimum Content Versions:

Content Type	Version
V2 DAT (VirusScan Enterprise)	10119
V3 DAT (Endpoint Security)	4571

 
 
Detection Summary                               

IOC	Scanner	Detection
5B85DBE49B8BC1E65E01414A0508329DC41DC13C92C08A4F14C71E3044B06185	AVEngine V2	Exploit-CVE2021-40444.a
	AVEngine V3	Exploit-CVE2021-40444.a
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

 

IOC	Scanner	Detection
199B9E9A7533431731FBB08FF19D437DE1DE6533F3EBBFFC1E13EEFFAA4FD455	AVEngine V2	Exploit-CVE2021-40444.a
	AVEngine V3	Exploit-CVE2021-40444.a
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

 

IOC	Scanner	Detection
938545F7BBE40738908A95DA8CDEABB2A11CE2CA36B0F6A74DEDA9378D380A52	AVEngine V2	Exploit-CVE2021-40444.a
	AVEngine V3	Exploit-CVE2021-40444.a
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

 

IOC	Scanner	Detection
3BDDB2E1A85A9E06B9F9021AD301FDCDE33E197225AE1676B8C6D0B416193ECF	AVEngine V2	Exploit-CVE2021-40444.a
	AVEngine V3	Exploit-CVE2021-40444.a
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

 

IOC	Scanner	Detection
1FB13A158AFF3D258B8F62FE211FABEED03F0763B2ACADBCCAD9E8E39969EA00	AVEngine V2	Exploit-CVE2021-40444.a
	AVEngine V3	Exploit-CVE2021-40444.a
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

 

IOC	Scanner	Detection
D0FD7ACC38B3105FACD6995344242F28E45F5384C0FDF2EC93EA24BFBC1DC9E6	AVEngine V2	Exploit-CVE2021-40444
	AVEngine V3	Exploit-CVE2021-40444
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

 

IOC	Scanner	Detection
AE9AADE86AA19D8933328AE47A5AD8206AD2D2884BF90C82CD9F40330145526F	AVEngine V2	Exploit-CVE2021-40444.a
	AVEngine V3	Exploit-CVE2021-40444.a
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

 

IOC	Scanner	Detection
049ED15EF970BD12CE662CFFA59F7D0E0B360D47FAC556AC3D36F2788A2BC5A4	AVEngine V2	Exploit-CVE2021-40444.a
	AVEngine V3	Exploit-CVE2021-40444.a
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

 

IOC	Scanner	Detection
6EEDF45CB91F6762DE4E35E36BCB03E5AD60CE9AC5A08CAEB7EDA035CD74762B	AVEngine V2	Exploit-CVE2021-40444.a
	AVEngine V3	Exploit-CVE2021-40444.a
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

 

IOC	Scanner	Detection
3430F39A7B7D2FD3C0BDE1BEED01BB9CF9A4C1393C5DFA5AD9E5E296B3DA75EC	AVEngine V2	Exploit-CVE2021-40444.a
	AVEngine V3	Exploit-CVE2021-40444.a
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

 

IOC	Scanner	Detection
FA052FA3692580EFD35BE8FE5FF79EB0A04942A09B7543DE76D2279DA958D7D0	AVEngine V2	Exploit-CVE2021-40444.a
	AVEngine V3	Exploit-CVE2021-40444.a
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

 

IOC	Scanner	Detection
D0E1F97DBE2D0AF9342E64D460527B088D85F96D38B1D1D4AA610C0987DCA745	AVEngine V2	Exploit-CVE2021-40444.a
	AVEngine V3	Exploit-CVE2021-40444.a
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

 

IOC	Scanner	Detection
5E6E8883173603A0B3811302EE14A14C4F5708F1B756F2906A0749DD2FD1CFA0	AVEngine V2	W97M/Downloader.dsf
	AVEngine V3	W97M/Downloader.dsf
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

 

IOC	Scanner	Detection
A5F55361EFF96FF070818640D417D2C822F9AE1CDD7E8FA0DB943F37F6494DB9	AVEngine V2	Exploit-CVE2021-40444.a
	AVEngine V3	Exploit-CVE2021-40444.a
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

 

IOC	Scanner	Detection
4D5ACCE20CFA4FF5CF5003B03AA6081959DB25E4ECA795B2E5F4191C04C5BE32	AVEngine V2	Exploit-CVE2021-40444
	AVEngine V3	Exploit-CVE2021-40444
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

 

IOC	Scanner	Detection
4477D161958522D5D0DD0CFC4E6D38B0459654184C4EE2B9BCE78D2524D7BC9D	AVEngine V2	Exploit-CVE2021-40444.h
	AVEngine V3	Exploit-CVE2021-40444.h
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

 

IOC	Scanner	Detection
2E328B32F8C7081FBE0AA8407B1B93D1120AC1C8A6AA930EEBA1985C55A0DAA0	AVEngine V2	Exploit-CVE2021-40444.f
	AVEngine V3	Exploit-CVE2021-40444.f
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

 

IOC	Scanner	Detection
8A31B04C1396C79EFCA3DAA801310A16ADDF59D41834EA100FE9CEDEDD3E3BAD	AVEngine V2	Exploit-CVE2021-40444
	AVEngine V3	Exploit-CVE2021-40444
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

 

IOC	Scanner	Detection
CB091DBFD10645BA4EBF06D272E98CD98A2359BC0A0E115BF1AE6AD0073461E0	AVEngine V2	Trojan-FTWX!60D4BD85DE2F
	AVEngine V3	Trojan-FTWX!60D4BD85DE2F
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

 

IOC	Scanner	Detection
3834F6A04B0A9CCA41653967E46934932089ADAA4DE23FF5CFEECDD0E9258E72	AVEngine V2	Trojan-FTWX!192348DE8581
	AVEngine V3	Trojan-FTWX!192348DE8581
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

 

IOC	Scanner	Detection
BD4B9F4B79F8A9EEDC12ABE3919CECB041C61022485B87B3A5CDFD1891E30670	AVEngine V2	Trojan-FTWX!FE1B2ACA070C
	AVEngine V3	Trojan-FTWX!FE1B2ACA070C
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

 

IOC	Scanner	Detection
8662D511C7F1BEF3A6E4F6D72965760345B57DDF0DE5D3E6EAE4E610216A39C1	AVEngine V2	X97M/Downloader.ih
	AVEngine V3	X97M/Downloader.ih
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

 

IOC	Scanner	Detection
6D3230247C986CE3B69C100B38881A9AA65A20D1769739C724C95EABB141B70E	AVEngine V2	Exploit-CVE2021-40444.a
	AVEngine V3	Exploit-CVE2021-40444.a
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

 

IOC	Scanner	Detection
6863778CAE39716F5DCE7B9EC58662A44470301F94B253743B1A811D80FFCD44	AVEngine V2	Exploit-CVE2021-40444.a
	AVEngine V3	Exploit-CVE2021-40444.a
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

 

IOC	Scanner	Detection
5020054735A28AAEBE2FC092C56EA3510D6D6E0A3C6EE1B08ED2103CA0D64A87	AVEngine V2	Exploit-CVE2021-40444.a
	AVEngine V3	Exploit-CVE2021-40444.a
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

 

IOC	Scanner	Detection
ED2B9E22AEF3E545814519151528B2D11A5E73D1B2119C067E672B653AB6855A	AVEngine V2	Exploit-CVE2021-40444.a
	AVEngine V3	Exploit-CVE2021-40444.a
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

 

IOC	Scanner	Detection
8A2C20A6551A05C429862660CA90E1A2E82EB7ACC24B9C8D9328F7754B558872	AVEngine V2	Linux/Mirai.l
	AVEngine V3	Linux/Mirai.l
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

 

IOC	Scanner	Detection
E48F134C321FDC31A646E747993B1592F576519D7EBBC0AE9B0EAC7337EAF422	AVEngine V2	Exploit-CVE2021-40444.a
	AVEngine V3	Exploit-CVE2021-40444.a
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

 

IOC	Scanner	Detection
67521AE29B0364CFF6F7ED0DC7AED0171663CA675716A1CADC0E63CA52A68789	AVEngine V2	Exploit-CVE2021-40444.a
	AVEngine V3	Exploit-CVE2021-40444.a
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

 

IOC	Scanner	Detection
AABFA77FA08E7EAE93DC418F53A29F9C2B660F3EF621C9CAFB8C5CA42613AD56	AVEngine V2	Trojan-FTWX!60D4BD85DE2F
	AVEngine V3	Trojan-FTWX!60D4BD85DE2F
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

 

IOC	Scanner	Detection
E71E40E4D7133A4F7CB9F93B257B5A58FAD672A94A454C61EF8FF0A39D85644E	AVEngine V2	GenericRXQC-AY!9D9C7368D9D1
	AVEngine V3	GenericRXQC-AY!9D9C7368D9D1
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

 

IOC	Scanner	Detection
F4611203B96379F3DDD561D3E4A3CE31E3FCE5CCE948EB096DB92728607E7430	AVEngine V2	Linux/Downloader.p
	AVEngine V3	Linux/Downloader.p
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

 

IOC	Scanner	Detection
C7D57588B0D9A59794779106D4E2A03A0118A74FABEB5050EA944E03D0BB6BC7	AVEngine V2	Linux/Downloader.p
	AVEngine V3	Linux/Downloader.p
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

 

IOC	Scanner	Detection
05D20D2BF374E1EBF3F22384F2AA63E7767FF46907D8AAF2690DA4155CACA36A	AVEngine V2	Linux/Downloader.p
	AVEngine V3	Linux/Downloader.p
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

 

IOC	Scanner	Detection
A8E04DC3BA71C5E56898A845D43E2D43EC39660679C971831D1A32740D3B125C	AVEngine V2	Exploit-CVE2021-40444.a
	AVEngine V3	Exploit-CVE2021-40444.a
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

 

IOC	Scanner	Detection
1A59DD48C64354E42E5EBB77503CD661FCB4106DE350345A7AB0A3C13145FE3A	AVEngine V2	Exploit-CVE2021-40444.a
	AVEngine V3	Exploit-CVE2021-40444.a
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

 

IOC	Scanner	Detection
CB85DEF3A47325722D0F87ADB1975F6536DE09095C1AF6229BDB12B7FC32423B	AVEngine V2	Exploit-CVE2021-40444.a
	AVEngine V3	Exploit-CVE2021-40444.a
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

 

IOC	Scanner	Detection
065308CF26326D94F18E246A31B14F3CA5425DA2A9265C347856F31A49C2CC5C	AVEngine V2	Generic trojan.mu
	AVEngine V3	Generic trojan.mu
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

 

IOC	Scanner	Detection
0EFB0B8A4FD50DADD8092A50D64CE9EB81610C90704E1C3A973F00A431CF6738	AVEngine V2	Trojan-FTWX!BFCF533572F4
	AVEngine V3	Trojan-FTWX!BFCF533572F4
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

 

IOC	Scanner	Detection
2AC2F581F9A2323B1843A3C8ED80C3CE450534DF2C48B0EA4098BA9ECFA27FF9	AVEngine V2	Linux/Downloader.p
	AVEngine V3	Linux/Downloader.p
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

 

IOC	Scanner	Detection
0BFC6678C78ED6CC12E6104E9CDBDE6B5607617A51D920C015CAE759A67C75DD	AVEngine V2	Linux/Downloader.p
	AVEngine V3	Linux/Downloader.p
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

 

IOC	Scanner	Detection
79FF6DE7E2CA406577BA170BD7F37408B63BDA07E042F29589B0B989E300AF55	AVEngine V2	Linux/Downloader.p
	AVEngine V3	Linux/Downloader.p
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

 

IOC	Scanner	Detection
FBE575C75F754546BEA925E921664CCF951900B10DBC4B5A3B4E2155333967A8	AVEngine V2	Trojan-FTWX!BFCF533572F4
	AVEngine V3	Trojan-FTWX!BFCF533572F4
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

 

IOC	Scanner	Detection
34EC4F2DEFD549B7C9A026B5498D09F5595FFE1396FE56509743820F20C610BE	AVEngine V2	Exploit-CVE2021-40444.a
	AVEngine V3	Exploit-CVE2021-40444.a
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

 

IOC	Scanner	Detection
70501030AF425433D3050133E7D3B800D3D8E4AD4433C1CBD2D2603DC0A96772	AVEngine V2	Linux/Downloader.p
	AVEngine V3	Linux/Downloader.p
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

 

IOC	Scanner	Detection
47966D46657412E76755CA9C0F5D044E166FEEC9BAAFF30938504DDCA4DF3D37	AVEngine V2	Trojan-FTWX!38610FC2B0C8
	AVEngine V3	Trojan-FTWX!38610FC2B0C8
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

 

IOC	Scanner	Detection
CDA7F5A51A7FA6E76867D7321AB8B61F06B7F1E627D4275230F6C93A3C7F2ED0	AVEngine V2	Linux/Mirai.l
	AVEngine V3	Linux/Mirai.l
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

 

IOC	Scanner	Detection
433F545C5599B967FA5E8AD03E6F5C977E27948948536BBDB7816C3A5AFF19BE	AVEngine V2	Linux/Mirai.l
	AVEngine V3	Linux/Mirai.l
	JTI (ATP Rules)	-
	RP Static	-
	RP Dynamic	-

                         
Minimum set of Manual Rules to improve protection to block this campaign
IMPORTANT: Always follow best practices when you enable new rules and signatures.

When you implement new rules or signatures, always set them to Report mode first and check the alerts generated. Resolve any issues that arise and then set the rules to Block. This step mitigates against triggering false positives and allows you to refine your configuration.

For more information, see KB87843 - List of and best practices for Endpoint Security Dynamic Application Containment rules.

Endpoint Security - Exploit Prevention:
Aggressive set of Manual Rules to improve protection to block this campaign
IMPORTANT: Always follow best practices when you enable new rules and signatures.

When you implement new rules or signatures, always set them to Report mode first and check the alerts generated. Resolve any issues that arise and then set the rules to Block. This step mitigates against triggering false positives and allows you to refine your configuration.

For more information, see KB87843 - List of and best practices for Endpoint Security Dynamic Application Containment rules.

Host Intrusion Prevention: