{
	"id": "b8e454c5-5b5a-41d0-bd85-cce44043406a",
	"created_at": "2026-04-06T00:20:20.732299Z",
	"updated_at": "2026-04-10T13:12:48.428923Z",
	"deleted_at": null,
	"sha1_hash": "2184d2d8e7c53e6848038101cf45c5e732284050",
	"title": "Rendering Threats: A Network Perspective",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 581613,
	"plain_text": "Rendering Threats: A Network Perspective\r\nBy Joe Slowik\r\nPublished: 2021-09-10 · Archived: 2026-04-05 13:17:32 UTC\r\nBackground\r\nOn September 7, 2021, following a long holiday weekend in the U.S., Microsoft disclosed a remote code execution vulnerability, CVE-2021-40444. Discovered by researchers from several organizations, the vulnerability leverages flaws in the MSHTML application, present in all Microsoft Windows installations, to achieve code execution. At the time of this writing, security researchers from several organizations identified active exploitation of this vulnerability, potentially as early as mid-August 2021, via a chain of events started through specially crafted Microsoft Office documents.\r\nIdentified Behaviors\r\nMultiple researchers identified what appears to be a single campaign from mid-August 2021 through early September 2021 leveraging CVE-2021-40444 against multiple victims. While precise victimology is unknown, limited evidence indicates potential use against entities in North America, Europe, and Asia. Intrusion operations begin through the delivery of a phishing document — exactly how the document is delivered is unknown at present — such as the following item:\r\nhttps://blog.gigamon.com/2021/09/10/rendering-threats-a-network-perspective/\r\nPage 1 of 7\r\nWhile the document loads, Microsoft Office attempts to retrieve a remote object referenced in a component of the document file, such as the following:\r\nThe HTML object retrieved contains obfuscated JavaScript code that the MSHTML engine renders as though it were a webpage. Although helpful in evading detections and defenses, the obfuscation is unnecessary as the MSHTML application will render the underlying code irrespective of hardening. 
The following shows a portion of the malicious code:\r\nWhen executed, the scripting content retrieves another file with an .inf extension that is actually a malicious DLL file. The extension–file type mismatch is likely used to evade defensive checks for downloading portable executable file types. Once executed, the DLL establishes command and control (C2) communication, allowing the unknown adversary to access the exploited victim.\r\nThe above represents only preliminary analysis of a campaign that appears to still be in progress. While additional details on this activity will almost certainly emerge over the coming days and weeks, sufficient information exists to analyze this exploit for defensive purposes.\r\nNetwork Detection Opportunities\r\nAt first glance, the above operations appear heavily weighted toward host-based detection methodologies and possibly phishing or malicious email defenses. While these assessments are valid and will likely receive significant attention as the security community further examines the vulnerability and the resulting campaign, there are defensive alternatives. As previously discussed with respect to ransomware operations, information security practitioners must aim to identify and defeat malicious behavior across host and network perspectives, fusing insights from each into a complete picture, to compete against modern threat actors.\r\nWhile much remains unknown concerning both who is responsible and for what purpose, the current campaign underscores the need to take this blended defensive approach. This begins at the very first moments of malicious action on a victim’s machine: the retrieval of a remote object via Microsoft Office. 
Similar to template injection behaviors, the malicious document can only serve its desired function and purpose if it can retrieve and render the remotely hosted scripting object. This critical dependency provides defenders with their first opportunity for detection, if not outright mitigation.\r\nWhen retrieving a remote object via a Microsoft Office program, default Windows behavior employs a User Agent string value reflecting the application. In the case of this activity, initial retrieval results in traffic similar to the following two observations:\r\nSearching for instances of Office-based User Agents engaging in anomalous or suspicious activity can serve as a powerful detection for initial actions on target. Observations that can be joined with this for higher confidence include:\r\nTraffic to new, previously unobserved network locations\r\nEnriching network location activity (such as the domain) to identify suspicious hosting or other patterns\r\nAnalysis of traffic and response to identify the obfuscated JavaScript code returned, especially since the traffic in this instance is unencrypted\r\nThe above observations can be combined with host-based detections to further refine matters, identifying such aspects as where files are written and follow-on program execution by looking at child processes from Microsoft Office.\r\nFollowing script execution, the adversary designed the script to retrieve and launch a DLL with a mismatched file extension. This again presents an opportunity for detection and warning, seeing the difference between the content retrieved (a portable executable file type) and the content as labeled (using the .inf extension). 
Again, paired with host observations, even more powerful conclusions can be reached, aligning the simple masquerade in the payload retrieval with follow-on execution as a DLL on the victim machine.\r\nFinally, C2 behaviors after DLL execution can identify an intrusion in progress. One of the most direct, and network-specific, ways of doing so is through identifying a new, not previously seen domain in network traffic. This observation can be further enriched by treating the domain as a composite object and identifying suspicious characteristics in terms of domain registrar, network hosting, and relative domain recency (registered in late August 2021, for example), as seen in the following information from DomainTools:\r\nBy examining precisely how this intrusion unfolds, defenders can identify multiple possible detection points for this campaign. Yet, while that is desirable, such actions can seem consistently backward looking, as they chase known, analyzed behaviors as opposed to newly observed activity. Such concerns are magnified in the case of zero-day actions, where adversary tradecraft predates defender awareness.\r\nEnabling Defense Against Unknown Threat Vectors\r\nCloser examination of the defensive strategies in the previous section identifies something interesting: While the root cause of exploitation and intrusion activity remains a “net new” behavior, all surrounding observations and adversary techniques either align with known tradecraft or display sufficient anomalous characteristics to allow for detection. 
As previously discussed, when evaluating anomalies in network defense, fundamental understanding of networks, their expected or typical behavior, and useful diversions from these norms for adversary activities opens space for powerful defensive possibilities.\r\nIn the case of the MSHTML exploitation activity above, our specific defensive guidance easily translates into more general security advice:\r\nLeverage identification of applications in network traffic to flag strange or risky behaviors relevant to the originating application\r\nUse content analysis and similar methodologies to determine when potentially malicious objects are retrieved while employing some degree of obfuscation or evasion, whether at the content level (such as obfuscated JavaScript) or metadata (such as file type-to-extension mismatches)\r\nAggressively question newly observed network infrastructure communicating with the defended network and place such communications in context to identify potential malicious activity\r\nBy adopting these mechanisms, among a host of other behavior-centric strategies, defenders can place themselves ahead of potential intrusions through identification of adversary dependencies or commonalities. 
Even when a threat actor deploys a new, previously unobserved technique (such as the MSHTML exploit in this campaign), understanding linked dependencies, delivery mechanisms, and C2 requirements allows for detection even under the most difficult circumstances.\r\nConclusion\r\nThe recently disclosed campaign leveraging a then-zero-day exploit in MSHTML retains a number of unknowns. The community of network defenders still does not know what entity is responsible for this activity, for what purpose the campaign was conducted, and (perhaps most significantly) if other threat actors have leveraged the same vulnerability for additional campaigns. While these all are worrying thoughts, a thorough examination of defensive possibilities identifies various potential avenues for detection and defensive response.\r\nBy understanding how specific adversary tradecraft relates to the broader “kill chain” of the intrusion lifecycle, defenders can layer detections in such a fashion that even novel techniques are revealed through their relationship with more mundane behaviors. Defenders must continuously adapt detections and alarms across all phases of adversary operations to ensure that this latent defensive advantage is claimed and utilized, severely limiting would-be intruders from achieving their objectives. 
As such, adopting a detection and defense methodology that embraces all phases of visibility and operation — including network-centric identification and analysis — is a necessary prerequisite to meeting the challenge of modern, agile adversaries.\r\nIndicators of Compromise\r\nIdentified Malicious Domains\r\nIdentified Malicious IP Addresses\r\nIdentified Malicious Documents\r\nIdentified DLLs\r\nSource: https://blog.gigamon.com/2021/09/10/rendering-threats-a-network-perspective/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.gigamon.com/2021/09/10/rendering-threats-a-network-perspective/"
	],
	"report_names": [
		"rendering-threats-a-network-perspective"
	],
	"threat_actors": [],
	"ts_created_at": 1775434820,
	"ts_updated_at": 1775826768,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2184d2d8e7c53e6848038101cf45c5e732284050.pdf",
		"text": "https://archive.orkl.eu/2184d2d8e7c53e6848038101cf45c5e732284050.txt",
		"img": "https://archive.orkl.eu/2184d2d8e7c53e6848038101cf45c5e732284050.jpg"
	}
}