A critical remote code execution bug in Microsoft Outlook — CVE-2024-21413, dubbed “Moniker Link” — is actively being exploited in the wild, bypassing Outlook’s protected-view restrictions through a file:// URI trick to steal NTLM credentials and execute arbitrary code. HN56 also covers Kimsuky, the North Korean APT, swapping their noisy PebbleDash backdoor for a custom RDP wrapper and proxy tools that blend into legitimate remote desktop traffic to stay hidden longer.
Stories Covered
CVE-2024-21413: Outlook Moniker Link RCE Actively Exploited
Discovered by Check Point and tracked as CVE-2024-21413, the Moniker Link vulnerability exploits improper input validation in Microsoft Outlook. When a victim previews or opens an email containing a specially crafted file:// URL with an exclamation mark appended to the path, Outlook bypasses its own Protected View restrictions and attempts to resolve the link against an attacker-controlled server. In doing so, it sends the victim’s NTLM authentication credentials in cleartext — and, under the right conditions, executes arbitrary code. CISA added it to the Known Exploited Vulnerabilities catalog and directed federal agencies to patch by February 27th.
The patch was issued a year ago. The reason it is still a live threat is the gap between patch release and actual deployment — organizations running Office LTSC 2021, Microsoft 365 Apps for Enterprise, Outlook 2016, or Office 2019 who have not applied updates remain exposed. The preview pane is an attack vector, meaning a user does not need to open the attachment at all. If you are running any of those product versions, this is a patch-now situation. If someone in your network received a suspicious Office email from an external sender, check their NTLM auth logs.
Kimsuky Swaps PebbleDash for Custom RDP Wrapper and Proxy Tools
AhnLab Security Intelligence Center (ASEC) documented a shift in Kimsuky tactics: the North Korean APT is replacing reliance on their known PebbleDash backdoor — which generates detectable network noise — with a modified version of the open-source RDP Wrapper tool. RDP Wrapper is a legitimate utility that enables Remote Desktop Protocol on Windows Home editions that do not ship with it. Kimsuky’s modified build alters export functions to evade antivirus signature detection while maintaining the same capability: a persistent, GUI-based remote session into the compromised host.
The infection chain starts with a spear phishing email that includes the target’s name and company — indicating prior reconnaissance — with a malicious LNK file disguised as a PDF or Word document. Opening it triggers PowerShell or MSHTA to pull down multiple payloads: PebbleDash for initial access, the custom RDP wrapper for persistent remote control, proxy tools to punch through NAT and firewall restrictions, a keylogger writing captures to local text files, an info stealer called ForcesCopy that extracts browser-saved credentials, and a PowerShell-based reflective loader that executes payloads entirely in memory — leaving no artifacts on disk for forensic recovery.
The strategic logic is clear: RDP traffic is ubiquitous in enterprise environments. An attacker who can make their remote sessions look like legitimate IT activity can dwell for months or years without triggering alerts. The reflective in-memory loader compounds this by preventing disk forensics from finding evidence of secondary payloads. Kimsuky is investing in long-term access quality over speed — the implication is that breaches from this campaign may sit undiscovered until something breaks operational security on their end.
Leave a Reply