Yesterday Microsoft released an advisory about #CVE_2023_36884 and the #Storm_0978 Threat Actor. In today's thread we would like to focus on the Office document Phishing lure and the new Ransomware variant that is associated with the same group.

The lure document targeting the #NATO summit in #Vilnius was previously covered by the BlackBerry Threat Research Team. We were able to reproduce their findings and to build detection rules for significant parts of the exploit chain.

📰 https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit

The group of vulnerabilities summarized in CVE-2023-36884 shows similarities to previous bugs found in MS Office. The Word file contains a crafted RTF (afchunk.rtf), which in turn has two files embedded via OLE2Link, extractable with @DidierStevens' rtfdump.py.

For further reading on the OLE(2Link) specifics, we can recommend the following write-ups by NCC Group (2017) and Cymulate (2022):

➡️ https://paper.seebug.org/papers/Archive/2017-04%20Office%20OLE2Link%20zero-day%20v0.4.pdf

➡️ https://cymulate.com/blog/cve-2022-30190-2/

The NCC Paper also contains a generic Yara rule for OLE2Link, which works in this case.

The downloaded second stage payload "file001.url" is a Word document as well and contains appended HTML content with a Follina-style msdt Handler execution inside an iframe. We created a #Yara rule for this payload, available via our GitHub repo and @abuse_ch's #Yarahub.
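As an added illustration (not code from this thread, from BlackBerry, or from Didier Stevens' rtfdump.py), the following Python triage scanner checks for the two artefacts described above: an RTF whose \objdata embeds an OLE2Link object, and a Word file with HTML appended after the zip container that references the ms-msdt: protocol handler from an iframe. It goes slightly beyond the single afchunk.rtf case by walking every member of a .docx zip and by scanning the raw bytes, so that appended content is seen even when the zip structure is damaged. The sample inputs in build_samples() are constructed and only mimic the layout; the member name afchunk.rtf comes from the thread, while the OLE 1.0 header bytes and everything else are assumptions.

```python
"""Triage scanner for OLE2Link-in-RTF and appended ms-msdt: HTML (added example)."""
import io
import re
import zipfile

OLE2LINK_CLASS = b"OLE2Link"      # class name carried inside the OLE object stream
MSDT_HANDLER = b"ms-msdt:"        # protocol handler abused Follina-style
OBJDATA = re.compile(rb"\\objdata\b")
IFRAME = re.compile(rb"<iframe\b", re.IGNORECASE)
HEX_DIGITS = b"0123456789abcdefABCDEF"


def decode_objdata_blobs(rtf: bytes) -> list[bytes]:
    """Decode the hex payload that follows every \\objdata control word.

    Plain hex with interleaved whitespace is handled. Heavily obfuscated RTF
    (control words spliced into the hex run) should be unpacked with rtfdump.py.
    """
    blobs = []
    for m in OBJDATA.finditer(rtf):
        pos, hexchars = m.end(), bytearray()
        while pos < len(rtf):
            c = rtf[pos:pos + 1]
            if c in HEX_DIGITS:
                hexchars += c
            elif c not in b" \t\r\n":
                break                      # '}' or a control word ends the run
            pos += 1
        if len(hexchars) % 2:              # drop a dangling nibble
            hexchars = hexchars[:-1]
        blobs.append(bytes.fromhex(hexchars.decode("ascii")))
    return blobs


def scan_part(name: str, data: bytes) -> list[str]:
    """Findings for one blob: an RTF, a zip member, or the raw document bytes."""
    findings = []
    if data.lstrip().startswith(b"{\\rt"):   # RTF header, sometimes truncated to {\rt
        for blob in decode_objdata_blobs(data):
            if OLE2LINK_CLASS in blob:
                findings.append(f"{name}: RTF \\objdata embeds an OLE2Link object")
                break
    if MSDT_HANDLER in data.lower():
        where = "inside an <iframe>" if IFRAME.search(data) else "in the file"
        findings.append(f"{name}: ms-msdt: protocol handler reference {where}")
    return findings


def scan_document(data: bytes) -> list[str]:
    """Scan a Word file: every zip member of a .docx, then the raw bytes so that
    content appended after the zip (the second-stage trick) is still seen."""
    findings = []
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    findings += scan_part(info.filename, zf.read(info))
        except zipfile.BadZipFile:
            findings.append("container: zip structure damaged, scanning raw bytes only")
    findings += scan_part("raw", data)
    return findings


def _ole1_objdata(class_name: bytes) -> bytes:
    """Constructed OLE 1.0 object header (assumed layout): version, embedded
    format id, then the length-prefixed, NUL-terminated class name."""
    name = class_name + b"\x00"
    return b"\x01\x05\x00\x00\x02\x00\x00\x00" + len(name).to_bytes(4, "little") + name


def build_samples() -> dict[str, bytes]:
    """Constructed inputs mimicking the two stages; these are not real samples."""
    rtf = (b"{\\rtf1{\\object\\objemb{\\*\\objdata "
           + _ole1_objdata(OLE2LINK_CLASS).hex().encode() + b"}}}")
    stage1 = io.BytesIO()
    with zipfile.ZipFile(stage1, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/afchunk.rtf", rtf)
    stage2 = io.BytesIO()
    with zipfile.ZipFile(stage2, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", "<w:document/>")
    # Placeholder handler reference appended after the zip; not a working payload.
    html = b'<html><body><iframe src="ms-msdt:PLACEHOLDER"></iframe></body></html>'
    benign = io.BytesIO()
    with zipfile.ZipFile(benign, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
    return {"stage1": stage1.getvalue(),
            "stage2": stage2.getvalue() + html,
            "benign": benign.getvalue()}


if __name__ == "__main__":
    for label, blob in build_samples().items():
        print(label, scan_document(blob) or "no findings")
```

Run it over a suspicious attachment with scan_document(open(path, "rb").read()); an empty list only means these two indicators were not seen. The OLE2Link check keys on the class name rather than on a fixed hex prefix, so whitespace-padded hex still decodes, but RTF with control words spliced into the hex run should go through rtfdump.py first, as the thread recommends.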

https://yaraify.abuse.ch/yarahub/rule/MALWARE_Storm0978_HTML_PROTHANDLER_Jul23

Microsoft Threat Intel attributed this Malspam attack to "Storm-0978" (the name "RomCom" is also used, but it is too ambiguous), along with a Ransomware variant "Underground". We found the following samples w/ a simple #Yara hunting rule:

059175be5681a633190cd9631e2975f6

f27ce4ec855fbb93ec4aa662ca71ad05

https://yaraify.abuse.ch/yarahub/rule/MALWARE_Storm0978_Underground_Ransomware_Jul23

As noted by Microsoft, we found that "Underground" Ransomware shows striking similarities to #IndustrialSpy, e.g. stylometric matches in the ransom note, similarities in the code (browser allowlist) and on their dark web contact page.

IndustrialSpy: https://zscaler.com/blogs/security-research/technical-analysis-industrial-spy-ransomware

Current #CVE_2023_36884 mitigation options:
Monitor ingress email, enable MDE ASR rules such as "Office Child Processes", apply the Registry workaround proposed by Microsoft https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884, and disable OLE2Link via the Registry as proposed by NCC above (untested).

The current vulnerabilities show once again that MS Office has a very broad attack surface and that definitive patches are difficult. Let's see how Microsoft responds. As for Storm-0978, both espionage and fincrime motives are certainly plausible, although they should be viewed separately.

Thank you for reading the thread all the way to the end. If you liked it, consider following us to stay up to date on our latest research!

#cybersecurity #infosec #blueteam #cyberdefense
