Yesterday Microsoft released an advisory about #CVE_2023_36884 and the #Storm_0978 threat actor. In today's thread we would like to focus on the Office document phishing lure and the new ransomware variant that is associated with the same group.

The lure document targeting the #NATO summit in #Vilnius was previously covered by the BlackBerry Threat Research Team. We were able to reproduce their findings and to build detection rules for significant parts of the exploit chain.

📰 https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit

The group of vulnerabilities summarized in CVE-2023-36884 shows similarities to previous bugs found in MS Office. The Word file contains a crafted RTF (afchunk.rtf), which in turn has two files embedded via OLE2Link, extractable with @DidierStevens' rtfdump.py.

For further reading on the OLE(2Link) specifics, we can recommend the following write-ups by NCC Group (2017) and Cymulate (2022):

➡️ https://paper.seebug.org/papers/Archive/2017-04%20Office%20OLE2Link%20zero-day%20v0.4.pdf

➡️ https://cymulate.com/blog/cve-2022-30190-2/

The NCC Paper also contains a generic Yara rule for OLE2Link, which works in this case.
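To make the "extractable with rtfdump.py" step concrete, here is an added triage sketch (our own illustration, not rtfdump.py and not code from the thread or from NCC): it pulls the hex payload out of every \objdata group in an RTF, parses the OLE 1.0 object header in front of the native data (OLEVersion, FormatID, the length-prefixed ClassName/TopicName/ItemName strings, then NativeDataSize and NativeData, per MS-OLEDS) and flags objects whose ClassName is "OLE2Link" and whose payload starts with the OLE compound-file magic. The sample RTF is constructed inline with a hypothetical build_ole1_object helper; its native data is only the CFB magic plus padding. It also assumes the hex run inside \objdata is contiguous, which obfuscated real-world samples often break and which rtfdump.py handles.

```python
import re
import struct

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE compound file header


def _lp_str(s: bytes) -> bytes:
    """LengthPrefixedAnsiString (MS-OLEDS): 4-byte length incl. NUL, then bytes."""
    if not s:
        return struct.pack("<I", 0)
    s += b"\x00"
    return struct.pack("<I", len(s)) + s


def build_ole1_object(class_name: bytes, native: bytes) -> bytes:
    """Constructed OLE 1.0 embedded object: OLEVersion, FormatID=2,
    ClassName/TopicName/ItemName, NativeDataSize, NativeData."""
    header = struct.pack("<II", 0x00000501, 2)
    header += _lp_str(class_name) + _lp_str(b"") + _lp_str(b"")
    return header + struct.pack("<I", len(native)) + native


# Constructed sample RTF: one object whose ClassName is "OLE2Link". The native
# data is just the CFB magic plus padding, not a real compound file.
SAMPLE_RTF = (
    b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass OLE2Link}{\\*\\objdata "
    + build_ole1_object(b"OLE2Link", CFB_MAGIC + b"\x00" * 24).hex().encode()
    + b"}}}"
)

OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")


def extract_objdata(rtf: bytes) -> list:
    """Hex-decode every \\objdata group. Simplification: the hex run is assumed
    contiguous; obfuscated samples interleave control words, which rtfdump.py
    handles and this sketch does not."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(rb"\s+", b"", m.group(1))
        if len(hexdata) % 2:            # tolerate a dangling nibble
            hexdata = hexdata[:-1]
        blobs.append(bytes.fromhex(hexdata.decode("ascii")))
    return blobs


def parse_ole1_header(blob: bytes) -> dict:
    """Parse the OLE 1.0 ObjectHeader that precedes the native data."""
    version, format_id = struct.unpack_from("<II", blob, 0)
    off = 8
    names = []
    for _ in range(3):                  # ClassName, TopicName, ItemName
        (n,) = struct.unpack_from("<I", blob, off)
        off += 4
        names.append(blob[off:off + n].rstrip(b"\x00").decode("latin-1"))
        off += n
    info = {"ole_version": version, "format_id": format_id,
            "class_name": names[0], "topic_name": names[1],
            "item_name": names[2], "native_data": b""}
    if format_id == 2:                  # embedded: NativeDataSize + NativeData
        (size,) = struct.unpack_from("<I", blob, off)
        info["native_data"] = blob[off + 4:off + 4 + size]
    return info


def scan_rtf(rtf: bytes) -> list:
    """Flag OLE2Link objects and whether their payload is a compound file."""
    findings = []
    for blob in extract_objdata(rtf):
        try:
            hdr = parse_ole1_header(blob)
        except struct.error:            # truncated or non-OLE1 object data
            findings.append({"class_name": None, "ole2link": False, "cfb": False})
            continue
        findings.append({
            "class_name": hdr["class_name"],
            "ole2link": hdr["class_name"].lower() == "ole2link",
            "cfb": hdr["native_data"].startswith(CFB_MAGIC),
        })
    return findings


if __name__ == "__main__":
    for finding in scan_rtf(SAMPLE_RTF):
        print(finding)
```

The ClassName check is the same signal the generic OLE2Link Yara rule keys on; parsing the header as well lets you hand the carved native data to a second-stage tool (oledump, a CFB parser) instead of stopping at a string match.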

The downloaded second stage payload "file001.url" is a Word document as well and contains appended HTML content with a Follina-style msdt Handler execution inside an iframe. We created a #Yara rule for this payload, available via our GitHub repo and @abuse_ch's #Yarahub.

https://yaraify.abuse.ch/yarahub/rule/MALWARE_Storm0978_HTML_PROTHANDLER_Jul23
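The second stage described above is a Word document with HTML appended after the document proper. An added illustration of how to triage that (our own sketch, not the published Yara rule and not code from the thread): assuming the document is an OOXML (ZIP-based) container, everything after the ZIP end-of-central-directory record and its comment is appended data, and that trailer is where to look for an iframe whose src uses the ms-msdt: protocol handler. The sample document is constructed inline with the zipfile module and the iframe target is a placeholder string, not the sample's real handler argument.

```python
import io
import re
import zipfile

# Constructed stand-in for the second stage: a minimal OOXML-style ZIP with
# HTML appended after the end-of-central-directory record. The iframe target
# is a placeholder, not the sample's real ms-msdt argument string.
MSDT_IFRAME = (b'<iframe src="ms-msdt:CONSTRUCTED-PLACEHOLDER" '
               b'style="display:none"></iframe>')


def build_sample(append_html: bool = True) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        z.writestr("word/document.xml", "<w:document/>")
    data = buf.getvalue()
    if append_html:
        data += b"\r\n<html><body>" + MSDT_IFRAME + b"</body></html>"
    return data


EOCD_SIG = b"PK\x05\x06"
IFRAME_RE = re.compile(rb"<iframe[^>]*?src\s*=\s*[\"']?\s*(ms-msdt:[^\"'>\s]*)", re.I)


def zip_trailing_data(data: bytes) -> bytes:
    """Bytes after the ZIP end-of-central-directory record and its comment.
    A clean .docx has none, so anything here is appended content.
    Caveat: rfind picks the last EOCD signature, which appended data could
    itself contain; a stricter parser would validate the central directory."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0 or eocd + 22 > len(data):
        return b""
    comment_len = int.from_bytes(data[eocd + 20:eocd + 22], "little")
    return data[eocd + 22 + comment_len:]


def scan_docx(data: bytes) -> dict:
    """Report appended HTML and any iframe whose src uses the ms-msdt: handler."""
    trailer = zip_trailing_data(data)
    hits = [m.group(1).decode("latin-1") for m in IFRAME_RE.finditer(trailer)]
    return {
        "is_zip": data.startswith(b"PK\x03\x04"),
        "trailing_bytes": len(trailer),
        "html_appended": b"<html" in trailer.lower(),
        "msdt_iframe": hits,
        "suspicious": bool(hits),
    }


if __name__ == "__main__":
    print(scan_docx(build_sample()))
    print(scan_docx(build_sample(append_html=False)))
```

For a legacy OLE .doc the same idea applies, but the end of the legitimate file has to be computed from the compound-file sector layout rather than from a ZIP record.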

Microsoft Threat Intel attributed this Malspam attack to "Storm-0978" ("RomCom", too ambiguous), along with a Ransomware variant "Underground". We found the following samples w/ a simple #Yara hunting rule:

059175be5681a633190cd9631e2975f6

f27ce4ec855fbb93ec4aa662ca71ad05

https://yaraify.abuse.ch/yarahub/rule/MALWARE_Storm0978_Underground_Ransomware_Jul23

As noted by Microsoft, we found that "Underground" ransomware shows striking similarities to #IndustrialSpy, e.g. stylometric matches in the ransom note, similarities in the code (browser allowlist) and in their dark web contact page.

IndustrialSpy: https://zscaler.com/blogs/security-research/technical-analysis-industrial-spy-ransomware

Current #CVE_2023_36884 mitigation options:
- Monitor ingress email
- Enable MDE ASR rules, e.g. "Office Child Processes"
- Use the registry workaround proposed by Microsoft: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884
- Disable OLE2Link via the registry as proposed by NCC above (untested)

The current vulns show once again that MS Office has a very broad attack surface and that definitive patches are difficult. Let's see how Microsoft responds. As for Storm-0978, both espionage and fincrime motives are certainly plausible, although they are to be viewed separately.

Thank you for reading the thread all the way to the end. If you liked it, consider following us to stay up to date on our latest research!

#cybersecurity #infosec #blueteam #cyberdefense


Great catch @StopMalvertisin
#APT29🎣! We created a #Yara hunting rule to look for similar SVGs and found this sample:

test.svg
MD5: 5d327af805d36036c79cca2a027c1168
First seen: 2023-06-10

Uses a base64-encoded payload called test[.]zip, which contains a legitimate procexp64.exe.

You can find our rule on @abuse_ch's #Yarahub and in our Github repo. Happy Hunting! 🔍

Yarahub: https://yaraify.abuse.ch/yarahub/rule/MALWARE_APT29_SVG_Delivery_Jul23

Github: https://github.com/SIFalcon/Detection

#cybersecurity #cyberdefense #infosec #blueteam
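The SVG lure above carries its test[.]zip as a base64 blob inside the image. As an added illustration of how to triage such files (our own sketch, not the published Yara rule), the code below carves every long base64 run out of an SVG, decodes it, labels the result by its magic bytes and, for ZIP archives, lists the member names so a dropped executable stands out. The sample SVG is constructed inline; its archive holds a placeholder file named procexp64.exe with dummy bytes, not the real Sysinternals binary.

```python
import base64
import io
import re
import zipfile


# Constructed sample: an SVG whose <script> holds a base64-encoded ZIP (the
# lure's test[.]zip pattern). The ZIP contains a placeholder file named
# procexp64.exe with dummy bytes, not the real Sysinternals binary.
def build_sample_svg() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("procexp64.exe", b"MZ" + b"\x00" * 62 + b"PLACEHOLDER-NOT-A-REAL-PE")
    b64 = base64.b64encode(buf.getvalue()).decode()
    return (
        '<svg xmlns="http://www.w3.org/2000/svg">'
        f'<script type="text/javascript">var data="{b64}";var name="test.zip";</script>'
        '<rect width="1" height="1"/></svg>'
    ).encode()


SAMPLE_SVG = build_sample_svg()

B64_RUN_RE = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")
MAGICS = {b"PK\x03\x04": "zip", b"MZ": "pe", b"%PDF": "pdf",
          b"\xd0\xcf\x11\xe0": "ole"}


def carve_base64_blobs(data: bytes) -> list:
    """Decode every long base64 run in the file and label it by magic bytes."""
    out = []
    for m in B64_RUN_RE.finditer(data):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:              # binascii.Error subclasses ValueError
            continue
        kind = next((k for magic, k in MAGICS.items() if raw.startswith(magic)),
                    "unknown")
        out.append({"offset": m.start(), "kind": kind, "size": len(raw), "data": raw})
    return out


def zip_members(raw: bytes) -> list:
    """Member names and sizes of a carved ZIP, without extracting anything."""
    with zipfile.ZipFile(io.BytesIO(raw)) as z:
        return [(i.filename, i.file_size) for i in z.infolist()]


def scan_svg(svg: bytes) -> dict:
    """Triage an SVG: script present, embedded blobs, and dropped file names."""
    blobs = carve_base64_blobs(svg)
    members = [name for b in blobs if b["kind"] == "zip"
               for name, _ in zip_members(b["data"])]
    return {
        "has_script": b"<script" in svg.lower(),
        "embedded_blobs": [(b["kind"], b["size"]) for b in blobs],
        "zip_members": members,
        "drops_executable": any(n.lower().endswith((".exe", ".dll", ".scr"))
                                for n in members),
    }


if __name__ == "__main__":
    print(scan_svg(SAMPLE_SVG))
```

A benign SVG has neither a script element nor a decodable blob with a file magic; the combination of an inline script and a base64 ZIP that drops an .exe is what a hunting rule for this delivery style keys on.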


📧🙄 #Emotet News: Another one of our predictions for the ongoing campaign turns out to be correct: E4 and E5 are now spamming #OneNote lures. We published a #Yara rule on @abuse_ch #Yarahub to detect the .one -> .wsf delivery method.
Yarahub: https://yaraify.abuse.ch/yarahub/rule/MALWARE_Emotet_OneNote_Delivery_wsf_Mar23

#cybersecurity #infosec #blueteam
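The .one -> .wsf delivery relies on a file embedded in the OneNote section. As an added illustration of how to carve such embeds for triage (our own sketch, not the published Yara rule), the code below walks every FileDataStoreObject in a .one file using the header and footer GUIDs from the MS-ONESTORE spec (guidHeader, then an 8-byte cbLength, 4 unused and 8 reserved bytes, the file data, then guidFooter) and classifies each carved file, flagging a Windows Script File by its <job> root element. The sample section is constructed inline around a placeholder WSF, not taken from an Emotet sample.

```python
import struct
import uuid

# GUIDs from MS-ONESTORE: the .one file type GUID and the FileDataStoreObject
# header/footer markers; bytes_le gives their on-disk byte order.
ONE_MAGIC = uuid.UUID("7B5C52E4-D88C-4DA7-AEB1-5378D02996D3").bytes_le
FDSO_HEADER = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le
FDSO_FOOTER = uuid.UUID("71FBA722-0F79-4A0B-BB13-899256426B24").bytes_le

# Constructed WSF stand-in: a job file with an empty placeholder script.
WSF_PAYLOAD = (b'<job id="constructed"><script language="JScript">'
               b'/* placeholder */</script></job>')


def build_sample_one(payload: bytes) -> bytes:
    """Constructed .one-like blob: magic, padding, one embedded file, padding.
    FileDataStoreObject layout assumed: guidHeader(16) cbLength(8) unused(4)
    reserved(8) FileData guidFooter(16)."""
    obj = (FDSO_HEADER + struct.pack("<Q", len(payload)) + b"\x00" * 12
           + payload + FDSO_FOOTER)
    return ONE_MAGIC + b"\x00" * 64 + obj + b"\x00" * 32


def carve_embedded_files(data: bytes) -> list:
    """Walk every FileDataStoreObject and return its FileData."""
    files, pos = [], 0
    while True:
        pos = data.find(FDSO_HEADER, pos)
        if pos < 0 or pos + 36 > len(data):
            break
        (length,) = struct.unpack_from("<Q", data, pos + 16)
        start = pos + 36
        blob = data[start:start + length]
        files.append({"offset": start, "size": length, "data": blob,
                      "footer_ok": data[start + length:start + length + 16] == FDSO_FOOTER})
        pos = start + length
    return files


def classify(blob: bytes) -> str:
    """Cheap type guess for an embedded file; a WSF is XML-ish with a <job> root."""
    head = blob.lstrip()[:512].lower()
    if head.startswith((b"<job", b"<package")) or (head.startswith(b"<?xml") and b"<job" in head):
        return "wsf"
    if blob.startswith(b"MZ"):
        return "pe"
    if blob.startswith(b"PK\x03\x04"):
        return "zip"
    if head.startswith((b"<html", b"<!doctype")):
        return "html"
    return "unknown"


def scan_onenote(data: bytes) -> dict:
    """Summarise embedded file types and whether a WSF dropper is present."""
    files = carve_embedded_files(data)
    kinds = [classify(f["data"]) for f in files]
    return {"is_onenote": data.startswith(ONE_MAGIC), "embedded": kinds,
            "wsf_dropper": "wsf" in kinds}


if __name__ == "__main__":
    print(scan_onenote(build_sample_one(WSF_PAYLOAD)))
```

Checking that the footer GUID sits exactly cbLength bytes after the data start is a cheap sanity test that the carve is aligned; a mismatch usually means a corrupted or deliberately malformed object rather than a parser bug.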
