Threat Overview – CVE-2023-36884
CVE-2023-36884 is a remote code execution vulnerability in Microsoft Office and Windows HTML that was being exploited in the wild before a patch existed. Microsoft attributes the exploitation to the threat actor it tracks as Storm-0978 (also known as RomCom, previously DEV-0978), a group it assesses to be operating out of Russia. The campaign targets defense and government organizations in North America and Europe and delivers the group's own toolset, including the RomCom backdoor and Underground ransomware.
Microsoft published its advisory for CVE-2023-36884 in July 2023. Storm-0978 exploited the vulnerability in a phishing campaign built around a malicious Word document. Once opened, the document causes the Office process to spawn child processes it has no business launching, such as mshta.exe, splwow64.exe, powershell.exe, or cmd.exe; an Office application with one of those as a direct child is the behavioural indicator to hunt for. Note that splwow64.exe can also appear legitimately when a 32-bit Office build prints on 64-bit Windows, so treat it as a weaker signal than mshta.exe, powershell.exe or cmd.exe and check the command line and what it spawns next. At the time of the advisory no patch was available and Microsoft was still investigating, so users need to stay informed and rely on mitigations.
The lure is a carefully crafted Word document. Opening it triggers the download of a payload that compromises the system, typically a backdoor from the RomCom family. BlackBerry's research team describes the document as carrying an RTF (Rich Text Format) based exploit: the RTF content causes Office to make an outbound connection and pull OLE (Object Linking and Embedding) objects into the Office process, and that stage in turn deploys the RomCom backdoor. The outbound connection from the Office process and the child-process activity that follows are the two points at which the chain is observable on the endpoint.
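The child-process behaviour described above is simple to hunt for if process-creation telemetry exists. The following PowerShell is an added example written for this page; it is not one of Cyborg Security's hunt packages and not code from the Microsoft or BlackBerry research. Live collection assumes Sysmon is installed with process-creation logging (Event ID 1) and uses the standard Sysmon log and field names; the sample event at the bottom is constructed so the parser and the rule can be exercised offline, and its paths and user name are placeholders.

```powershell
# Added hunt example (not Cyborg Security's hunt-package content). Flags Office
# parents spawning the child processes named in the advisory.
# Assumption: Sysmon with Event ID 1 (process creation) enabled on the host.

$OfficeParents   = @('winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe', 'msaccess.exe', 'mspub.exe')
$SuspectChildren = @('mshta.exe', 'splwow64.exe', 'powershell.exe', 'cmd.exe')

function Get-ImageName {
    # Last path component, lower-cased. Splits on either separator so Windows
    # paths can also be analysed from a non-Windows host.
    param([string]$Path)
    if (-not $Path) { return '' }
    return ($Path -split '[\\/]')[-1].ToLowerInvariant()
}

function Test-OfficeChildProcess {
    # True when an Office application is the direct parent of a suspect child.
    param([string]$ParentImage, [string]$Image)
    return (($OfficeParents -contains (Get-ImageName $ParentImage)) -and ($SuspectChildren -contains (Get-ImageName $Image)))
}

function ConvertFrom-SysmonProcessCreate {
    # Sysmon Event ID 1 messages are "Key: Value" lines; pull out the fields we hunt on.
    param([Parameter(Mandatory)]$Event)
    $fields = @{}
    foreach ($line in ($Event.Message -split "`r?`n")) {
        if ($line -match '^(?<k>[^:]+):\s*(?<v>.*)$') { $fields[$Matches.k.Trim()] = $Matches.v.Trim() }
    }
    [pscustomobject]@{
        TimeCreated = $Event.TimeCreated
        ParentImage = $fields['ParentImage']
        Image       = $fields['Image']
        CommandLine = $fields['CommandLine']
        User        = $fields['User']
    }
}

function Find-OfficeChildProcesses {
    # Live hunt over the last N hours of Sysmon process-creation events.
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-SysmonProcessCreate $_ } |
        Where-Object { Test-OfficeChildProcess -ParentImage $_.ParentImage -Image $_.Image }
}

# Constructed sample event (not a real capture) so the parser and the rule can be
# exercised offline; the paths and the user are placeholders.
$sample = [pscustomobject]@{
    TimeCreated = Get-Date
    Message     = @"
Process Create:
RuleName: -
Image: C:\Windows\System32\mshta.exe
CommandLine: "C:\Windows\System32\mshta.exe" C:\Users\analyst\AppData\Local\Temp\stage.hta
User: CORP\analyst
ParentImage: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
ParentCommandLine: "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\analyst\Downloads\invite.docx"
"@
}
$parsed = ConvertFrom-SysmonProcessCreate $sample
Test-OfficeChildProcess -ParentImage $parsed.ParentImage -Image $parsed.Image

# On a host with Sysmon, run the live hunt instead:
# Find-OfficeChildProcesses -Hours 72 | Format-Table TimeCreated, User, ParentImage, Image, CommandLine -AutoSize
```

For the constructed sample, Test-OfficeChildProcess returns $true because WINWORD.EXE is the parent and mshta.exe the child. Because splwow64.exe has a legitimate printing use, review its command line and descendants before treating a hit on it alone as an incident; the other three children under an Office parent should be escalated.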
Taking Action Against CVE-2023-36884
Until patches are available, Microsoft advises enabling the Microsoft Defender attack surface reduction rule “Block all Office applications from creating child processes”. The rule does not fix the underlying flaw; it breaks the observed exploitation chain by stopping the Office process from launching mshta.exe, powershell.exe, cmd.exe and similar children, which is what the exploit relies on for code execution. It requires Microsoft Defender Antivirus to be the active antivirus, and because some legitimate add-ins and macros also spawn helper processes, roll it out in audit mode first and review the audit events before switching to block. As the vulnerability is still fresh and under investigation, Cyborg Security will continue to update this content with new findings. For a deeper dive, see the research articles by Microsoft and BlackBerry.
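The following PowerShell is an added example for enabling and verifying that rule; it is not Microsoft's or Cyborg Security's own script. D4F940AB-401B-4EFC-AADC-AD5F3C50688A is Microsoft's published GUID for “Block all Office applications from creating child processes”. It assumes an elevated session on a host where Microsoft Defender Antivirus is the active antivirus; the Get-AsrRuleState helper and the two-stage audit-then-enforce flow are this example's own design.

```powershell
# Added example (not Microsoft's or Cyborg Security's script): check, enable and
# verify the Defender ASR rule "Block all Office applications from creating child
# processes". Assumes an elevated PowerShell session with Defender AV active.

$OfficeChildRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

function Get-AsrRuleState {
    # Map the numeric action Defender stores for the rule back to a name.
    param([string]$RuleId = $OfficeChildRule)
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { "$_".ToUpperInvariant() })
    $idx  = [array]::IndexOf($ids, $RuleId.ToUpperInvariant())
    if ($idx -lt 0) { return 'NotConfigured' }
    switch ([int]$pref.AttackSurfaceReductionRules_Actions[$idx]) {
        0 { 'Disabled' }
        1 { 'Block' }
        2 { 'AuditMode' }
        6 { 'Warn' }
        default { "Unknown($_)" }
    }
}

function Set-AsrRuleState {
    # AuditMode only logs what the rule would block; use it first where
    # line-of-business add-ins or macros spawn helper processes, then Enabled.
    param(
        [string]$RuleId = $OfficeChildRule,
        [ValidateSet('Enabled', 'AuditMode', 'Warn', 'Disabled')][string]$Action = 'Enabled'
    )
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions $Action
}

function Get-AsrRuleEvents {
    # Defender logs Event ID 1121 when a rule blocks and 1122 when it fires in
    # audit mode; the message carries the rule GUID, the parent and the child.
    param([string]$RuleId = $OfficeChildRule, [int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $RuleId }
}

# Stage 1: audit, then watch the 1122 events for legitimate Office child processes.
Set-AsrRuleState -Action AuditMode
Get-AsrRuleState
Get-AsrRuleEvents -Hours 24 | Select-Object TimeCreated, Id, Message

# Stage 2, after the audit window is reviewed and exceptions are handled:
# Set-AsrRuleState -Action Enabled
```

If Get-AsrRuleState reports NotConfigured after Set-AsrRuleState, the session was not elevated or Defender is not the active antivirus (a third-party AV in control means ASR rules do not apply). Audit-mode 1122 events that show only the children named in the advisory, under an Office parent that should not be launching them, are the signal to move to block; any legitimate helper process that shows up needs an exclusion or a change to the add-in before enforcement.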
To stay ahead of such threats, consider leveraging Cyborg Security’s free hunt packages. Don’t have a Community account? No problem, you can sign up for free and get started on your threat hunting journey today.