Threat actors known as “Storm-0978” are actively exploiting an unpatched Microsoft Office and Windows HTML remote code execution vulnerability. This high-severity zero-day vulnerability, assigned a CVSS v3.1 score of 8.3 and designated as CVE-2023-36884, has been exploited via specially-crafted Microsoft Office documents that victims are tricked into opening using email lures.
Storm-0978 is targeting defense and government entities in Europe and North America with “Ukrainian World Congress” and “NATO” themed emails, which include links to a website that hosts the weaponized documents.
Once the victim opens the malicious Office document, the threat actors gain the ability to execute arbitrary code on the targeted system, potentially delivering additional payloads such as remote access trojans (RATs) or ransomware.
Given that this vulnerability is currently unpatched, other threat actors may seek to deploy similar threats using similar tactics and techniques, such as delivering the malicious documents as email attachments rather than linking to a malicious site.
At the time of publication, a full list of vulnerable Microsoft Office and Windows versions has not been shared, although it is thought that recent Office, Windows, and Word versions are affected.
Who is Storm-0978?
Storm-0978 — also known as “RomCom” based on their previous use of the RomCom RAT — are reportedly a Russian-nexus cybercriminal gang, active since at least 2022.
Having previously used Trojanized versions of popular software to distribute the RomCom RAT, the group has also been linked to ransomware threats “Trigona” and “Underground,” the latter being a potential rebrand of “Industrial Spy.”
As is often the case with financially-motivated threat actors, their previous attacks against the telecommunications and finance industries appear to have been opportunistic. Their recent activity, by contrast, appears to be far more targeted and potentially motivated by an espionage objective.
Recommendations
Pending the release of an out-of-cycle security update or an update through the monthly Patch Tuesday release, organizations should follow the current Microsoft advice provided in their security update guide, which recommends enabling the “Block all Office applications from creating child processes” attack surface reduction rule in Microsoft Defender or configuring the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key.
In making these changes, it’s important that organizations take into consideration the impacts of any registry change, as these may affect application functionality. Organizations should also consider adopting a proactive approach to this by monitoring the release of any out-of-cycle security updates.
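As an added example (not code from the advisory or from Microsoft), the following PowerShell applies both interim mitigations named above on a single host. The ASR rule GUID, the registry path and the list of process names are taken from Microsoft's published mitigation guidance rather than from this page, so confirm them against the current security update guide before deploying.

```powershell
# Added example: apply the two interim mitigations for CVE-2023-36884.
# Run from an elevated PowerShell session. Test on a pilot group first,
# since both changes can affect Office add-ins and workflows.

# 1. Microsoft Defender ASR rule "Block all Office applications from creating
#    child processes". GUID per Microsoft's ASR rule reference (assumption:
#    verify against the current documentation). Use AuditMode instead of
#    Enabled to measure impact before enforcing.
$asrRuleId = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
Add-MpPreference -AttackSurfaceReductionRules_Ids $asrRuleId `
                 -AttackSurfaceReductionRules_Actions Enabled

# 2. FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key, one DWORD=1
#    per Office binary. Path and process list per Microsoft's advisory
#    (assumption: verify against the security update guide).
$keyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
$processes = 'Excel.exe', 'Graph.exe', 'MSAccess.exe', 'MSPub.exe',
             'PowerPoint.exe', 'Visio.exe', 'WinProj.exe', 'WinWord.exe', 'Wordpad.exe'

if (-not (Test-Path -Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}
foreach ($proc in $processes) {
    New-ItemProperty -Path $keyPath -Name $proc -PropertyType DWord -Value 1 -Force | Out-Null
}

# 3. Verify both settings took effect.
#    ASR action codes: 0 = Disabled, 1 = Enabled (Block), 2 = AuditMode.
$prefs = Get-MpPreference
for ($i = 0; $i -lt $prefs.AttackSurfaceReductionRules_Ids.Count; $i++) {
    if ($prefs.AttackSurfaceReductionRules_Ids[$i] -eq $asrRuleId) {
        "ASR rule $asrRuleId action: $($prefs.AttackSurfaceReductionRules_Actions[$i])"
    }
}
# Every listed process should show a value of 1.
Get-ItemProperty -Path $keyPath | Select-Object -Property $processes
```

Roll the same settings out fleet-wide through Group Policy or Intune rather than per host; the registry key can be removed again once the patched Office/Windows builds are deployed.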
Additionally, consider blocking access to the domains and IP addresses listed in the indicators of compromise (IOC) section. This will not only prevent users from reaching the malicious content, but will also disrupt potential command and control activity.
Lastly, if a targeted attack is suspected, conduct a thorough review of your environment for the IOCs provided below and take immediate measures to contain and remediate any identified threats. By following these recommendations, your organization can bolster its security posture and minimize the impact of potential security breaches.
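As an added example (not part of the original post), the following PowerShell runs two hunts driven by the indicators in the IOC table below: a search of proxy logs for the listed hosts and the shared MSHTML_C7 path segment, and a check of user profiles for the victim-specific staging folder. The log directory, log format and the resolution of the table's temp path to each user's AppData\Local\Temp are assumptions.

```powershell
# Added example: hunt for the indicators published in this post.
# Indicators below are copied from the IOC table with the defanging
# brackets removed so they match raw log text.
$iocHosts = @(
    'ukrainianworldcongress.info',
    '104.234.239.26', '213.139.204.173', '66.23.226.102',
    '74.50.94.156', '94.232.40.34'
)
# Every URL in the table shares this path segment, so it is a useful pivot
# even if the operators rotate hosting.
$pathPattern = 'MSHTML_C7'

# Hunt 1: proxy / firewall logs. Assumption: plain-text logs under this
# directory with the requested URL or destination host somewhere on the line.
$logDir = 'C:\Logs\Proxy'
$hostPattern = ($iocHosts | ForEach-Object { [regex]::Escape($_) }) -join '|'
Get-ChildItem -Path $logDir -Filter '*.log' -ErrorAction SilentlyContinue |
    Select-String -Pattern "($hostPattern)|$pathPattern" |
    ForEach-Object {
        '{0}:{1}: {2}' -f $_.Filename, $_.LineNumber, $_.Line.Trim()
    }

# Hunt 2: endpoint artefact. The table lists
#   ...\Temp\Temp1_<VICTIM_IP>_<5_CHAR_HEX_ID>_file001.zip\2222.chm
# The Temp1_ prefix is what Explorer uses when a file is opened straight
# from a zip, so look for that folder shape in every user's Local\Temp
# (assumption: profiles live under C:\Users).
Get-ChildItem -Path 'C:\Users\*\AppData\Local\Temp' -Directory `
              -Filter 'Temp1_*_file001.zip' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $chm = Join-Path -Path $_.FullName -ChildPath '2222.chm'
        if (Test-Path -Path $chm) {
            [pscustomobject]@{
                Folder = $_.FullName
                CHM    = $chm
                SHA256 = (Get-FileHash -Algorithm SHA256 -Path $chm).Hash
            }
        }
    }
```

Any hit from either hunt warrants isolating the host and collecting the document, the CHM folder and the user's mail and browser history before remediation.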
Indicators of compromise (IOC)
| IOC | Type | Description |
|---|---|---|
| ukrainianworldcongress[.]info | Domain | Mimics the legitimate domain ukrainianworldcongress[.]org |
| %APPDATA%\Local\Temp\Temp1_<VICTIM_IP>_<5_CHAR_HEX_ID>_file001.zip\2222.chm | File path | Victim specific CHM payload containing file1.htm, file1.mht, fileH.htm, fileH.mht and INDEX.htm |
| 104.234.239[.]26 | IPv4 | Hosts C2 and additional payloads |
| 213.139.204[.]173 | IPv4 | Resolves to ukrainianworldcongress[.]info |
| 66.23.226[.]102 | IPv4 | Potential Storm-0978 infrastructure (similar content) |
| 74.50.94[.]156 | IPv4 | Hosts C2 and additional payloads |
| 94.232.40[.]34 | IPv4 | Potential Storm-0978 infrastructure (similar content) |
| 07377209fe68a98e9bca310d9749daa4eb79558e9fc419cf0b02a9e37679038d | SHA256 | Second stage malicious Microsoft Word document - file001.url |
| 07377209fe68a98e9bca310d9749daa4eb79558e9fc419cf0b02a9e37679038d | SHA256 | Second stage malicious Microsoft Word document - \\104.234.239[.]26\share1\MSHTML_C7\file001.url |
| 3a3138c5add59d2172ad33bc6761f2f82ba344f3d03a2269c623f22c1a35df97 | SHA256 | Letter_NATO_Summit_Vilnius_2023_ENG.docx - Lure document |
| a61b2eafcf39715031357df6b01e85e0d1ea2e8ee1dfec241b114e18f7a1163f | SHA256 | Overview_of_UWCs_UkraineInNATO_campaign.docx - Lure document |
| ddf15e9ed54d18960c28fb9a058662e7a26867776af72900697400cb567c79be | SHA256 | Malicious Word document - hxxp://74.50.94[.]156/MSHTML_C7/doc_dld.asp?filename=<FILENAME.DOC> |
| e7cfeb023c3160a7366f209a16a6f6ea5a0bc9a3ddc16c6cba758114dfe6b539 | SHA256 | afchunk.rtf - Exploit payload embedded within the lure documents |
| \\104.234.239[.]26\share1\MSHTML_C7\file001.url | UNC path | Second stage malicious Microsoft Word document - 07377209fe68a98e9bca310d9749daa4eb79558e9fc419cf0b02a9e37679038d |
| \\104.234.239[.]26\share1\MSHTML_C7\file001.url | URL | Second stage malicious Microsoft Word document - 07377209fe68a98e9bca310d9749daa4eb79558e9fc419cf0b02a9e37679038d |
| hxxp://104.234.239[.]26/share1/MSHTML_C7/1/<VICTIM_IP>_<5_CHAR_HEX_ID>_file001.htm?d=<VICTIM_IP>_<5_CHAR_HEX_ID> | URL | Call home, used to generate payloads with victim IP/identifier |
| hxxp://104.234.239[.]26/share1/MSHTML_C7/1/<VICTIM_IP>_<5_CHAR_HEX_ID>_file001.zip | URL | Payload generated for victim IP |
| hxxp://104.234.239[.]26/share1/MSHTML_C7/file001.url | URL | Second stage malicious Microsoft Word document - 07377209fe68a98e9bca310d9749daa4eb79558e9fc419cf0b02a9e37679038d |
| hxxp://66.23.226[.]102/MSHTML_C7/start.xml | URL | Potential Storm-0978 infrastructure (similar content) |
| hxxp://74.50.94[.]156/MSHTML_C7/doc_dld.asp?filename=<FILENAME.DOC> | URL | Malicious Word document - ddf15e9ed54d18960c28fb9a058662e7a26867776af72900697400cb567c79be |
| hxxp://74.50.94[.]156/MSHTML_C7/o2010.asp?d=<VICTIM_IP>_<5_CHAR_HEX_ID>_ | URL | Payload generated for victim IP |
| hxxp://74.50.94[.]156/MSHTML_C7/RFile.asp | URL | Referenced by start.xml, loads content generated for victim IP |
| hxxp://74.50.94[.]156/MSHTML_C7/start.xml | URL | Loads RFile.asp |
| hxxp://74.50.94[.]156/MSHTML_C7/zip_k.asp?d=<VICTIM_IP>_<5_CHAR_HEX_ID>_ | URL | Payload generated for victim IP |
| hxxp://74.50.94[.]156/MSHTML_C7/zip_k2.asp?d=<VICTIM_IP>_<5_CHAR_HEX_ID>_ | URL | Payload generated for victim IP |
| hxxp://74.50.94[.]156/MSHTML_C7/zip_k3.asp?d=<VICTIM_IP>_<5_CHAR_HEX_ID>_ | URL | Payload generated for victim IP |
| hxxp://94.232.40[.]34/MSHTML_C7/start.xml | URL | Potential Storm-0978 infrastructure (similar content) |
| hxxp://www.ukrainianworldcongress[.]info/sites/default/files/document/forms/2023/Letter_NATO_Summit_Vilnius_2023_ENG.docx | URL | Lure document |
| hxxps://www.ukrainianworldcongress[.]info/sites/default/files/document/forms/2023/Overview_of_UWCs_UkraineInNATO_campaign.docx | URL | Lure document |