A July 2023 campaign targeting the NATO Summit leveraged a weaponized Word document to exploit CVE-2023-36884 and bypass Microsoft’s Mark of the Web (MotW), leading to a multi-stage infection chain attributed to Storm-0978 (RomCom Group). In the course of the analysis a separate MotW bypass technique was identified and assigned CVE-2023-36584 by Microsoft; it enables execution through a sophisticated sequence of document- and system-level manipulations. #Storm-0978 #RomCom
Keypoints
- Storm-0978 (RomCom Group) used a weaponized .docx lure tied to NATO-related discussions to deliver a multi-stage exploit chain.
- The campaign exploited CVE-2023-36884 (RCE in Microsoft Office) to infect targets with malware, with Microsoft assigning CVE-2023-36584 to a new MotW bypass vector.
- The attack relies on a complex flow including Word’s altChunk loading external content, two malicious OLE objects in afchunk.rtf, and remote content from SMB/HTTP sources.
- NTLM credential leakage to an attacker-controlled SMB server occurs when the victim accesses certain remote resources, facilitating further stages.
- New MotW bypass techniques (CVE-2023-36584) use server-side ZIP manipulation and timing delays to evade MotW and Zone restrictions, enabling execution from Security Zone 1/0 contexts.
- Microsoft patched related components (UUIDs in temp files; zipfldr.dll changes) to mitigate the chain, but parts of the exploit remained unpatched at the time of analysis.
MITRE Techniques
- [T1203] Exploitation for Client Execution – A remote code execution vulnerability in Microsoft Office (CVE-2023-36884) was used to infect targets with malware. “a highly complex and well-developed exploit chain leveraging a remote code execution (RCE) vulnerability in Microsoft Office designated CVE-2023-36884 to infect its targets with malware.”
- [T1566.002] Phishing: Spearphishing Link – The NATO Summit-themed lure was distributed via email containing a link to the weaponized Word document. “The above link indicates this document was most likely distributed through email, with the email text containing a link to the .docx file.”
- [T1059.005] Command and Scripting Interpreter: Visual Basic – The chain includes a malicious VBScript file (ex001.vbs) designed to bypass SmartScreen. “The downloaded file contains malicious Visual Basic Script (VBS) designed to bypass SmartScreen.”
- [T1562.001] Impair Defenses – MotW bypass via CVE-2023-36584, leveraging a race condition in Windows Search to bypass the Mark of the Web and execute from Zone 1/0 contexts. “New MotW Bypass – CVE-2023-36584” and related discussion on bypassing MotW.
Indicators of Compromise
- [SHA256] context – a61b2eafcf39715031357df6b01e85e0d1ea2e8ee1dfec241b114e18f7a1163f, 0896e7c5433b2d426a30a43e7f4ef351fa870be8bd336952a0655392f8f8052d – Overview_of_UWCs_UkraineInNATO_campaign.docx, and 2 more hashes
- [Filename] context – Overview_of_UWCs_UkraineInNATO_campaign.docx, word/document.xml, and 2 more items
- [URL] context – https://www.ukrainianworldcongress.info/sites/default/files/document/forms/2023/Overview_of_UWCs_UkraineInNATO_campaign.docx, hxxps://www.ukrainianworldcongress[.]info/sites/default/files/document/forms/2023/Overview_of_UWCs_UkraineInNATO_campaign.docx
- [URL] context – \\104.234.239[.]26\share1\MSHTML_C7\file001.url, hxxp://74.50.94[.]156/MSHTML_C7/start.xml