Storm-0978 attacks reveal financial and espionage motives | Microsoft Security Blog

Microsoft ties a Storm-0978 phishing operation to defense and government targets in Europe and North America, abusing CVE-2023-36884 via Word docs to deliver a RomCom backdoor and related ransomware. The campaign blends espionage-focused credential gathering with opportunistic ransomware, with Microsoft Defender and policy mitigations highlighted to curb impact. #Storm-0978 #RomCom #Underground #IndustrialSpy #CVE-2023-36884 #UkrainianWorldCongress

Keypoints

  • Storm-0978 conducted phishing operations targeting defense/government entities in Europe and North America, using CVE-2023-36884 and Word documents.
  • Trojanized versions of legitimate software install the RomCom backdoor; the installers are hosted on lookalike malicious domains (e.g., advanced-ip-scaner[.]com).
  • Ransomware activity (Underground and Industrial Spy) appears separate from the espionage targeting and is opportunistic in victim selection.
  • Post-compromise lateral movement leveraged Impacket's SMBExec and WMIExec.
  • Credentials were dumped from the Security Account Manager (SAM) for use in later operations.
  • Notable espionage activity includes campaigns since late 2022, such as December 2022 Ukrainian MOD email compromise and October 2022 fake installer campaigns.
  • Microsoft-provided mitigations include patching CVE-2023-36884, Defender protections, and registry-based workarounds (BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION) to reduce exploitation risk.
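The registry workaround named in the last keypoint is only useful if it is actually present on every endpoint, so here is an added audit script (not from the Microsoft post) that checks, and with -Apply sets, the per-application DWORD values. The key path and application list are assumptions taken from Microsoft's advisory for CVE-2023-36884; verify both against the current advisory before relying on them.

```powershell
# Added example, not part of the original post. Audits (and optionally applies) the
# FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION workaround for CVE-2023-36884.
# Assumption: key path and process names are as published in Microsoft's advisory.
param([switch]$Apply)

$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
$Apps = 'Excel.exe','Graph.exe','MSAccess.exe','MSPub.exe','PowerPoint.exe',
        'Visio.exe','WinProj.exe','WinWord.exe','Wordpad.exe'

function Get-WorkaroundStatus {
    # One row per Office process: the DWORD must be exactly 1 to count as applied.
    $key = Get-Item -Path $KeyPath -ErrorAction SilentlyContinue
    foreach ($app in $Apps) {
        $value = if ($key) { $key.GetValue($app, $null) } else { $null }
        [pscustomobject]@{
            Process = $app
            Value   = $value
            Applied = ($value -eq 1)
        }
    }
}

if ($Apply) {
    # Requires an elevated session; creates the key if it does not exist yet.
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    foreach ($app in $Apps) {
        New-ItemProperty -Path $KeyPath -Name $app -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

$status = Get-WorkaroundStatus
$status | Format-Table -AutoSize

# Non-zero exit lets a fleet-wide job flag hosts where the workaround is incomplete.
$missing = @($status | Where-Object { -not $_.Applied })
if ($missing.Count -gt 0) {
    Write-Warning ('Workaround not applied for: ' + ($missing.Process -join ', '))
    exit 1
}
```

The workaround is a stopgap: once the CVE-2023-36884 update is installed the patch is the fix, and Microsoft notes the setting can affect some Office functionality, so test before fleet-wide deployment.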

MITRE Techniques

  • [T1566.001] Phishing – Spearphishing Attachment – “phishing campaign conducted by the threat actor … delivery via Word documents … lures related to the Ukrainian World Congress.”
  • [T1203] Exploitation for Client Execution – “abuse of CVE-2023-36884, which included a remote code execution vulnerability exploited before disclosure to Microsoft via Word documents”
  • [T1036] Masquerading – “trojanized versions of popular, legitimate software, leading to the installation of RomCom. … register malicious domains mimicking the legitimate software (for example, the malicious domain advanced-ip-scaner[.]com).”
  • [T1583] Domain Registration – “registers malicious domains mimicking the legitimate software (for example, the malicious domain advanced-ip-scaner[.]com) to host the trojanized installers.”
  • [T1021.002] Remote Services – SMB/Windows Admin Shares – “Impacket framework’s SMBExec and WMIExec functionalities for lateral movement.”
  • [T1003.002] OS Credential Dumping – “dumping password hashes from the Security Account Manager (SAM) using the Windows registry.”
  • [T1486] Data Encrypted for Impact – Underground ransomware (and the related Industrial Spy ransomware) deployed as part of financially motivated operations.

Indicators of Compromise

  • [Domain] advanced-ip-scaner[.]com – hosting trojanized installers and domain impersonation
  • [Malware] RomCom backdoor – backdoor installed via trojanized software
  • [Malware] Underground ransomware – ransomware variant observed in campaigns
  • [Malware] Industrial Spy ransomware – related ransomware family linked to Storm-0978 activities
  • [Threat Actor] Storm-0978 – actor responsible for phishing and ransomware campaigns
  • [Vulnerability] CVE-2023-36884 – used in phishing payloads to gain execution

Read more: https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/