Zero-day deploys remote code execution vulnerability via Word documents

An unpatched zero-day vulnerability is currently being abused in the wild, targeting those with an interest in Ukraine. Microsoft reports that CVE-2023-36884 is tied to reports of:

…a series of remote code execution vulnerabilities impacting Windows and Office products. Microsoft is aware of targeted attacks that attempt to exploit these vulnerabilities by using specially-crafted Microsoft Office documents. An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim. However, an attacker would have to convince the victim to open the malicious file.

While the CVE is being updated with new information and links to appropriate security information, the Microsoft Security Blog is currently exploring the issue in detail.

This all ties back to a phishing campaign operated by a group being tracked as “Storm-0978” which targets defence and government entities in both Europe and North America. The campaign itself makes use of bait related to the Ukrainian World Congress, a non-profit organisation of “all Ukrainian public organisations in diaspora”.

These infections originate from remote code execution via Word documents exploiting the above Ukraine-themed bait, as well as an “abuse of vulnerabilities contributing to a security feature bypass”. A fake OneDrive loader delivers a backdoor with similarities to RomCom, their primary backdoor tool. It’s unusual to observe websites involved in this kind of attack still be online hours after a reveal, but here are some shots we took of both site and downloads (thanks to Jerome):

Fake congress website

Word exploit site

Some of the other attacks launched by this group involve distribution of trojanized versions of popular software. Once the backdoor has taken hold, the group “may steal credentials to be used in targeted operations”.

Popular tools used for these installations include trojanized versions of Solarwinds Network Performance Monitor, KeePass, Signal, and Adobe products. Bogus domains imitating the real thing are registered and used as convincing fronts for the infected software.

Microsoft notes that this group also has a hand in ransomware attacks, though it is less targeted in nature and unrelated to any espionage-themed operations. Attacks which have been identified as belonging to Storm-0978 in this realm have impacted finance and telecommunications industries.

A variety of attacks on several fronts, then. 

Microsoft gives the following advice for organisations concerned with the potential threat of compromise from the most recent attacks:

CVE-2023-36884 specific recommendations

  • Customers who use Microsoft Defender for Office 365 are protected from attachments that attempt to exploit CVE-2023-36884.
  • In current attack chains, the use of the Block all Office applications from creating child processes attack surface reduction rule prevents the vulnerability from being exploited
  • Organizations who cannot take advantage of these protections can set the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key to avoid exploitation.  Please note that while these registry settings would mitigate exploitation of this issue, it could affect regular functionality for certain use cases related to these applications.

You could also consider blocking outbound SMB traffic.

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.