Microsoft Office Zero-Day CVE-2023-36884 Exploited in the Wild
Microsoft has issued an advisory revealing a critical Office and Windows HTML remote code execution vulnerability (CVE-2023-36884) that is being exploited in the wild.
Published on July 25, 2023. Updated on November 6, 2023.
Microsoft released an advisory disclosing an Office and Windows HTML remote code execution vulnerability, CVE-2023-36884, that is exploited in the wild.
The vulnerability is under active exploitation by Storm-0978, a cybercrime group that has been observed conducting both cybercrime and espionage operations.
Storm-0978 is known to develop and distribute the RomCom backdoor on its victims’ networks.
Microsoft recommends the following mitigations:
- Block all Office applications from creating child processes.
- Set the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key to avoid exploitation.
Analysis
While Microsoft is still investigating the root cause of the vulnerability, the initial analysis suggests that:
- Exploitation of CVE-2023-36884 requires the user to open a malicious document.
- Opening the malicious file leads to the download of a script that performs an iframe injection, which in turn downloads the final malicious payload.
The attack chain starts with remotely hosted OOXML files, including DOCX and similar formats, which are internally structured as ZIP archives. Within these files, an XML-based relationship definition file plays a crucial role, and the "aFChunk" relationship in particular deserves attention. Malicious samples abuse this relationship by embedding RTF files as a means of payload smuggling. The embedded RTF files contain several objects responsible for executing malicious code, ultimately leading to a malware download. Notably, two prominent objects are observed within the DOCX files, namely an OLE1 object and a CFB object, both used to exploit the "URLMoniker" link process.
- OOXML file structure: OOXML files such as DOCX are ZIP archives, which provides a convenient way to package and store the various components of a document.
- XML-based relationship definition: within the DOCX file, an XML file serves as the relationship definition, establishing the connections between the different parts of the document.
- Significance of the "aFChunk" relationship: of particular interest is the "aFChunk" relationship defined within that XML file. It enables one document to be embedded within another, which creates an avenue for payload smuggling.
- Malicious use of the "aFChunk" method: malicious samples have been observed leveraging the "aFChunk" method to embed RTF files within DOCX files, as a vehicle for surreptitious payload delivery.
- RTF objects and malware payload: the embedded RTF files contain several objects that carry the code responsible for downloading and executing the malware.
- OLE1 object with UNC path: the first object encountered is an OLE1 object containing a Universal Naming Convention (UNC) path that points to a remote IP address. When executed, this object retrieves a .URL file, exemplified by the path "\\ip_address\to_evil\payload.url".
- Exploitation of the "URLMoniker" link process: the second object, a CFB object, exploits the "URLMoniker" link process, furthering the malicious activity.
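The structure described above can be checked mechanically. The following scanner is an added example written for this write-up (it is not code from the original post); it unpacks a DOCX, reads the main part's relationship file, picks out every "aFChunk" relationship, and inspects the target part for an RTF header, an embedded \object, and any UNC path hidden in hex-encoded \objdata. The `build_sample_docx` helper, the part name `word/afchunk.rtf`, the fake OLE header bytes and the placeholder path `\\ip_address\to_evil\payload.url` are all constructed for the example; only the relationship name "aFChunk" and the standard OOXML relationship file location are taken from the format itself.

```python
"""Scan a DOCX for an "aFChunk" relationship that smuggles an RTF part with OLE objects.

Added example for this write-up (not code from the original post).  It walks the
structure described above: OOXML ZIP -> word/_rels/document.xml.rels -> aFChunk
relationship -> RTF part -> \\object with hex \\objdata -> UNC path.
"""
import io
import posixpath
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
DOC_RELS = "word/_rels/document.xml.rels"  # relationships of the main document part

# UNC path: "\\host\share..." with at least one path component after the host;
# control characters are excluded so a trailing NUL in an OLE blob is not captured.
UNC_RE = re.compile(r"\\\\[A-Za-z0-9._-]+(?:\\[^\s\\<>|\x00-\x1f]+)+")
# Hex payload of an RTF \objdata destination (hex digits, possibly wrapped over lines).
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")


def _unc_paths(blob: bytes) -> set:
    """UNC paths in blob, trying both a byte-wise and a UTF-16LE reading."""
    found = set()
    for text in (blob.decode("latin-1"), blob.decode("utf-16-le", errors="ignore")):
        found.update(UNC_RE.findall(text))
    return found


def scan_docx(data: bytes) -> list:
    """Return one finding dict per aFChunk relationship found in the DOCX bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if DOC_RELS not in names:
            return findings
        root = ET.fromstring(z.read(DOC_RELS))
        for rel in root.iter(REL_NS + "Relationship"):
            if not rel.get("Type", "").endswith("/aFChunk"):
                continue
            target = rel.get("Target", "")
            # Targets are relative to word/ unless written as absolute package paths.
            part = target.lstrip("/") if target.startswith("/") else posixpath.normpath("word/" + target)
            body = z.read(part) if part in names else b""
            # Malicious RTF is often seen with a truncated "{\rt" header, so match on that.
            is_rtf = body.lstrip().lower().startswith(b"{\\rt")
            unc = _unc_paths(body)
            for m in OBJDATA_RE.finditer(body):
                hexdata = re.sub(rb"\s+", b"", m.group(1))
                hexdata = hexdata[: len(hexdata) - len(hexdata) % 2]  # drop a dangling nibble
                unc |= _unc_paths(bytes.fromhex(hexdata.decode("ascii")))
            findings.append({
                "rel_id": rel.get("Id"),
                "part": part,
                "is_rtf": is_rtf,
                "has_object": b"\\object" in body,
                "unc_paths": sorted(unc),
            })
    return findings


def build_sample_docx(unc_path: str, embed: bool = True) -> bytes:
    """Construct a minimal DOCX for exercising the scanner (a constructed sample).

    With embed=True the main part's relationships carry an aFChunk entry pointing at
    an RTF part whose \\objdata is a made-up blob (fake header + unc_path + NUL).
    """
    objdata = (b"\x01\x05\x00\x00\x02\x00\x00\x00" + unc_path.encode("ascii") + b"\x00").hex()
    rtf = "{\\rtf1\\ansi {\\object\\objemb{\\*\\objdata " + objdata + "}}}"
    rel = ('<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/aFChunk" Target="afchunk.rtf"/>'
           if embed else "")
    rels = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            + rel + "</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", '<?xml version="1.0" encoding="UTF-8"?>'
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", '<?xml version="1.0" encoding="UTF-8"?>'
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        z.writestr(DOC_RELS, rels)
        if embed:
            z.writestr("word/afchunk.rtf", rtf)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_docx(r"\\ip_address\to_evil\payload.url")
    for finding in scan_docx(data):
        print(finding)
```

Run it with a document path to scan a real file, or with no arguments to scan the constructed sample. An aFChunk relationship is legitimate in ordinary documents, so the useful signal for triage is the combination: an aFChunk target that is RTF, contains \object, and carries a UNC path to an external host.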
To prevent exploitation of the vulnerability:
- Block all Office applications from creating child processes in your endpoint security configuration.
- Set the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key.
No OS restart is required, but restarting the applications for which the registry key was added is recommended, in case the value was already queried and is cached.
Please note that while these registry settings mitigate exploitation of this issue, they could affect regular functionality for certain use cases of these applications. For this reason, we suggest testing first. To disable the mitigation, delete the registry key or set it to “0”.
Add the following application names to this registry key as values of type REG_DWORD with data 1:
- Excel.exe
- Graph.exe
- MSAccess.exe
- MSPub.exe
- PowerPoint.exe
- Visio.exe
- WinProj.exe
- WinWord.exe
- Wordpad.exe
[Screenshot: settings for the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION key]
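To roll the registry mitigation out consistently and verify it afterwards, the following added example (written for this write-up, not code from the original post or from Microsoft) renders a .reg file with the nine application values set to 1 and audits an exported copy of the key, flagging values that are missing, set to 0, or stored with the wrong type. The full registry path is not given on this page, so `KEY_PATH` is a placeholder that must be replaced with the path from Microsoft's advisory for CVE-2023-36884 before the .reg file is imported; `SAMPLE_EXPORT` is a constructed export used to show the audit output.

```python
"""Render and audit the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION mitigation values.

Added example for this write-up (not code from the original post or from Microsoft).
KEY_PATH is a placeholder: the full registry path is not given on this page and must
be taken from Microsoft's advisory for CVE-2023-36884 before the .reg file is imported.
"""
import re

KEY_NAME = "FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION"
KEY_PATH = "HKEY_LOCAL_MACHINE\\<FeatureControl path from Microsoft's advisory>\\" + KEY_NAME

# Application names listed in the advisory; each becomes a REG_DWORD value set to 1.
APPS = ["Excel.exe", "Graph.exe", "MSAccess.exe", "MSPub.exe", "PowerPoint.exe",
        "Visio.exe", "WinProj.exe", "WinWord.exe", "Wordpad.exe"]

VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def render_reg_file(enable: bool = True, apps=APPS) -> str:
    """Return .reg text that sets every application value to 1 (or 0 to disable)."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{KEY_PATH}]"]
    lines += [f'"{app}"=dword:{int(enable):08x}' for app in apps]
    return "\r\n".join(lines) + "\r\n"


def parse_reg_export(text: str, key_path: str = KEY_PATH) -> dict:
    """Parse the values of one key out of .reg text (as written by `reg export`).

    Returns {value_name: (reg_type, data)}; dword and string values are decoded,
    anything else is kept as ("OTHER", raw_text) so the audit can flag it.
    """
    values, in_key = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key_path.lower()  # key paths are case-insensitive
            continue
        m = VALUE_RE.match(line) if in_key else None
        if not m:
            continue
        name, raw = m.groups()
        if raw.lower().startswith("dword:"):
            values[name] = ("REG_DWORD", int(raw[6:], 16))
        elif raw.startswith('"') and raw.endswith('"'):
            values[name] = ("REG_SZ", raw[1:-1])
        else:
            values[name] = ("OTHER", raw)
    return values


def audit_mitigation(values: dict, apps=APPS) -> dict:
    """Classify each application as mitigated, disabled (data 0), wrong_type, or missing."""
    by_name = {k.lower(): v for k, v in values.items()}  # value names are case-insensitive
    status = {}
    for app in apps:
        entry = by_name.get(app.lower())
        if entry is None:
            status[app] = "missing"
        elif entry[0] != "REG_DWORD":
            status[app] = "wrong_type"  # e.g. "1" stored as REG_SZ is not honoured
        elif entry[1] == 1:
            status[app] = "mitigated"
        else:
            status[app] = "disabled"
    return status


# Constructed sample export: one correct value, one set to 0, one stored as a string.
SAMPLE_EXPORT = "\r\n".join([
    "Windows Registry Editor Version 5.00", "",
    f"[{KEY_PATH}]",
    '"WinWord.exe"=dword:00000001',
    '"Excel.exe"=dword:00000000',
    '"powerpoint.exe"="1"',
])

if __name__ == "__main__":
    for app, state in audit_mitigation(parse_reg_export(SAMPLE_EXPORT)).items():
        print(f"{app:16} {state}")
    print(render_reg_file())
```

The audit treats a value of 0 as "disabled" and a non-DWORD value as "wrong_type", matching the note above that the mitigation is switched off by deleting the key or setting it to "0" and that the values must be of type REG_DWORD; remember that affected applications should be restarted after the key is changed.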