RomCom

Blog Credit: Trupti Thakur

Image Courtesy: Google

RomCom

Microsoft Threat Intelligence has identified threat actors abusing a recently disclosed vulnerability, CVE-2023-36884, in phishing campaigns containing malicious Word documents against government entities in Europe and North America. CVE-2023-36884 was disclosed along with three other vulnerabilities by Google TAG, no patch was released for the vulnerability and only mitigations are available.

Threat Actor: Storm-0978 (RomCom)

As part of a recently identified cyber operation, a Russia-linked threat actor known as RomCom has been targeting entities supporting Ukraine, including guests at the 2023 NATO Summit taking place July 11-12, the cybersecurity unit at BlackBerry reports.

Taking place in Vilnius, Lithuania, the NATO Summit has on the agenda talks focusing on the war in Ukraine, as well as new memberships in the organization, including Sweden and Ukraine itself.

Taking advantage of the event, RomCom has created malicious documents likely to be distributed to supporters of Ukraine, and appears to have dry-tested its delivery on June 22 and a few days before the command-and-control (C&C) domain used in the campaign went live, BlackBerry explains.

The threat actor likely relied on spear-phishing to distribute one of the malicious documents, relying on an embedded RTF file and OLE objects to initialize an infection chain meant to harvest system information and to deliver the RomCom remote access trojan (RAT).

At one stage in the infection chain, a vulnerability in Microsoft’s Support Diagnostic Tool (MSDT) – CVE-2022-30190, also known as Follina – is exploited for remote code execution (RCE).

According to BlackBerry, the C&C domains and victim IPs identified during this campaign were all accessed from a single server, which has been observed connecting to known RomCom infrastructure.

Based on the observed tactics, techniques, and procedures (TTPs), network infrastructure, code similarities, and other collected artifacts, BlackBerry is confident that the RomCom threat actor – or members of RomCom – is behind the cyber operation.

ADVERTISEMENT. SCROLL TO CONTINUE READING.

“Based on the nature of the upcoming NATO Summit and the related lure documents sent out by the threat actor, the intended victims are representatives of Ukraine, foreign organizations, and individuals supporting Ukraine,” BlackBerry says.

The company has alerted relevant government agencies of this campaign prior to making the information public.

Also tracked as Void Rabisu and Tropical Scorpius, and Associated with the Cuba Ransomware, RomCom was believed to be financially motivated, but recent campaigns have shown a shift in tactics and motivation, suggesting that the group is likely working for the Russian Government.

Since at least October 2022, the threat actor’s RomCom backdoor has been used in attacks targeting Ukraine, including users of Ukraine’s Delta situational awareness program and organizations in Ukraine’s energy and water utility sectors.

Outside Ukraine, RomCom attacks targeted a provincial local government helping Ukrainian refugees, a parliament member of a European country, attendies of the Munich Security Conference, and the Masters of Digital conference, and a European defense company.

 

Storm-0978,  known as RomCom , a Russian threat actor known for ransomware, espionage operations, and targeted credential-gathering campaigns. Their latest campaign was last detected in June 2023 involving abuse of CVE-2023-36884 to deliver backdoors over phishing emails according to Microsoft threat intelligence

Mitigate CVE-2023-36884

CVE-2023-36884 can be mitigated via Attack Surface Reduction Rules or by performing registry key modifications to disable certain features in Windows. It is recommended to apply the mitigations as no patches are available.

Attack Surface Reduction Rules

Block all Office applications from creating child processes

This rule blocks Office apps from creating child processes. Office apps include Word, Excel, PowerPoint, OneNote, and Access.

Creating malicious child processes is a common malware strategy. Malware that abuses Office as a vector often runs VBA macros and exploit code to download and attempt to run more payloads. However, some legitimate line-of-business applications might also generate child processes for benign purposes; such as spawning a command prompt or using PowerShell to configure registry settings.

Intune name: Office apps launching child processes

Configuration Manager name: Block Office application from creating child processes

GUID: d4f940ab-401b-4efc-aadc-ad5f3c50688a

Advanced hunting action type:

• AsrOfficeChildProcessAudited

• AsrOfficeChildProcessBlocked

Block credential stealing from the Windows local security authority subsystem

This rule helps prevent credential stealing by locking down Local Security Authority Subsystem Service (LSASS).

LSASS authenticates users who sign in on a Windows computer. Microsoft Defender Credential Guard in Windows normally prevents attempts to extract credentials from LSASS. Some organizations can’t enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS.

By default the state of this rule is set to block. In most cases, many processes make calls to LSASS for access rights that are not needed. For example, such as when the initial block from the ASR rule results in a subsequent call for a lesser privilege which subsequently succeeds. For information about the types of rights that are typically requested in process calls to LSASS, see: Process Security And Access Rights

 

Registry Key Modification

As recommended by Microsoft, “Organizations who cannot take advantage of these protections can set the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key to avoid exploitation. Please note that while these registry settings would mitigate exploitation of this issue, it could affect regular functionality for certain use cases related to these applications. Add the following application names to this registry key as values of type REG_DWORD with data 1”

 

Detect CVE-2023-36884

Based on the recommended ASR rules, the following Sigma rule can detect an attacker exploiting CVE-2023-36884 and other Office-related TTPs. Alerts can be generated if an Office application is spawning a suspicious child process.

Patch CVE-2023-36884

Microsoft has not yet released a patch for CVE-2023-36884. This section will be updated as more details are available.

Exploit CVE-2023-36884

More information about CVE-2023-36884 will be available in 30 days according to Google TAG disclosure policy. This section will be updated with possible adversary simulations and exploits for the vulnerability. The recommended sigma rule and Attack Surface Reduction rules can also be assessed with other vulnerabilities such as  Follina which we covered previously.

 

Blog By: Trupti Thakur