In-Depth Analysis of July 2023 Exploit Chain Featuring CVE-2023-36884 and CVE-2023-36584 [Monday, November 13, 2023]

Report

In-Depth Analysis of July 2023 Exploit Chain Featuring CVE-2023-36884 and CVE-2023-36584

Description:
During our analysis of a July 2023 campaign targeting groups supporting Ukraine's admission into NATO, researchers discovered a new vulnerability for bypassing Microsoft's Mark-of-the-Web (MotW) security feature. This activity has been attributed by the community to the pro-Russian APT group known as Storm-0978 (also known as the RomCom Group, in reference to their use of the RomCom backdoor). This group used a highly complex and well-developed exploit chain leveraging a remote code execution (RCE) vulnerability in Microsoft Office designated CVE-2023-36884 to infect its targets with malware.

Published:
2023-11-13T17:29:16.823Z

Created:
2023-11-13T17:29:16.823Z

Modified:
2023-11-13T17:34:40.540Z

Tags

  • ukraine
  • geopolitical conflict
  • romcom
  • storm-0978
  • cve202336884
  • cta

Indicators

URLs:
  • https://www.ukrainianworldcongress.info/sites/default/files/document/forms/2023/Overview_of_UWCs_UkraineInNATO_campaign.docx
  • http://74.50.94.156/MSHTML_C7/zip_k2.asp?d=
  • http://74.50.94.156/MSHTML_C7/zip_k.asp?d=
  • www.ukrainianworldcongress.info
  • http://74.50.94.156/MSHTML_C7/start.xml
  • http://74.50.94.156/MSHTML_C7/zip_k3.asp?d=
Domains:
  • ukrainianworldcongress.info
Hashes (SHA-256):
  • 20f58bd5381509072e46ad79e859fb198335dcd49c2cb738bd76f1d37d24c0a7
  • cdc39ce48f8f587c536450a3bd0feb58bf40b59b310569797c1c9ae8d28b2914
  • 0896e7c5433b2d426a30a43e7f4ef351fa870be8bd336952a0655392f8f8052d
  • c94e2bfd4e2241fed42113049c84ac333fcff340cc202afe8926f8e885d5fca3
  • b5731baa7920b4649add429fc4a025142ce6a1e1adacb45850470ca4562d5e37
  • 3d0dae359325e8e96cf46459c38d086279865457379bd6380523727db350de43
  • f08cc922c5dab73f6a2534f8ceec8525604814ae7541688b7f65ac9924ace855
  • c187aa84f92e4cb5b2d9714b35f5b892fa14fec52f2963f72b83c0b2d259449d
  • 0adb2734a1ca0ccaf27d8a46c08b2fd1e19cb1fbd3fea6d8307851c691011f0f
  • 7a1494839927c20a4b27be19041f2a2c2845600691aa9a2032518b81463f83be
  • ee46f8c9769858aad6fa02466c867d7341ebe8a59c21e06e9e034048013bf65a
  • bfe3ebcc92a4a7d294b63ce0d7eba6313980d982709a27b337abe32651b63856
  • fd4fd44ff26e84ce6587413271cf7ff3960471a55eb0d51b0a9870b577d66f4a
  • 4fc768476ee92230db5dbc4d8cbca49a71f8433542e62e093c3ad160f699c98d
  • 48142dc7fe28a5d8a849fff11cb8206912e8382314a2f05e72abad0978b27e90
  • e7cfeb023c3160a7366f209a16a6f6ea5a0bc9a3ddc16c6cba758114dfe6b539
  • a61b2eafcf39715031357df6b01e85e0d1ea2e8ee1dfec241b114e18f7a1163f
Attack Patterns (MITRE ATT&CK technique IDs):
  • T1559
  • T1187
  • T1547
  • T1566
  • T1068
  • T1106
  • T1560
  • T1027
External References:

About the author
Julien B.
