Varonis debuts trailblazing features for securing Salesforce. Learn More

Varonis announces strategic partnership with Microsoft to acclerate the secure adoption of Copilot.

Learn more

Taking Microsoft Office by "Storm"

3 min read
Last updated August 4, 2023
Microsoft Word document surrounded by storm clouds

Threat actors known as “Storm-0978” are actively exploiting an unpatched Microsoft Office and Windows HTML remote code execution vulnerability. This high-severity zero-day vulnerability, assigned a CVSS v3.1 score of 8.3 and designated as CVE-2023-36884, has been exploited via specially-crafted Microsoft Office documents that victims are tricked into opening using email lures. 

Storm-0978 is targeting defense and government entities in Europe and North America with “Ukrainian World Congress” and “NATO” themed emails, which include links to a website that hosts the weaponized documents. 

Once the victim opens the malicious Office document, the threat actors gain the ability to execute arbitrary code on the targeted systems, potentially delivering additional payloads such as remote access trojans (RAT) or ransomware. 

Get started with our world-famous data risk assessment.
Book your free assessment

Given that this vulnerability is currently unpatched, other threat actors may seek to deploy similar threats using similar tactics and techniques, like delivering destructive documents as email attachments rather than linking to a malicious site. 

At the time of publication, a full list of vulnerable Microsoft Office and Windows versions has not been shared, although it is thought that recent Office, Windows, and Word versions are affected.

Who is Storm-0978? 

Storm-0978 — also known “RomCom” based on their previous use of the RomCom RAT — are reportedly a Russian-nexus cybercriminal gang, active since at least 2022. 

Having previously used Trojanized versions of popular software to distribute the RomCom RAT, the group has also been linked to ransomware threats “Trigona” and “Underground,” the latter being a potential rebrand of “Industrial Spy.” 

As is often the case with financially-motivated threat actors, previous attacks targeting the telecommunications and finance industries appear to be opportunistic, as opposed to their recent activity, which appears to be far more targeted and even potentially motivated by an espionage objective. 

Recommendations 

Pending the release of an out-of-cycle security update or an update through the monthly Patch Tuesday release, organizations should follow the current Microsoft advice provided in their security update guide, which recommends enabling the “Block all Office applications from creating child processes” attack surface reduction rule in Microsoft Defender or configuring the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key. 

In making these changes, it’s important that organizations take into consideration the impacts of any registry change, as these may affect application functionality. Organizations should also consider adopting a proactive approach to this by monitoring the release of any out-of-cycle security updates.

Additionally, consideration should be given to implementing access restrictions to the domains and IP addresses listed in the indicators of compromise (IOC) section. This will not only prevent users from accessing malicious content, but will also thwart potential command and control activities.

Lastly, in the event of suspicion of a targeted attack, conduct a thorough review of your environment for the provided IOC below and take immediate measures to contain and remediate any identified threats. By following these recommendations, your organization can bolster its security posture and minimize the impact of potential security breaches.

Indicators of compromise (IOC) 

IOC Type Description

ukrainianworldcongress[.]info 

Domain 

Mimics the legitimate domain ukrainianworldcongress[.]org 

%APPDATA%\Local\Temp\Temp1_<VICTIM_IP>_<5_CHAR_HEX_ID>_file001.zip\2222.chm 

File path 

Victim specific CHM payload containing file1.htm, file1.mht, fileH.htm, fileH.mht and INDEX.htm 

104.234.239[.]26 

IPv4 

Hosts C2 and additional payloads 

213.139.204[.]173 

IPv4 

Resolves to ukrainianworldcongress[.]info 

66.23.226[.]102 

IPv4 

Potential Storm-0978 infrastructure (similar content) 

74.50.94[.]156 

IPv4 

Hosts C2 and additional payloads 

94.232.40[.]34 

IPv4 

Potential Storm-0978 infrastructure (similar content) 

07377209fe68a98e9bca310d9749daa4eb79558e9fc419cf0b02a9e37679038d 

SHA256 

Second stage malicious Microsoft Word document - file001.url 

07377209fe68a98e9bca310d9749daa4eb79558e9fc419cf0b02a9e37679038d 

SHA256 

Second stage malicious Microsoft Word document - \\104.234.239[.]26\share1\MSHTML_C7\file001.url 

3a3138c5add59d2172ad33bc6761f2f82ba344f3d03a2269c623f22c1a35df97 

SHA256 

Letter_NATO_Summit_Vilnius_2023_ENG.docx - Lure document 

a61b2eafcf39715031357df6b01e85e0d1ea2e8ee1dfec241b114e18f7a1163f 

SHA256 

Overview_of_UWCs_UkraineInNATO_campaign.docx - Lure document  

ddf15e9ed54d18960c28fb9a058662e7a26867776af72900697400cb567c79be 

SHA256 

Malicious Word document - hxxp://74.50.94[.]156/MSHTML_C7/doc_dld.asp?filename=<FILENAME.DOC> 

e7cfeb023c3160a7366f209a16a6f6ea5a0bc9a3ddc16c6cba758114dfe6b539 

SHA256 

afchunk.rtf - Exploit payload embedded within the lure documents 

\\104.234.239[.]26\share1\MSHTML_C7\file001.url 

UNC path 

Second stage malicious Microsoft Word document - 07377209fe68a98e9bca310d9749daa4eb79558e9fc419cf0b02a9e37679038d 

\\104.234.239[.]26\share1\MSHTML_C7\file001.url 

URL 

Second stage malicious Microsoft Word document - 07377209fe68a98e9bca310d9749daa4eb79558e9fc419cf0b02a9e37679038d 

hxxp://104.234.239[.]26/share1/MSHTML_C7/1/<VICTIM_IP>_<5_CHAR_HEX_ID>_file001.htm?d=<VICTIM_IP>_<5_CHAR_HEX_ID> 

URL 

Call home, used to generate payloads with victim IP/identifier 

hxxp://104.234.239[.]26/share1/MSHTML_C7/1/<VICTIM_IP>_<5_CHAR_HEX_ID>_file001.zip 

URL 

Payload generated for victim IP 

hxxp://104.234.239[.]26/share1/MSHTML_C7/file001.url 

URL 

Second stage malicious Microsoft Word document - 07377209fe68a98e9bca310d9749daa4eb79558e9fc419cf0b02a9e37679038d 

hxxp://66.23.226[.]102/MSHTML_C7/start.xml 

URL 

Potential Storm-0978 infrastructure (similar content) 

hxxp://74.50.94[.]156/MSHTML_C7/doc_dld.asp?filename=<FILENAME.DOC> 

URL 

Malicious Word document - ddf15e9ed54d18960c28fb9a058662e7a26867776af72900697400cb567c79be 

hxxp://74.50.94[.]156/MSHTML_C7/o2010.asp?d=<VICTIM_IP>_<5_CHAR_HEX_ID>_ 

URL 

Payload generated for victim IP 

hxxp://74.50.94[.]156/MSHTML_C7/RFile.asp 

URL 

Referenced by start.xml, loads content generated for victim IP 

hxxp://74.50.94[.]156/MSHTML_C7/start.xml 

URL 

Loads RFile.asp 

hxxp://74.50.94[.]156/MSHTML_C7/zip_k.asp?d=<VICTIM_IP>_<5_CHAR_HEX_ID>_ 

URL 

Payload generated for victim IP 

hxxp://74.50.94[.]156/MSHTML_C7/zip_k2.asp?d=<VICTIM_IP>_<5_CHAR_HEX_ID>_ 

URL 

Payload generated for victim IP 

hxxp://74.50.94[.]156/MSHTML_C7/zip_k3.asp?d=<VICTIM_IP>_<5_CHAR_HEX_ID>_ 

URL 

Payload generated for victim IP 

hxxp://94.232.40[.]34/MSHTML_C7/start.xml 

URL 

Potential Storm-0978 infrastructure (similar content) 

hxxp://www.ukrainianworldcongress[.]info/sites/default/files/document/forms/2023/Letter_NATO_Summit_Vilnius_2023_ENG.docx 

URL 

Lure document 

hxxps://www.ukrainianworldcongress[.]info/sites/default/files/document/forms/2023/Overview_of_UWCs_UkraineInNATO_campaign.docx 

URL 

Lure document 

What you should do now

Below are three ways we can help you begin your journey to reducing data risk at your company:

  1. Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
  2. Download our free report and learn the risks associated with SaaS data exposure.
  3. Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Reddit, or Facebook.
Try Varonis free.
Get a detailed data risk report based on your company’s data.
Deploys in minutes.
Keep reading
security-vulnerabilities-in-apex-code-could-leak-salesforce-data
Security Vulnerabilities in Apex Code Could Leak Salesforce Data
Varonis' threat researchers identified high- and critical-severity vulnerabilities in Apex, a programming language for customizing Salesforce instances.
outlook-vulnerability-discovery-and-new-ways-to-leak-ntlm-hashes
Outlook Vulnerability Discovery and New Ways to Leak NTLM Hashes
Varonis Threat Labs discovered a new Outlook exploit and three new ways to access NTLM v2 hashed passwords.
taking-microsoft-office-by-
Taking Microsoft Office by "Storm"
The “Storm-0978” ransomware group is actively exploiting an unpatched Microsoft Office and Windows HTML remote code execution vulnerability.
imposter-syndrome:-ui-bug-in-visual-studio-lets-attackers-impersonate-publishers
Imposter Syndrome: UI Bug in Visual Studio Lets Attackers Impersonate Publishers
Varonis Threat Labs found a bug in Microsoft Visual Studio installer that allows an attacker to impersonate a publisher and issue a malicious extension to compromise a targeted system