In June 2023, Storm-0978 launched a campaign exploiting the CVE-2023-36884 vulnerability, a remote code execution flaw in Microsoft Word documents. This campaign targeted defense and government entities in Europe and North America, using phishing emails with lures related to the Ukrainian World Congress. The emails contained malicious documents designed to exploit the vulnerability before it was disclosed, allowing the attackers to deliver a backdoor with similarities to the RomCom malware. The campaign's primary objective appeared to be intelligence gathering, leveraging the vulnerability to infiltrate systems and potentially steal sensitive credentials. Microsoft Defender for Office 365 detected the initial exploitation, and further recommendations were provided to mitigate the threat. This operation exemplifies Storm-0978's ability to exploit zero-day vulnerabilities and their focus on espionage-related activities.
Type
Campaign
Actors
Pub. date
July 3, 2023
Initial access
1-day vulnerability, End-user compromise, 0-day vulnerability
Impact
RansomOp, Data exfiltration
Observed techniques
Observed tools
Targeted technologies
Status
Finalized
Last edited
Aug 6, 2024 12:41 PM