Russian State Hackers Exploit Microsoft Office CVE-2023-36884 Vulnerability Within 3 Days of Disclosure

  • Feb 4
Executive Summary

Within just three days of public disclosure, Russian state-linked threat actors weaponized a critical Microsoft Office vulnerability, CVE-2023-36884, to launch targeted cyber-espionage and ransomware campaigns. This vulnerability enables remote code execution via malicious Office documents, bypassing standard security controls. The exploitation was observed in the wild by multiple security vendors, with attacks primarily targeting government, defense, and critical infrastructure organizations in Europe and North America. The rapid operationalization of this exploit underscores the increasing sophistication and agility of Russian cyber operations, and highlights the urgent need for organizations to patch, monitor, and harden their environments against advanced persistent threats.

Threat Actor Profile

The primary threat actor associated with the exploitation of CVE-2023-36884 is Storm-0978, also known as RomCom. This group is assessed to be linked to Russian state interests and is known for conducting both espionage and financially motivated ransomware operations. Storm-0978 has a history of leveraging zero-day vulnerabilities and rapidly integrating newly disclosed exploits into their attack chains. Their campaigns often employ highly targeted spear-phishing, leveraging geopolitical lures relevant to their intended victims, such as documents themed around the Ukrainian World Congress and NATO-related events. The group is technically adept, utilizing custom malware, advanced evasion techniques, and robust command-and-control infrastructure to maintain persistence and exfiltrate sensitive data.

Technical Analysis of Malware/TTPs

CVE-2023-36884 is a remote code execution vulnerability affecting multiple versions of Microsoft Office and the Windows HTML rendering engine. The vulnerability allows attackers to craft malicious Office documents (including Word and RTF files) that, when opened, trigger the download and execution of arbitrary code from remote servers. The exploit chain typically begins with a spear-phishing email containing a weaponized document. Upon opening, the document leverages the vulnerability to inject an iframe or similar HTML element, which then downloads a secondary payload—often a DLL or executable—without user interaction.

The payloads observed in these campaigns include custom backdoors, credential stealers, and ransomware. Notably, the RomCom malware family has been deployed, featuring capabilities such as keylogging, screenshot capture, file exfiltration, and lateral movement. The malware establishes persistence via registry modifications and scheduled tasks, and communicates with attacker-controlled command-and-control servers using encrypted channels. Defense evasion is achieved through obfuscated code, anti-analysis checks, and the use of living-off-the-land binaries (LOLBins) to blend in with legitimate system activity.

The attack chain is further hardened by the use of legitimate cloud services and compromised infrastructure for payload delivery and C2, making detection and attribution more challenging. The attackers also employ techniques such as disabling security tools, deleting logs, and leveraging signed binaries to bypass application whitelisting.

Exploitation in the Wild

The exploitation of CVE-2023-36884 was first observed in July 2023, immediately following its public disclosure by Microsoft. Within three days, Storm-0978 integrated the exploit into active campaigns. Security researchers from Microsoft, Picus Security, and other vendors documented the use of malicious Office documents distributed via spear-phishing emails. These emails were highly targeted, often referencing current geopolitical events to increase the likelihood of user interaction.

Upon opening the malicious document, the exploit chain would execute, resulting in the download and execution of the RomCom backdoor or ransomware payloads. The campaigns were notable for their speed and precision, with attackers adapting their lures and infrastructure in response to public reporting and defensive measures. The use of legitimate cloud services for payload hosting and C2 further complicated detection and response efforts.

Victims reported a range of impacts, from data theft and credential compromise to ransomware deployment and operational disruption. Incident response teams noted that the attackers were able to move laterally within networks, escalate privileges, and exfiltrate sensitive data before deploying ransomware as a final stage.

Victimology and Targeting

The primary targets of these campaigns were government agencies, defense contractors, and critical infrastructure organizations in Europe and North America. Victims included entities involved in policy-making, military operations, and international diplomacy, as well as private sector organizations with ties to these sectors. The attackers demonstrated a clear understanding of their targets' operational environments, crafting lures and payloads tailored to specific organizations and individuals.

The use of geopolitical themes in phishing lures, such as references to the Ukrainian World Congress and NATO summits, indicates a focus on intelligence collection and influence operations. Secondary targeting included organizations in the energy, transportation, and telecommunications sectors, reflecting the attackers' interest in disrupting or gathering intelligence on critical infrastructure.

Mitigation and Countermeasures

Organizations are strongly advised to take the following actions to mitigate the risk posed by CVE-2023-36884 and similar threats. First, ensure that all Microsoft Office products are updated to the latest versions, specifically Microsoft 365 Apps Semi-Annual Channel version 2302 or later, as these versions include protections against this vulnerability. Apply all available security updates for both Office and Windows platforms.

Implement registry-based mitigations by setting the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION key for all relevant Office applications, including Excel.exe, Graph.exe, MSAccess.exe, MSPub.exe, PowerPoint.exe, Visio.exe, WinProj.exe, WinWord.exe, and Wordpad.exe. The registry path is HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION.
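The following script is an added example, not code from the original post or from Rescana, showing how the registry mitigation above can be applied and verified in PowerShell. It assumes an elevated session on the Windows host and uses the executable list and key path given in the text; the value written for each application is a REG_DWORD of 1, as Microsoft's mitigation guidance for this CVE specifies. The function names (Set-CrossProtocolBlock, Test-CrossProtocolBlock) are the example's own.

```powershell
# Added example (not part of the original post). Applies the per-application
# FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION mitigation and reports its state.
# Assumptions: elevated PowerShell on the target host; application list and key
# path are those named in the advisory text above.

$FeaturePath = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'

$OfficeApps = @(
    'Excel.exe', 'Graph.exe', 'MSAccess.exe', 'MSPub.exe', 'PowerPoint.exe',
    'Visio.exe', 'WinProj.exe', 'WinWord.exe', 'Wordpad.exe'
)

function Set-CrossProtocolBlock {
    # Creates the FeatureControl key if it is missing, then writes a REG_DWORD
    # value of 1 named after each Office executable.
    param([string[]]$Apps = $OfficeApps)

    if (-not (Test-Path $FeaturePath)) {
        New-Item -Path $FeaturePath -Force | Out-Null
    }
    foreach ($app in $Apps) {
        New-ItemProperty -Path $FeaturePath -Name $app -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Test-CrossProtocolBlock {
    # Returns one row per application so the state can be audited or exported;
    # Mitigated is $true only when the value exists and equals 1.
    param([string[]]$Apps = $OfficeApps)

    foreach ($app in $Apps) {
        $value = $null
        if (Test-Path $FeaturePath) {
            $value = (Get-ItemProperty -Path $FeaturePath -Name $app -ErrorAction SilentlyContinue).$app
        }
        [pscustomobject]@{
            Application = $app
            Value       = $value
            Mitigated   = ($value -eq 1)
        }
    }
}

# Apply, then show the resulting state for every application.
Set-CrossProtocolBlock
Test-CrossProtocolBlock | Format-Table -AutoSize
```

Running Test-CrossProtocolBlock on its own (without Set-CrossProtocolBlock) is a non-destructive way to audit a fleet, for example through a remote session or an endpoint management tool, and any row with Mitigated set to $false identifies a host that still needs the change.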

Restrict Office applications from spawning child processes, and monitor for abnormal Office application behavior, such as unexpected network connections or process creation. Leverage advanced endpoint detection and response (EDR) solutions to identify and block malicious activity associated with the RomCom malware family and related TTPs.
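As an added example, not taken from the original post, the script below covers both halves of the advice above: a preventive control that stops Office from creating child processes, and detection logic that flags process-creation events where an Office application is the parent. It assumes Microsoft Defender is the endpoint agent (the Add-MpPreference call enables the built-in attack surface reduction rule "Block all Office applications from creating child processes") and that events arrive as objects with UtcTime, ParentImage, Image and CommandLine fields, as Sysmon Event ID 1 provides; the sample events are constructed for the example and are not real telemetry. The function names and the suspicious-child list are the example's own choices.

```powershell
# Added example (not part of the original post).
# Part 1: preventive control. Assumes Microsoft Defender with ASR support; the
# GUID is Defender's rule "Block all Office applications from creating child processes".
function Enable-OfficeChildProcessBlock {
    Add-MpPreference -AttackSurfaceReductionRules_Ids 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' `
                     -AttackSurfaceReductionRules_Actions Enabled
}

# Part 2: detection over process-creation events.
$OfficeParents = @('winword.exe', 'excel.exe', 'powerpnt.exe', 'msaccess.exe',
                   'mspub.exe', 'visio.exe', 'winproj.exe', 'wordpad.exe')

# Children that an Office application rarely has a legitimate reason to start.
$SuspiciousChildren = @('cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe',
                        'rundll32.exe', 'regsvr32.exe', 'mshta.exe', 'certutil.exe',
                        'bitsadmin.exe', 'msiexec.exe')

function Find-OfficeChildProcess {
    # Emits one finding per event whose parent is an Office binary. Known-bad
    # children are rated High; anything else spawned by Office is rated Review,
    # since legitimate helpers (print spooler, add-ins) also appear here.
    param([Parameter(Mandatory)][object[]]$Events)

    foreach ($e in $Events) {
        $parent = [IO.Path]::GetFileName($e.ParentImage).ToLowerInvariant()
        $child  = [IO.Path]::GetFileName($e.Image).ToLowerInvariant()
        if ($OfficeParents -contains $parent) {
            $severity = if ($SuspiciousChildren -contains $child) { 'High' } else { 'Review' }
            [pscustomobject]@{
                Time        = $e.UtcTime
                Parent      = $parent
                Child       = $child
                Severity    = $severity
                CommandLine = $e.CommandLine
            }
        }
    }
}

# Constructed sample events (not real telemetry); field names follow Sysmon Event ID 1.
$SampleEvents = @(
    [pscustomobject]@{ UtcTime = '2023-07-12 09:14:03'
                       ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
                       Image = 'C:\Windows\System32\rundll32.exe'
                       CommandLine = 'rundll32.exe C:\Users\Public\update.dll,Start' },
    [pscustomobject]@{ UtcTime = '2023-07-12 09:14:10'
                       ParentImage = 'C:\Windows\explorer.exe'
                       Image = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
                       CommandLine = '"WINWORD.EXE" /n "C:\Users\alice\Documents\agenda.docx"' },
    [pscustomobject]@{ UtcTime = '2023-07-12 09:15:41'
                       ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE'
                       Image = 'C:\Windows\System32\cmd.exe'
                       CommandLine = 'cmd.exe /c "C:\Users\Public\stage2.exe"' },
    [pscustomobject]@{ UtcTime = '2023-07-12 09:16:02'
                       ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE'
                       Image = 'C:\Windows\splwow64.exe'
                       CommandLine = 'splwow64.exe 12288' }
)

# Expected: two High findings (rundll32.exe and cmd.exe under Office), one Review
# finding (splwow64.exe), and nothing for Word launched from Explorer.
Find-OfficeChildProcess -Events $SampleEvents | Format-Table -AutoSize
```

In production the same function can be fed live data by replacing $SampleEvents with the parsed output of Get-WinEvent against the Sysmon operational log, or with records exported from the EDR platform; the Review tier is there so that routine Office helper processes surface for tuning rather than being silently dropped.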

Educate users on the risks of spear-phishing and the importance of verifying the authenticity of email attachments, especially those referencing current events or requiring urgent action. Deploy email security solutions capable of detecting and quarantining malicious attachments and links.

Monitor network traffic for indicators of compromise, including connections to known malicious infrastructure and anomalous data exfiltration patterns. Implement network segmentation and least privilege access controls to limit the impact of a successful compromise.

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their supply chain and vendor ecosystem. Our advanced threat intelligence and automation capabilities empower security teams to proactively identify vulnerabilities, respond to emerging threats, and ensure compliance with industry standards. For more information or to discuss how Rescana can help strengthen your organization's cyber resilience, we are happy to answer questions at ops@rescana.com.