Storm-0978 Group Deploys RomCom Variant and Underground Ransomware in Targeted Attacks
On July 11, 2023, Microsoft released its July Patch Tuesday update, addressing 132 vulnerabilities, six of them actively exploited and thirty-seven classified as Remote Code Execution (RCE) flaws. Microsoft also published a dedicated advisory for CVE-2023-36884, an Office and Windows HTML RCE vulnerability that had no patch available at the time. Microsoft reported targeted attacks exploiting this vulnerability with specially crafted Microsoft Office documents; a successful exploit gives the attacker code execution in the context of the victim, but it requires the victim to open the malicious document.
Microsoft detected a phishing campaign carried out by a Threat Actor (TA) tracked as Storm-0978. The campaign targeted defense and government entities in Europe and North America, using lures related to the Ukrainian World Congress and exploiting CVE-2023-36884.
Storm-0978 is a cybercriminal group operating from Russia. It conducts opportunistic ransomware and extortion operations as well as targeted credential-gathering campaigns, and it develops and distributes the RomCom backdoor and deploys Underground ransomware.
Underground ransomware is closely related to Industrial Spy ransomware, which was first observed in the wild in May 2022. Microsoft has also reported that a campaign identified in June 2023 exploited CVE-2023-36884 to deliver a backdoor that shares code similarities with RomCom.
For initial infection, Storm-0978 uses phishing sites that impersonate well-known legitimate software. The impersonated products include Adobe products, SolarWinds Network Performance Monitor, SolarWinds Orion, Advanced IP Scanner, KeePass, and Signal. Users who visit these sites download and execute trojanized installers, which infect the host with the RomCom backdoor.
Cyber Espionage
Microsoft has observed Storm-0978 conducting a series of campaigns since late 2022. The post-compromise activity in these operations and the specific entities targeted indicate that espionage is a likely motive alongside the group's financially motivated activity.
In October 2022, Storm-0978 launched a series of phishing campaigns built around fraudulent websites that mimicked legitimate software download pages. The primary targets were individuals associated with the Ukrainian government and military. The objective was to deliver the RomCom malware and potentially harvest the login credentials of high-value individuals.
In December 2022, according to CERT-UA, Storm-0978 gained unauthorized access to an email account belonging to the Ukrainian Ministry of Defense and used it to send phishing emails. These emails carried PDF attachments as lures, enticing recipients to click links leading to an attacker-controlled website that hosted information-stealing malware.
In June 2023, a phishing campaign attributed to Storm-0978 targeted defense and government entities in Europe and North America. The campaign used a disguised OneDrive loader to deliver a backdoor resembling the RomCom malware. The figure below shows the phishing email Storm-0978 used to exploit CVE-2023-36884.

The figure below displays the MS Word document utilized as bait throughout the campaign, specifically designed to align with the NATO Summit.

Ransomware Activities
In documented ransomware intrusions, Storm-0978 has obtained credentials by extracting password hashes from the Security Account Manager (SAM) via the Windows registry. It has then used the SMBExec and WMIExec components of the Impacket framework for lateral movement within the compromised network.
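The two behaviours described above leave recognisable traces in process-creation telemetry: hive dumping shows up as `reg.exe save HKLM\SAM` (usually together with `HKLM\SYSTEM`, which holds the boot key needed to decrypt the hashes), and Impacket's wmiexec and smbexec run their commands through `cmd.exe /Q /c` with output redirected to a loopback share (`\\127.0.0.1\ADMIN$\__<timestamp>` for wmiexec, `\\127.0.0.1\C$\__output` for smbexec). The following PowerShell is an added example, not code from the original post or from any of the referenced vendors; it runs those patterns over process-creation records. The sample records are constructed for illustration, and the 4688 property indices assume the Windows 10 / Server 2016 and later event layout with command-line auditing enabled.

```powershell
# Added example: hunt process-creation records for SAM hive dumping and
# Impacket wmiexec/smbexec execution patterns. Not part of the original post.
# Input objects carry Computer, ParentImage and CommandLine (Security 4688 or Sysmon 1).

$Rules = @(
    @{ Name = 'SAM/SYSTEM/SECURITY hive dump via reg.exe'
       Pattern = '(?i)\breg(\.exe)?\s+save\s+(hklm|hkey_local_machine)\\(sam|system|security)\b' }
    @{ Name = 'Impacket wmiexec output redirection'
       Pattern = '(?i)cmd\.exe\s+/Q\s+/c\s+.*1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+' }
    @{ Name = 'Impacket smbexec batch wrapper'
       Pattern = '(?i)/Q\s+/c\s+echo\s+.*\^>\s*\\\\127\.0\.0\.1\\C\$\\__output' }
)

function Find-LateralMovementArtifacts {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        # Exact tradecraft signatures first
        $hits = @($Rules | Where-Object { $e.CommandLine -match $_.Pattern } | ForEach-Object { $_.Name })
        # Weaker heuristic: cmd.exe /Q /c spawned by the WMI provider host (wmiexec)
        # or by the service control manager (smbexec/psexec-style services)
        if ($e.ParentImage -match '(?i)\\(WmiPrvSE|services)\.exe$' -and
            $e.CommandLine -match '(?i)cmd\.exe\s+/Q\s+/c') {
            $hits += 'cmd.exe /Q /c spawned by WmiPrvSE.exe or services.exe'
        }
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                Computer    = $e.Computer
                Rules       = ($hits -join '; ')
                ParentImage = $e.ParentImage
                CommandLine = $e.CommandLine
            }
        }
    }
}

function Get-ProcessCreationEvents {
    # Pull real 4688 events from the local Security log. Property 8 is the
    # command line and property 13 the creator process name on Windows 10+/2016+.
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents |
        ForEach-Object {
            [pscustomobject]@{
                Computer    = $_.MachineName
                ParentImage = $_.Properties[13].Value
                CommandLine = $_.Properties[8].Value
            }
        }
}

# Constructed sample records (not real telemetry): three malicious, one benign.
$SampleEvents = @(
    [pscustomobject]@{ Computer = 'WS01'; ParentImage = 'C:\Windows\System32\wbem\WmiPrvSE.exe'
                       CommandLine = 'cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1689085733.41 2>&1' }
    [pscustomobject]@{ Computer = 'WS01'; ParentImage = 'C:\Windows\System32\cmd.exe'
                       CommandLine = 'reg save HKLM\SAM C:\Windows\Temp\sam.hiv' }
    [pscustomobject]@{ Computer = 'FS02'; ParentImage = 'C:\Windows\System32\services.exe'
                       CommandLine = 'C:\Windows\system32\cmd.exe /Q /c echo dir ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & C:\Windows\system32\cmd.exe /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat' }
    [pscustomobject]@{ Computer = 'WS03'; ParentImage = 'C:\Windows\explorer.exe'
                       CommandLine = 'cmd.exe /c dir C:\Users' }
)

# Run against the constructed sample; swap in (Get-ProcessCreationEvents) on a live host.
Find-LateralMovementArtifacts -Events $SampleEvents | Format-Table -AutoSize
```

On the sample input the first three records are flagged and the explorer-spawned `cmd.exe /c dir` is not. The loopback-share redirection is the higher-confidence signal; the parent-process heuristic will also fire on legitimate WMI- or service-driven administration, so treat it as a triage hint rather than an alert on its own.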
Microsoft has linked Storm-0978 to previous management of the Industrial Spy ransomware, its marketplace, and its crypter. As of July 2023, Storm-0978 has shifted to a ransomware variant named Underground, which shares significant code with Industrial Spy.
Cyble Research and Intelligence Labs (CRIL) recently published a blog post analyzing the newly identified Underground ransomware variant used in the ongoing Storm-0978 campaign.
The figure below shows the Underground Team ransomware login panel, which appears upon accessing the Onion URL mentioned in the ransom note.

Conclusion:
Zero-day vulnerabilities cannot be patched before they are exploited, which makes them especially dangerous for any organization's infrastructure. Storm-0978 exploited one such zero-day (CVE-2023-36884) in Microsoft Office to compromise multiple systems and carry out both espionage and ransomware operations.
The attackers used a RomCom variant for espionage and deployed Underground ransomware for financially motivated operations. The campaign shows Storm-0978 to be a capable group that is likely to keep targeting organizations in these sectors.
Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
- Block process creations originating from PsExec and WMI commands. Microsoft notes that some organizations may experience compatibility issues with this attack surface reduction (ASR) rule on certain server systems; deploy it on all other systems to block lateral movement via PsExec and WMI, including Impacket's wmiexec.
- Block executable files from running unless they meet a prevalence, age, or trusted-list criterion (also an ASR rule).
Safety Measures Needed to Prevent Ransomware Attacks
- Conduct regular backup practices and keep those backups offline or in a separate network.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
- Use a reputable anti-virus and Internet security software package on your connected devices, including PCs, laptops, and mobile devices.
- Refrain from opening untrusted links and email attachments without verifying their authenticity.
Users Should Take the Following Steps After the Ransomware Attack
- Isolate infected devices from the network.
- Disconnect external storage devices if connected.
- Inspect system logs for suspicious events.
Impact of Ransomware
- Loss of Valuable data
- Loss of the organization’s reputation and integrity
- Loss of the organization’s sensitive business information
- Disruption in organization operation
- Financial loss
Mitigations for CVE-2023-36884
- Enable the attack surface reduction rule that blocks all Office applications from creating child processes.
- Organizations that cannot use ASR rules can instead set the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key, which blocks cross-protocol file navigation for the listed applications and prevents exploitation. Note that this is a mitigation rather than a fix: it reduces exposure, but it may break the normal functionality of certain applications in specific use cases.
- Add the following application names as REG_DWORD values with data 1 under the registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION":
- Excel.exe
- Graph.exe
- MSAccess.exe
- MSPub.exe
- PowerPoint.exe
- Visio.exe
- WinProj.exe
- WinWord.exe
- Wordpad.exe
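The following PowerShell script is an added example, not code from the original post or from Microsoft; it applies, verifies, and rolls back the mitigations listed above (the registry key with all nine application values, plus the three ASR rules from the recommendations) so that the state can be checked across a fleet rather than set by hand. It assumes an elevated session on a Windows host; the ASR part additionally assumes Microsoft Defender Antivirus is the active engine. The ASR rule GUIDs are Microsoft's documented identifiers for those rules.

```powershell
# Added example: apply / verify / roll back the CVE-2023-36884 mitigations.
# Not part of the original post. Run elevated: .\Mitigate-CVE-2023-36884.ps1 -Mode Apply
[CmdletBinding()]
param(
    [ValidateSet('Apply', 'Verify', 'Rollback')]
    [string]$Mode = 'Verify'
)

$FeatureKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
$OfficeApps = 'Excel.exe', 'Graph.exe', 'MSAccess.exe', 'MSPub.exe', 'PowerPoint.exe',
              'Visio.exe', 'WinProj.exe', 'WinWord.exe', 'Wordpad.exe'

# ASR rules recommended on this page, keyed by Microsoft's rule GUIDs
$AsrRules = @{
    'Block all Office applications from creating child processes'         = 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'
    'Block process creations originating from PsExec and WMI commands'     = 'd1e49aac-8f56-4280-b9ba-993a6d77406c'
    'Block executables unless they meet prevalence, age or trusted list'   = '01443614-cd74-433a-b99e-2ecdc07bfc25'
}

function Set-CrossProtocolBlock {
    # Creates the policy key if absent and sets every application value to DWORD 1
    if (-not (Test-Path $FeatureKey)) { New-Item -Path $FeatureKey -Force | Out-Null }
    foreach ($app in $OfficeApps) {
        New-ItemProperty -Path $FeatureKey -Name $app -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Remove-CrossProtocolBlock {
    # Rollback for the registry mitigation only; ASR rules are left in place deliberately
    if (Test-Path $FeatureKey) {
        foreach ($app in $OfficeApps) {
            Remove-ItemProperty -Path $FeatureKey -Name $app -ErrorAction SilentlyContinue
        }
    }
}

function Test-CrossProtocolBlock {
    # One object per application so the output can be exported or diffed across hosts
    foreach ($app in $OfficeApps) {
        $value = $null
        if (Test-Path $FeatureKey) {
            $value = (Get-ItemProperty -Path $FeatureKey -Name $app -ErrorAction SilentlyContinue).$app
        }
        [pscustomobject]@{ Application = $app; Value = $value; Mitigated = ($value -eq 1) }
    }
}

function Set-AsrRules {
    # Block mode. For the PsExec/WMI rule on servers consider 'AuditMode' first,
    # as the page notes it can break management tooling there.
    foreach ($name in $AsrRules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrRules[$name] `
                         -AttackSurfaceReductionRules_Actions Enabled
    }
}

function Test-AsrRules {
    # Action codes reported by Get-MpPreference: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    foreach ($name in $AsrRules.Keys) {
        $action = $null
        for ($i = 0; $i -lt $ids.Count; $i++) {
            if ($ids[$i] -ieq $AsrRules[$name]) { $action = $actions[$i] }
        }
        [pscustomobject]@{ Rule = $name; Id = $AsrRules[$name]; Action = $action; Blocking = ($action -eq 1) }
    }
}

switch ($Mode) {
    'Apply'    { Set-CrossProtocolBlock; Set-AsrRules; Test-CrossProtocolBlock; Test-AsrRules }
    'Rollback' { Remove-CrossProtocolBlock; Test-CrossProtocolBlock }
    'Verify'   { Test-CrossProtocolBlock; Test-AsrRules }
}
```

Run with `-Mode Verify` (the default) to get a per-application and per-rule report without changing anything; a host is mitigated only when every `Mitigated` and `Blocking` column is `True`. The registry values are written under the HKLM policy path exactly as the list above specifies, so Group Policy can be used to deploy the same values at scale.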
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
|---|---|---|
| Initial Access | T1566 | Phishing |
| Execution | T1204 | User Execution |
| Discovery | T1082 | System Information Discovery |
| Discovery | T1217 | Browser Information Discovery |
| Discovery | T1083 | File and Directory Discovery |
| Defense Evasion | T1070 | Indicator Removal |
| Lateral Movement | T1534 | Internal Spearphishing |
| Lateral Movement | T1550 | Use Alternate Authentication Material |
| Impact | T1486 | Data Encrypted for Impact |
| Impact | T1490 | Inhibit System Recovery (deletion of volume shadow copies) |
| Command and Control | T1071 | Application Layer Protocol |
Indicators Of Compromise
| Indicators | Indicator Type | Description |
|---|---|---|
| d4a847fa9c4c7130a852a2e197b205493170a8b44426d9ec481fc4b285a92666 | SHA256 | Underground Team ransomware |
| fb4ad5d21f0d8c6755eb4addba0ac288bd2574b6 | SHA1 | Underground Team ransomware |
| 059175be5681a633190cd9631e2975f6 | MD5 | Underground Team ransomware |
References
- https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/
- https://www.trendmicro.com/en_us/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html
- https://www.zscaler.com/blogs/security-research/technical-analysis-industrial-spy-ransomware
- https://cert.gov.ua/article/5077168
- https://www.bleepingcomputer.com/news/security/ukraines-delta-military-system-users-targeted-by-info-stealing-malware/