Hackers using Weaponized Office Document to Exploit Windows Search RCE

by Esmeralda McKenzie

A new attack chain campaign has been discovered that involves the exploitation of CVE-2023-36884 and CVE-2023-36584. CVE-2023-36884 is a remote code execution vulnerability, and CVE-2023-36584 is a security bypass vulnerability that can also be used to exploit CVE-2023-36884.

CVE-2023-36884 was given a severity rating of 8.8 (High), and CVE-2023-36584's severity rating was 5.4 (Medium). The threat actor attributed to the exploit chain is a pro-Russian APT group known as Storm-0978, aka RomCom Group.


Windows Search RCE Flaw

As part of the initial attack chain, a .docx file was found that was not tagged with MotW (Mark of the Web), so Protected View was disabled when the file was opened.

An MS-DOCX file is a compressed ZIP archive that includes an XML file at word/document.xml containing the document's text and formatting.

The document.xml file includes an anchor for the imported external content element altChunk, which imports RTF content. This RTF file, afchunk.rtf, contains two malicious Object Linking and Embedding (OLE) objects.
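The altChunk import described above is something a defender can check for directly, since it is plain XML inside the ZIP. The script below is an added example for this article, not code from Palo Alto or from the campaign: it builds a constructed, harmless sample .docx in memory whose word/document.xml carries an altChunk backed by an RTF part, resolves the relationship through word/_rels/document.xml.rels, and flags chunks that are external or that start with an RTF signature. The sample file names, relationship id and RTF text are made up for the demo.

```python
"""Triage a .docx for altChunk imports that pull in RTF or external content.

Added example for the article, not Palo Alto's or the campaign's code. The
sample .docx built here is constructed and harmless; names and ids are made up.
"""
import io
import posixpath
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PR_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
AFCHUNK_TYPE = R_NS + "/aFChunk"


def _resolve_part(target):
    """Map a relationship Target (relative to word/) onto a zip entry name."""
    if target.startswith("/"):
        return target.lstrip("/")
    return posixpath.normpath(posixpath.join("word", target))


def find_altchunks(docx_bytes):
    """Return one dict per w:altChunk in word/document.xml.

    Each dict records the relationship id, the resolved Target, whether the
    relationship is External (content fetched from outside the package) and
    whether the embedded part starts with an RTF signature.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        if "word/document.xml" not in names:
            return findings
        doc = ET.fromstring(z.read("word/document.xml"))
        rels = {}
        if "word/_rels/document.xml.rels" in names:
            for rel in ET.fromstring(z.read("word/_rels/document.xml.rels")):
                rels[rel.get("Id")] = rel
        for chunk in doc.iter("{%s}altChunk" % W_NS):
            rid = chunk.get("{%s}id" % R_NS)
            rel = rels.get(rid)
            target = rel.get("Target") if rel is not None else None
            external = rel is not None and rel.get("TargetMode") == "External"
            is_rtf = False
            if target and not external:
                part = _resolve_part(target)
                if part in names:
                    # RTF parts begin with the literal "{\rtf" signature.
                    is_rtf = z.read(part)[:5] == b"{\\rtf"
            findings.append({"rid": rid, "target": target,
                             "external": external, "is_rtf": is_rtf})
    return findings


def is_suspicious(docx_bytes):
    """True if any altChunk is external or pulls in an RTF part."""
    return any(f["external"] or f["is_rtf"] for f in find_altchunks(docx_bytes))


def build_sample_docx(with_altchunk=True):
    """Construct a minimal .docx in memory (harmless demo content only)."""
    body = '<w:altChunk r:id="rId5"/>' if with_altchunk else ""
    document = (
        '<w:document xmlns:w="%s" xmlns:r="%s"><w:body>'
        '<w:p><w:r><w:t>demo</w:t></w:r></w:p>%s</w:body></w:document>'
        % (W_NS, R_NS, body))
    rels = (
        '<Relationships xmlns="%s">'
        '<Relationship Id="rId5" Type="%s" Target="afchunk.rtf"/>'
        '</Relationships>' % (PR_NS, AFCHUNK_TYPE))
    content_types = (
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Default Extension="rtf" ContentType="application/rtf"/>'
        '</Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", document)
        z.writestr("word/_rels/document.xml.rels", rels)
        z.writestr("word/afchunk.rtf", "{\\rtf1\\ansi demo only}")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in find_altchunks(build_sample_docx()):
        print(finding)
    print("suspicious:", is_suspicious(build_sample_docx()))
```

To run it against a real file, replace `build_sample_docx()` with the bytes of the document under review; an altChunk whose target is external, or whose part is RTF, is the structure worth pulling apart further (the RTF itself can then be checked for embedded OLE objects).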

First Stage of the Exploit Chain

The malicious OLE objects in afchunk.rtf request content from two URLs:

  • \\104.234.239[.]26\share1\MSHTML_C7\file001.url
  • hxxp://74.50.94[.]156/MSHTML_C7/start.xml

If the victim host accesses \\104.234.239[.]26\share1\MSHTML_C7\file001.url, the victim's NTLM credentials, which include the hostname and username, are leaked to the threat actor-controlled SMB server. The URLs define two files: file001.url and file001.htm.

Abusing the Windows Search Handler

file001.htm contains JavaScript that uses iframes to load multiple files. The first filename includes the victim's IP address and a 5-digit identifier and ends with file001.search-ms. Following this, three HTTP requests with the string .zip_k* in the URLs are made.

Original MotW Bypass – CVE-2023-36584

Windows Search scans the extension of every file to determine its contents. When it finds internet files, it writes the file to a temporary directory and adds MotW to it. This operation has a race condition that can be exploited to bypass MotW.

Three techniques were associated with this: Server Side ZIP Swap (Metadata TOCTOU), Server Side Delay (Close Operation) and Server Side Delay (Read Operation).

Server Side ZIP Swap – Metadata TOCTOU

This technique is exploitable when the ZIP archive is downloaded from a remote server. The zipfldr.dll library reads the ZIP file's header and caches the data in memory.

Once the file header is read, the ZIP with MotW can be replaced with a legitimate file name using the TOCTOU condition, bypassing MotW on the file.

Server Side Delay – Close Operation

This technique is associated with the Zone.Identifier ADS, which can be served with a time delay using an SMB server. The technique was possible due to the SMB2 protocol's close operation, which consists of a close request and a close response.

Source: Palo Alto

Server Side Delay – Read Operation

Windows reads a portion of large files that come from a remote share. If there is random data at the end of the file, the SMB server can delay the writing of the file until after Windows adds MotW to it.

The file is usable during the writing process because it is opened with a read/write dwShareMode.
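All three bypasses above have the same outcome: the Zone.Identifier alternate data stream that carries Mark of the Web is missing or incomplete, so Protected View never engages. The script below is an added example for this article, not Palo Alto's or the campaign's code: it parses the INI-style body of a Zone.Identifier stream, maps the ZoneId onto the URLMON zone names, and reports whether the default Protected View policy would apply. The sample stream text is constructed for the demo; the read helper works only on Windows/NTFS and returns None elsewhere, so the parser itself can be exercised on any platform.

```python
"""Inspect the Zone.Identifier stream that carries Mark of the Web.

Added example for the article, not Palo Alto's or the campaign's code.
SAMPLE_ADS is a constructed stream body; read_zone_identifier() is Windows-only.
"""
import configparser
import sys

# URLMON security zone ids as written into the ZoneId field.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

# Constructed sample of a Zone.Identifier body for a file saved from a browser.
SAMPLE_ADS = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/download/\r\n"
    "HostUrl=https://example.invalid/files/report.docx\r\n"
)


def parse_zone_identifier(text):
    """Parse a Zone.Identifier body; None if there is no usable ZoneTransfer section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case as written (ZoneId, ReferrerUrl, ...)
    cp.read_string(text)
    if not cp.has_section("ZoneTransfer"):
        return None
    sec = cp["ZoneTransfer"]
    try:
        zone_id = int(sec.get("ZoneId", ""))
    except ValueError:
        return None
    return {
        "zone_id": zone_id,
        "zone": ZONE_NAMES.get(zone_id, "Unknown"),
        "referrer": sec.get("ReferrerUrl"),
        "host_url": sec.get("HostUrl"),
    }


def triggers_protected_view(info):
    """Default Protected View applies to the Internet (3) and Restricted sites (4) zones."""
    return info is not None and info["zone_id"] >= 3


def read_zone_identifier(path):
    """Read the raw ADS on Windows; None when unsupported or absent."""
    if sys.platform != "win32":
        return None
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8",
                  errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


if __name__ == "__main__":
    # With a path argument on Windows, inspect that file; otherwise use the sample.
    body = read_zone_identifier(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ADS
    info = parse_zone_identifier(body or "")
    print(info, "-> Protected View:", triggers_protected_view(info))
```

A file fetched from the internet that comes back with `None` here (no stream at all) is exactly the state the article describes for the lure document, which is why Protected View did not engage.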

A complete report on the attack chain has been published by Palo Alto, which gives detailed information about the exploitation techniques, methods of operation, and other data.

Indicators of Compromise

SHA256 hash – Filename

  • a61b2eafcf39715031357df6b01e85e0d1ea2e8ee1dfec241b114e18f7a1163f – Overview_of_UWCs_UkraineInNATO_campaign.docx
  • 0896e7c5433b2d426a30a43e7f4ef351fa870be8bd336952a0655392f8f8052d – word/document.xml
  • b5731baa7920b4649add429fc4a025142ce6a1e1adacb45850470ca4562d5e37 – word/_rels/document.xml.rels
  • e7cfeb023c3160a7366f209a16a6f6ea5a0bc9a3ddc16c6cba758114dfe6b539 – afchunk.rtf
  • 3d0dae359325e8e96cf46459c38d086279865457379bd6380523727db350de43 – file001.url
  • 48142dc7fe28a5d8a849fff11cb8206912e8382314a2f05e72abad0978b27e90 – start.xml
  • bfe3ebcc92a4a7d294b63ce0d7eba6313980d982709a27b337abe32651b63856 – file001.zip
  • c94e2bfd4e2241fed42113049c84ac333fcff340cc202afe8926f8e885d5fca3 – 2222.chm
  • f08cc922c5dab73f6a2534f8ceec8525604814ae7541688b7f65ac9924ace855 – 1111.htm
  • cdc39ce48f8f587c536450a3bd0feb58bf40b59b310569797c1c9ae8d28b2914 – RFile.asp
  • fd4fd44ff26e84ce6587413271cf7ff3960471a55eb0d51b0a9870b577d66f4a – file001.htm
  • 4fc768476ee92230db5dbc4d8cbca49a71f8433542e62e093c3ad160f699c98d – redir_obj.htm
  • 0adb2734a1ca0ccaf27d8a46c08b2fd1e19cb1fbd3fea6d8307851c691011f0f – file1.htm
  • 7a1494839927c20a4b27be19041f2a2c2845600691aa9a2032518b81463f83be – file1.mht
  • 20f58bd5381509072e46ad79e859fb198335dcd49c2cb738bd76f1d37d24c0a7 – fileH.htm
  • ee46f8c9769858aad6fa02466c867d7341ebe8a59c21e06e9e034048013bf65a – fileH.mht
  • c187aa84f92e4cb5b2d9714b35f5b892fa14fec52f2963f72b83c0b2d259449d – ex001.url

The following network paths referenced in this research are associated with the July 2023 lure:

  • \\104.234.239[.]26\share1\MSHTML_C7\file001.url
  • \\104.234.239[.]26\share1\MSHTML_C7\ex001.url
  • file[:]//104.234.239[.]26/share1/MSHTML_C7/1/
  • file[:]//104.234.239[.]26/share1/MSHTML_C7/ex001.zip/file001.vbs
  • hxxp://74.50.94[.]156/MSHTML_C7/start.xml
  • hxxp://74.50.94[.]156/MSHTML_C7/zip_k.asp?d=
  • hxxp://74.50.94[.]156/MSHTML_C7/zip_k2.asp?d=
  • hxxp://74.50.94[.]156/MSHTML_C7/zip_k3.asp?d=
  • hxxps://www.ukrainianworldcongress[.]info/sites/default/files/document/forms/2023/Overview_of_UWCs_UkraineInNATO_campaign.docx

Source credit : cybersecuritynews.com
