
Russia-Based Actor Exploits Unpatched Office Zero Day


A financially and politically motivated cybercriminal group based in Russia is actively exploiting a zero-day vulnerability in Office and Windows products, according to Microsoft. In a recent blog post, Microsoft identified the group as Storm-0978 and revealed that they have been carrying out an ongoing phishing campaign since June. The campaign targets defense and government entities in Europe and North America.

The phishing campaign involves sending malicious attachments in Word documents through phishing emails. These emails are disguised as lures related to the Ukrainian World Congress and NATO, tricking organizations into opening the attachments. In addition to the phishing campaign, Storm-0978 has also been observed engaging in ransomware activity, which Microsoft considers to be separate from their espionage-focused targets.

Microsoft described Storm-0978 as a cybercriminal group based in Russia known for conducting opportunistic ransomware attacks and extortion-only operations. They also engage in credential-gathering campaigns, likely in support of intelligence operations. The group is also referred to as RomCom, the name of their backdoor, by other security vendors.

The blog post provided details about the tactics, techniques, and procedures used by Storm-0978, as well as a timeline of confirmed activity. Microsoft first identified this group’s activity in December of last year. During the recent phishing campaign, Microsoft observed the use of a fake OneDrive loader to deliver the backdoor. The group has also been known to use trojanized versions of legitimate software, such as Adobe products, SolarWinds Orion, and KeePass, before installing their backdoor malware known as RomCom.

According to the blog post, Storm-0978 has acquired exploits targeting zero-day vulnerabilities, based on the phishing activity attributed to the group. This indicates that they are continuously looking for and exploiting new vulnerabilities to carry out their attacks.

What sets this campaign apart is the group’s involvement in ransomware activity. Microsoft discovered that Storm-0978 was simultaneously carrying out a separate ransomware attack against an unrelated target using the same initial payloads. This highlights the group’s distinct espionage and financial motivations. Their espionage targets include organizations involved in Ukraine affairs, while their ransomware targets are primarily in the telecommunications and finance sectors.

During the ransomware attacks, Storm-0978 used a variant called Underground, which Microsoft has linked to Industrial Spy ransomware. To gain access to credentials, the group dumped password hashes from the Security Account Manager (SAM) through the Windows registry.
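The credential-access step described above (exporting the SAM hive through the registry so that its password hashes can be read offline) leaves a recognisable trace in process-creation telemetry: `reg.exe` saving or exporting the `SAM`, `SYSTEM` or `SECURITY` hives, which no ordinary user workflow does. The following detection routine is an added example written for this page, not code from the article, Microsoft or BlackBerry; the `key="value"` log format, field names and sample records are constructed assumptions, so adapt the parser to whatever your EDR or Sysmon pipeline emits.

```python
"""
Added example (not from the article or Microsoft's post): flag process-creation
records in which reg.exe saves or exports a hive that holds local password
hashes (SAM) or the key material needed to decrypt them (SYSTEM, SECURITY).
The key="value" record format, the field names and the sample lines are
assumptions made for this example.
"""
import re
from typing import Dict, List

# Hives whose export exposes local credentials or the keys protecting them.
SENSITIVE_HIVES = re.compile(
    r"\b(HKLM|HKEY_LOCAL_MACHINE)\\(SAM|SYSTEM|SECURITY)\b", re.IGNORECASE
)
# reg.exe verbs that write a hive copy to disk.
SAVE_VERBS = re.compile(r"\b(save|export)\b", re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed key="value" process-creation record (assumed format)."""
    return {m.group(1): m.group(2) for m in re.finditer(r'(\w+)="([^"]*)"', line)}


def is_sam_hive_dump(event: Dict[str, str]) -> bool:
    """True when reg.exe is asked to save/export a credential-bearing hive."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    if not image.endswith("\\reg.exe"):
        return False
    return bool(SAVE_VERBS.search(cmd) and SENSITIVE_HIVES.search(cmd))


def find_hive_dumps(lines: List[str]) -> List[Dict[str, str]]:
    """Return every parsed record that matches the hive-dump pattern."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if event and is_sam_hive_dump(event):
            hits.append(event)
    return hits


# Constructed sample telemetry, not real logs. Record 1 is benign reg usage,
# records 2 and 3 are the hive exports a defender wants to alert on, record 4
# is a different binary whose command line merely contains the word "save".
SAMPLE_LOG = [
    'EventID="1" Host="ws01" User="CORP\\jsmith" Image="C:\\Windows\\System32\\reg.exe" '
    'CommandLine="reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"',
    'EventID="1" Host="ws01" User="CORP\\jsmith" Image="C:\\Windows\\System32\\reg.exe" '
    'CommandLine="reg save HKLM\\SAM C:\\Users\\Public\\sam.hiv"',
    'EventID="1" Host="ws01" User="CORP\\jsmith" Image="C:\\Windows\\System32\\reg.exe" '
    'CommandLine="reg save HKLM\\SYSTEM C:\\Users\\Public\\sys.hiv"',
    'EventID="1" Host="ws02" User="CORP\\svc" Image="C:\\Windows\\System32\\notepad.exe" '
    'CommandLine="notepad.exe save.txt"',
]

if __name__ == "__main__":
    for hit in find_hive_dumps(SAMPLE_LOG):
        print(f"[ALERT] possible SAM hive dump on {hit['Host']} by {hit['User']}: "
              f"{hit['CommandLine']}")
```

Two design points: the rule keys on the image name as well as the command line, so a benign tool whose arguments happen to mention "save" or "SAM" does not fire, and it treats SYSTEM and SECURITY as equally sensitive, because the SAM hashes are only usable together with the boot key stored in SYSTEM. Pair this with alerting on new `.hiv` files in user-writable paths and with the Defender settings the article lists next, which are the controls that block the follow-on ransomware stage.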

To defend against Storm-0978 activity, Microsoft recommended several measures, including turning on cloud-delivered protection in Microsoft Defender Antivirus, running EDR in block mode, and enabling automated investigation and remediation in fully automated mode.

Microsoft also mentioned that they are currently investigating the reports of active exploitation of the vulnerability tracked as CVE-2023-36884. Once their investigation is complete, they may provide a security update to address this vulnerability.

Adam Barnett, lead software engineer at Rapid7, commented on the zero-day vulnerability in a blog post. He pointed out that Microsoft had announced 130 vulnerabilities on Patch Tuesday this week, including five zero-day flaws. However, he expressed surprise that there is no patch yet for CVE-2023-36884 and recommended that defenders consult the available mitigation options.

In a separate development, the BlackBerry Threat Research and Intelligence Team observed a threat actor associated with RomCom impersonating the Ukrainian World Congress to target NATO summit guests who may support Ukraine. These phishing attacks, which were observed on July 4, also used Microsoft Word documents. BlackBerry assessed with medium to high confidence that the activity was either a rebranded RomCom operation or that members of the RomCom threat group were involved in the new campaign in support of a new threat group.

While BlackBerry has not observed RomCom involved in ransomware activity, they believe the threat actor is likely a supporter of Russia’s invasion of Ukraine based on the language used in the social engineering and the context of the attacks.

In conclusion, the financially and politically motivated cybercriminal group Storm-0978, based in Russia, is actively exploiting a zero-day vulnerability in Office and Windows products. This group has been conducting an ongoing phishing campaign targeting defense and government entities in Europe and North America. Microsoft has provided recommendations for defending against this group’s activity and is investigating the vulnerability to provide a security update. Additionally, the BlackBerry Threat Research and Intelligence Team has observed a potential rebranded operation or involvement of members of the RomCom threat group in a separate campaign targeting NATO summit guests.
