This post is also available in: 日本語 (Japanese)

Executive Summary

With July's Patch Tuesday release, Microsoft disclosed a zero-day Office and Windows HTML Remote Code Execution Vulnerability, CVE-2023-36884, which it rated "important" severity. Microsoft has observed active in-the-wild exploitation of this vulnerability using specially crafted Microsoft Office documents. It should be noted that exploitation requires the user to open the malicious document.

Unit 42 Threat Intelligence can confirm that this vulnerability has been utilized since at least July 3, 2023. Further analysis is being conducted; an update will be made to this Threat Brief as the analysis is completed.

Microsoft has released a patch for Microsoft Office that stops the attack chain leading to execution of this vulnerability. For those unable to patch, they recommend blocking Office applications from creating child processes or setting FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key to avoid exploitation. See the Security Updates page for more information.

Palo Alto Networks customers receive protections from and mitigations for CVE-2023-36884 in the following ways:

  • Organizations can engage the Unit 42 Incident Response team for specific assistance with this threat and others.
  • Cortex XDR and XSIAM agents help protect against post-exploitation activities associated with exploitation of CVE-2023-36884 as well as use Local Analysis detections for RomCom binaries on Windows environments.
  • Cortex XDR blocks the publicly known exploit chain for CVE-2023-36884.
  • Advanced WildFire can help detect and prevent attacks involving highly evasive malware.
  • Next-Generation Firewall with Advanced Threat Prevention security subscriptions can help block associated payloads and attack.
  • Cloud-Delivered Security Services can categorize C2 domains associated with this activity as malicious.

Unit 42 will continue to monitor the situation for updated information, release of proof-of-concept code and evidence of more widespread exploitation. This brief will be updated as more information on the vulnerability and mitigations becomes available.

Vulnerabilities Discussed CVE-2023-36884, RomCom RAT

Details of the Vulnerability

With July's Patch Tuesday release, Microsoft disclosed a zero-day Office and Windows HTML Remote Code Execution Vulnerability, CVE-2023-36884, which it rated “important” severity. Microsoft has observed active in-the-wild exploitation of this vulnerability using specially crafted Microsoft Office documents.

It should be noted that all exploitation examples seen so far require the user to open a malicious document. After the user opens the malicious document, it downloads a file containing a script that initiates an iframe injection resulting in the download of a malicious payload. It is not currently clear whether the underlying vulnerability is reliant on office documents for delivery. It is possible the vulnerability could be exploited using other, yet to be seen, delivery mechanisms. For example, Microsoft’s security advisory includes a mitigation that recommends adding wordpad.exe as one of nine applications under a registry key that would block urls using the file: protocol originating from untrusted zones, such as the Internet zone or Restricted Sites zone.

Current Scope of the Attack

Unit 42 Threat Intelligence can confirm that this vulnerability has been utilized since at least July 3, 2023. Early exploitation of this vulnerability includes the use of the RomCom malware, which was reported by Microsoft on July 11, 2023. RomCom, originally observed by Unit 42 in May 2022, is a low-volume malware family that was historically observed in various attacks throughout the past year, including ransomware attacks, as well as targeted espionage-related attacks. The malware acts as a Remote Access Trojan (RAT), and provides an attacker with various capabilities including, but not limited to, directory listings, filesystem modifications, uploading and downloading files, and execution of processes.

Interim Guidance

Microsoft recommends blocking Office applications from creating child processes or setting the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key to avoid exploitation. See the Security Updates page for more information.

Conclusion

Based on the amount of publicly available information and current research and analysis, Palo Alto Networks highly recommends applying the patch for Microsoft Office to protect your organization. Palo Alto Networks and Unit 42 will continue to monitor the situation for updated information, release of proof-of-concept code and evidence of more widespread exploitation. 

Palo Alto Networks customers are protected by our products and services, as listed below. We will update this threat brief as more relevant information becomes available.

Palo Alto Networks has shared our findings, including file samples and indicators of compromise, with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.

Palo Alto Networks Product Protections for CVE-2023-36884

Palo Alto Networks customers can leverage a variety of product protections and updates to identify and defend against this threat.

Unit 42 Incident Response

If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:

  • North America Toll-Free: 866.486.4842 (866.4.UNIT42)
  • EMEA: +31.20.299.3130
  • APAC: +65.6983.8730
  • Japan: +81.50.1790.0200

Advanced Wildfire

Advanced WildFire uses multiple techniques (Automated Unpacking, Dependency Emulation, Run-Time Memory Analysis, Machine Learning, Static Analysis, Dynamic Analysis, Heuristic Analysis, and others) to detect and protect against RomCom and other highly evasive malware and variants of such.

Next-Generation Firewalls and Prisma Access With Advanced Threat Prevention

Next-Generation Firewall with the Advanced Threat Prevention security subscription can help block the associated payloads and attack via the following Threat Prevention signatures: 86775, 86776, 86777.

Cloud-Delivered Security Services for the Next-Generation Firewall

Command and control (C2) domains associated with this malicious activity are categorized as malicious by Advanced URL Filtering and DNS Security.

Cortex XSOAR

Cortex XSOAR has released a response pack and playbook for CVE-2023-36884 to help automate and speed the mitigation process.

This playbook automates the following tasks:

  • Indicators of compromise (IoC) downloads and hunting
  • Threat hunting queries related to behavior identified as part of exploitation patterns
  • Microsoft mitigation actions

The playbook can be triggered manually or run as a job.

Cortex XDR and XSIAM

Cortex XDR and XSIAM agents help protect against post-exploitation activities described in this article using Behavioral Threat Protection, the multiple protection modules and detect suspicious activity using Cortex Analytics as well as using Local  Analysis detections for RomCom binaries on Windows environments. Cortex XDR blocks the publicly known exploit chain for CVE-2023-36884.

Indicators of Compromise

  • a61b2eafcf39715031357df6b01e85e0d1ea2e8ee1dfec241b114e18f7a1163f
  • e7cfeb023c3160a7366f209a16a6f6ea5a0bc9a3ddc16c6cba758114dfe6b539
  • 3a3138c5add59d2172ad33bc6761f2f82ba344f3d03a2269c623f22c1a35df97
  • 48142dc7fe28a5d8a849fff11cb8206912e8382314a2f05e72abad0978b27e90
  • 07377209fe68a98e9bca310d9749daa4eb79558e9fc419cf0b02a9e37679038d
  • 5f40cb4852ec50ee24f3cd951a172c725d02012d17dd645b6ce22d324aa140ad
  • 1a7bb878c826fe0ca9a0677ed072ee9a57a228a09ee02b3c5bd00f54f354930f
  • 0501d09a219131657c54dba71faf2b9d793e466f2c7fdf6b0b3c50ec5b866b2a
  • 74.50.94[.]156 
  • 94.232.40[.]34
  • 66.23.226[.]102
  • 104.234.239[.]26
  • 65.21.27[.]250
  • finformservice[.]com
  • altimata[.]org
  • penofach[.]com
  • bentaxworld[.]com
  • wexonlake[.]com
  • ukrainianworldcongress[.]info

Updated July 13, 2023, at 3:00 p.m. PT to add Advanced Wildfire protections information.

Updated July 13, 2023, at 8:45 p.m. PT to note status of patch and detection guidance. 

Updated July 14, 2023, at 11:58 a.m. PT to add protections information for Next-Generation Firewall and Cloud-Delivered Security Services. Cortex XDR and XSIAM protections information was updated. Details, attack scope, interim guidance, and threat hunting queries were added. IoCs are now listed. 

Updated July 17, 2023, at 4:15 p.m. PT to add Cortex XSOAR information.

Updated August 9, 2023, at 10:35 a.m. PT to include patch released by Microsoft.

Updated August 10, 2023, at 10:25 a.m. PT to include additional Cortex XDR protections.

Enlarged Image