Earlier this week, Microsoft disclosed reports of a series of remote code execution vulnerabilities, CVE-2023-36884, impacting Windows and Office products. Microsoft is actively investigating reports of this CVE being exploited in targeted attacks. It is crucial to take measures that will safeguard workstations as this remains unpatched.
What Happened
This cyber-attack involves the creation of a malicious Microsoft Office document that allows an attacker to execute remote code on a victim's computer. There is a catch. The victim must open the malicious file.
This attack is effective even when macros are disabled and when the document is opened in protected mode, a security feature within Microsoft Office. The attacker's goal is to install a backdoor on the victim's machine by executing a malicious file named 'Calc.exe' that acts as the backdoor.
The backdoor, known as RomCom, connects to a command-and-control (C2) server to register the victim and send back information such as the username, network adapter details, and RAM size of the compromised computer. To ensure persistence, the backdoor writes a file called 'security.dll' that runs automatically at system reboot.
Once the backdoor is installed, it awaits commands from the C2 server. These commands may include activities such as exfiltrating data from the victim's computer, downloading additional malware payloads, deleting files or directories, creating processes with spoofed process IDs (PIDs), or establishing a reverse shell to provide remote access to the attacker.
Vulnerable files
Excel.exe
Graph.exe
MSAccess.exe
MSPub.exe
PowerPoint.exe
Visio.exe
WinProj.exe
WinWord.exe
Wordpad.exe
Recommended Action:
- Use Defender for Office.
- Enable "Block all Office applications from creating child processes."
- If that is not possible, add a REG_DWORD value with its data set to 1 under the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION
How ThreatLocker Mitigates Unpatched Office Zero-Day
Our objective here at ThreatLocker is to deny anything we have not seen previously in an environment. One of Microsoft’s recommendations for CVE-2023-36884 is to put your EDR in “block mode.” ThreatLocker, by default, is always in “block mode” as we explicitly deny anything we don’t trust.
Furthermore, the second stage of this attack tries to execute a malicious program known as “Calc.exe.” This file is responsible for establishing a connection to a C2 server. We have ringfenced the Office suite from speaking to PowerShell and the internet, thus preventing the connection before it is even initiated. With the ThreatLocker Ringfencing™ solution, we are denying the interaction between your Office suite and applications that could be leveraged by this exploit.