Customer Advisory: Awareness | Storm-0978 (RomCom): Cyber-espionage Campaign Targeting NATO Talks, Exploiting CVE-2023-36884

Source Material:

• Microsoft Threat Intelligence
• BlackBerry Threat Research and Intelligence Team
• Computer Emergency Response Team of Ukraine
• Trend Micro

Targeted Industries: Public Administration and Educational Services, specifically those involved in international affairs and global policy-making

Executive Summary

This cyber threat intelligence report provides an in-depth analysis of recent cyber-espionage activities conducted by the threat group Storm-0978, also known as RomCom. The report sheds light on the tactics, techniques, and procedures (TTPs) employed by the threat actors, their intentions, objectives, and capabilities, as well as the potential risks and impacts of their activities. Our findings are based on information reported by Microsoft, BlackBerry, and CERT-UA utilizing various analytic techniques.

The threat actors employed spear-phishing emails with malicious attachments to gain initial access, leveraging a remote code execution vulnerability (CVE-2023-36884) before its disclosure to Microsoft. They exhibit advanced social engineering skills and demonstrate a high level of technical capability. The threat actors’ political objective is to disrupt Ukraine’s NATO membership talks while gathering sensitive intelligence.

The report highlights the potentially severe impact of Storm-0978’s activities, including significant data breaches and the risk of geopolitical instability. The targeted organizations, specifically those involved in international affairs and global policy-making, face significant risk. To counter these threats, recommendations include implementing robust email security measures, multi-factor authentication, regular system patching, and training staff to recognize and report phishing attempts.

The findings of this report emphasize the need for organizations to enhance their cybersecurity posture and remain vigilant against the evolving tactics of Storm-0978. Organizations can strengthen their resilience against this threat by implementing the recommended mitigation actions and protecting their critical assets and sensitive information.

ATI Insights & Determinations

• Storm-0978 displays advanced social engineering skills and technical capabilities, evidenced by their sophisticated spear-phishing techniques and exploitation of undisclosed vulnerabilities to deliver custom backdoors.
• The threat actors demonstrate their intention to influence geopolitical events, evidenced by their targeting of organizations with sensitive intelligence related to Ukraine and NATO.
• The targeted organizations, particularly those involved in international affairs, face a significant risk from Storm-0978’s activities, including potential severe data breaches and geopolitical instability.
• Storm-0978 will likely continue targeting organizations involved in geopolitical events, focusing on influencing or disrupting Ukraine’s potential NATO membership. Their tactics, techniques, and procedures (TTPs) are expected to evolve, incorporating more advanced exploits and intrusion methods. Vigilance and proactive defense measures are crucial in mitigating this threat.

Introduction

This cyber threat intelligence report provides an in-depth analysis of recent cyber-espionage activities conducted by the threat group Storm-0978 also known as RomCom, as reported by Microsoft and BlackBerry, respectively. The report aims to shed light on the tactics, techniques, and procedures (TTPs) employed by Storm-0978, their intentions, objectives, and capabilities, as well as the potential risks and impacts of their activities. This report’s purpose is to enhance the understanding of this latest activity among cybersecurity professionals, enabling them to detect, respond to, and mitigate the threat posed by Storm-0978, thereby strengthening the overall cybersecurity posture. Questions or feedback about this intelligence can be submitted here.

Overview & Background

A recent blog post from Microsoft provides additional information to BlackBerry’s previous blog post concerning the activities of Storm-0987 or RomCom, which targeted Ukraine and NATO membership talks at the 2023 NATO Summit in Vilnius, Lithuania. In Microsoft’s blog post, they highlight how the threat actors exploited a remote code execution vulnerability before it was disclosed to Microsoft. BlackBerry’s post provides a more detailed analysis of the threat actor’s tactics, techniques, and procedures (TTPs) and their potential impacts on global security and geopolitics.

Historically, the threat actor known as Storm-0987/RomCom has been involved in ransomware attacks and cyber espionage operations. This actor has been known to employ sophisticated and less sophisticated techniques to infiltrate systems and networks, often with the intent of financial gain or espionage. The RomCom backdoor can receive approximately 42 commands, including running AnyDesk and freeSSHd, exfiltrating data, or downloading additional files.

Threat Analysis

The threat actor has demonstrated a sophisticated blend of tactics and techniques in their operations. Their latest campaign, motivated by political objectives, involved spear-phishing emails with malicious attachments for initial access that exploited a remote code execution vulnerability before disclosure to Microsoft (CVE-2023-36884) to deliver a backdoor with capabilities similar to RomCom. The threat actors crafted the emails to appear legitimate. They included links to two documents hosted on a domain (ukrainianworldcongress[.]info) cloned from the legitimate ukrainianworldcongress.org website and created on 26 June and resolving to the IP address 213.139.204[.]13 [AS 395092( SHOCK-1 )].

Indicators include specific email subjects and senders (“NATO Summit, 11-12 July 2023″/uwcukraine@ukrainianworldcongress[.]info), malicious file hashes, and unique network traic patterns associated with the backdoor. These IOCs can identify Storm-0987 activity and create new correlation rules, alerts, or filters. The data sources that contain these reported TTPs and indicators include email servers, endpoint protection platforms, and network monitoring tools.

To correlate malicious activity, an alert on a suspicious email can be associated with endpoint logs showing the execution of a suspicious file. Similarly, network logs can be correlated with endpoint logs to identify the full scope of an intrusion.

The threat actor’s intention for this campaign is political, aiming to disrupt Ukraine’s NATO membership talks and gather intelligence. The group is highly capable, demonstrating advanced social engineering and malware development skills.

Risk & Impact Assessment

Based on the information gathered from the blog posts, it is evident that targeted organizations face a significant risk. The threat actor demonstrates advanced capabilities in cyber espionage and financially motivated attacks. The group’s recent activities indicate a shift in focus towards organizations involved in Ukraine’s NATO membership talks. This shift suggests that the threat actor is interested in obtaining sensitive political information, which could have far-reaching implications for the targeted organizations and nations.

The impact of Storm-0987’s activities is potentially severe. Their multi-stage intrusions can lead to significant data breaches. The threat actor’s focus on Ukraine’s NATO membership talks also raises concerns about geopolitical instability. If sensitive information about these talks is leaked or manipulated, it could disrupt diplomatic relations and potentially escalate tensions. Furthermore, the group could remain undetected for extended periods, allowing them to exfiltrate sensitive data before defensive measures can be implemented. Therefore, organizations must prioritize cybersecurity measures to promptly detect and mitigate such threats.

Outlook

The threat actor known as Storm-0987 or RomCom has demonstrated a clear pattern of targeting political organizations, particularly those involved in Ukraine’s NATO membership talks. Their use of sophisticated techniques such as spear-phishing, credential harvesting, and lateral movement within networks indicates a high level of technical capability and strategic planning.

Given their recent activities and President Biden’s statement on 13 July that Ukraine will join NATO, it is likely that Storm-0987 will continue to target similar organizations, particularly those involved in geopolitical events. The group’s focus on Ukraine and NATO suggests they are interested in influencing or disrupting Ukraine’s potential NATO membership. Therefore, organizations involved in these discussions, or those with a significant stake in the outcome, should be particularly vigilant.

Furthermore, the group’s use of custom malware and zero-day exploits suggests that they are well-resourced and capable of developing new attack vectors. As such, we can expect that their tactics, techniques, and procedures (TTPs) will continue to evolve, potentially incorporating more advanced exploits or novel intrusion and data exfiltration methods.

ATI Actions & Recommendations

ATI has added observables to our indicator feeds and we conduct further detection assessment and threat hunting from data reported in this intelligence report. However, not all activity can be hunted, detected, or monitored due to limitations in log sources received by Deepwatch.

To counter techniques used by Storm-0987, organizations should consider the following actions:

• Implement robust email security measures such as DMARC, DKIM, and SPF to prevent spear-phishing attacks. Regularly train staff to recognize and report phishing attempts.
• Implement multi-factor authentication (MFA) across all systems, particularly for privileged accounts, to mitigate the risk of credential harvesting.
• Regularly update and patch all systems to protect against known vulnerabilities. Consider implementing a vulnerability management program to identify and remediate vulnerabilities systematically.

Additionally, Microsoft recommends the following actions to mitigate the risk of Storm-0987 and CVE-2023-36884 exploitation attempts:

• Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
• Run EDR in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus doesn’t detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
• Enable investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
• Use Microsoft Defender for Office 365 for enhanced phishing protection and coverage against new threats and polymorphic variants. Defender for Office 365 customers should ensure that Safe Attachments and Safe Links protection is enabled for users with Zero-hour Auto Purge
• (ZAP) to remove emails when a URL gets weaponized post-delivery.
• Microsoft 365 Defender customers can turn on attack surface reduction rules to prevent common attack techniques used in ransomware attacks:
  • Block process creations originating from PsExec and WMI commands – Some organizations might experience compatibility issues with this rule on certain server systems but should deploy it to other systems to prevent lateral movement originating from PsExec and WMI, including Impacket’s WMIexec.
  • Block executable files from running unless they meet a prevalence, age, or trusted list criterion
  • Use advanced protection against ransomware
  • Block all Office applications from creating child processes
• In Storm-0987s current intrusion chain, using the Block all Office applications from creating child processes rule prevents the vulnerability from being exploited.
• Organizations that cannot take advantage of these protections can set the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key to avoid exploitation. Please note that while this registry setting would mitigate exploitation of this issue, it could affect regular functionality for specific use cases related to these applications.

BOLO

We recommend that all customers retrospectively hunt for malicious activity, which will likely indicate compromise, using the threat hunting guidance provided below, and the observables listed in the source material.

Be On the Lookout (BOLO)

• AV/EDR alerts related to the following
  • Registry dumping of the SAM hive
  • Exploitation of CVE-2023-36884
  • Impacket (SMBExec & WMIExec)
• Anomalous child processes of Microsoft Word (WINWORD.EXE)
  • Ex. WINWORD.EXE spawning msdt.exe (may be indicative of Follina/CVE-2022-30190 exploitation)
• Anomalous outbound network connections from WINWORD.EXE or its children processes
  • Especially on TCP ports 80, 445, and 139 (HTTP & SMB)
• In the absence of process network telemetry, it may be possible to hunt this activity by examining web proxy data for outbound connections on port 80 with a rare user agent related to microsoft office
• Outbound web traic containing the patterns below:
  • ?d= in the URL
    • Ex. hxxp://74.50.94[.]156/MSHTML_C7/zip_k.asp?d=34.141.245[.]25_f68f9_
  • “mds/ ” in the URL
    • Ex. hXXp://65[.]21.27.250:8080/mds/D————————
  • “/MSHTML_*/” in the URL
    • hXXp://74[.]50.94.156/MSHTML_C7/RFile[.]asp
    • hxxp://74.50.94[.]156/share1/MSHTML_C7/1/
• Presence of C:\\Users\\Public\\AccountPictures\\Defender\\Security.dll or addition of registry run keys referencing it
• External emails containing links to .doc or .docx files as shown in Figure 3
• Presence/execution of astrachat.msi
• Modification of the Windows Registry as shown below
  • [HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{C90250F3-4D7D  4991-9B69-

A5C5BC1C2AE6}\InProcServer32]

• @=”%PUBLIC%\\Libraries\\prxyms<number>.dll”

• Presence/reference to the following:
  • %PUBLIC%\Libraries\PhotoDirector.dll
  • %PUBLIC%\Libraries\BrowserData\procsys.dll
  • %PUBLIC%\Libraries\upd-fil<number>.dll0
  • %PUBLIC%\Libraries\dsk.exe
  • %PUBLIC%\Libraries\wallet.exe
  • %PUBLIC%\Libraries\7z.dll
  • %PUBLIC%\Libraries\7z.exe
  • %PUBLIC%\Libraries\7za.exe
  • %PUBLIC%\Libraries\msg.dll
  • %PUBLIC%\Libraries\FileInfo.dll
• Usage of the following commands:
  • %SYSTEMROOT%\System32\control.exe %TEMP%\testdll64.cpl
  • %TEMP%\testdll.dll
  • rundll32.exe %TEMP%\testdll.dll
  • taskkill.exe /f /im iexplore.exe
• Anomalous/unauthorized usage of 3proxy.exe, plink.exe, or AnyDesk
• Anomalous ports being opened via rundll32.exe (especially in the range 5554-5600)

↑