Hackers using Weaponized Office Document to Exploit Windows Search RCE

A new attack chain has been discovered that exploits CVE-2023-36884 together with CVE-2023-36584. CVE-2023-36884 is a remote code execution vulnerability, and CVE-2023-36584 is a Mark of the Web (MotW) security feature bypass that is used to complete the exploitation of CVE-2023-36884.

CVE-2023-36884 carries a CVSS severity rating of 8.8 (High), and CVE-2023-36584 a rating of 5.4 (Medium). The exploit chain has been attributed to the pro-Russian APT group Storm-0978, also known as the RomCom Group.

Windows Search RCE Flaw

The initial stage of the attack chain is a .docx file that did not carry the Mark of the Web (MotW), so Office did not open it in Protected View.

A DOCX file is a ZIP archive whose main part, word/document.xml, holds the document's text and formatting.

In this document, document.xml contains an altChunk element, an anchor for imported external content, which pulls in an RTF part named afchunk.rtf. That RTF file contains two malicious Object Linking and Embedding (OLE) objects.

First Stage of the Exploit Chain

The malicious OLE objects in afchunk.rtf request content from two URLs:

  • \\104.234.239[.]26\share1\MSHTML_C7\file001.url
  • hxxp://74.50.94[.]156/MSHTML_C7/start.xml

When the victim host connects to \\104.234.239[.]26\share1\MSHTML_C7\file001.url, it authenticates to the attacker-controlled SMB server, leaking the victim's NTLM credentials together with the hostname and username. Together, these two locations deliver two further files: file001.url and file001.htm.
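The chain described in the last few paragraphs (document.xml, an altChunk, a relationship pointing at an RTF part, OLE objects inside that part carrying a UNC path and a URL) can be walked with the Python below. It is an added example for triage, not code from the Palo Alto report or from the sample itself: the DOCX it builds is a constructed stand-in with a toy \objdata blob (a short header, the link, a terminator), while a real OLE object carries far more structure. The two defanged targets are the ones quoted above; the aFChunk relationship type and the WordprocessingML namespaces are the standard ones.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by the WordprocessingML main part and the package relationships part.
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

# Remote references worth flagging inside an OLE object: UNC paths (an SMB connection,
# hence NTLM authentication) and http(s) URLs. Defanged forms (hxxp, [.]) are accepted
# so that IOC-style samples can be fed in unchanged.
REMOTE_RE = re.compile(
    rb"(\\\\[\w.\-\[\]]+\\[^\x00\s\"<>]+|h(?:tt|xx)ps?://[^\x00\s\"<>]+)", re.I
)


def altchunk_targets(docx: zipfile.ZipFile) -> list:
    """Return the relationship target of every w:altChunk in word/document.xml."""
    doc = ET.fromstring(docx.read("word/document.xml"))
    rels = ET.fromstring(docx.read("word/_rels/document.xml.rels"))
    rel_map = {r.get("Id"): r.get("Target") for r in rels.iter(f"{{{REL_NS}}}Relationship")}
    return [rel_map.get(c.get(f"{{{R_NS}}}id"), "<unresolved>") for c in doc.iter(f"{{{W_NS}}}altChunk")]


def rtf_ole_objects(rtf: bytes) -> list:
    """Decode every \\objdata hex blob in an RTF part and list the remote references
    each OLE object carries, searching the blob both as ASCII and as UTF-16LE."""
    objects = []
    for m in re.finditer(rb"\\objdata\s*([0-9A-Fa-f\s]+)", rtf):
        blob = bytes.fromhex(re.sub(rb"\s", b"", m.group(1)).decode("ascii"))
        wide = blob.decode("utf-16-le", errors="ignore").encode("latin-1", errors="ignore")
        refs = {r.decode("latin-1") for r in REMOTE_RE.findall(blob) + REMOTE_RE.findall(wide)}
        objects.append(sorted(refs))
    return objects


def analyze_docx(data: bytes) -> dict:
    """Follow document.xml -> altChunk -> relationship -> RTF part -> OLE objects."""
    with zipfile.ZipFile(io.BytesIO(data)) as docx:
        targets = altchunk_targets(docx)
        ole = {}
        for target in targets:
            part = "word/" + target
            if part in docx.namelist():
                ole[target] = rtf_ole_objects(docx.read(part))
        return {"altchunk_targets": targets, "ole_objects": ole}


def build_sample_docx() -> bytes:
    """Constructed stand-in for the lure, not the real sample: a minimal DOCX whose body
    is a single altChunk pointing at afchunk.rtf, which holds two OLE objects whose
    \\objdata blobs wrap the two (defanged) targets named in the article."""
    def objdata(link: bytes) -> str:
        # Toy OLE payload: a short header, the link, a terminator; only the link matters here.
        return (b"\x01\x05\x00\x00" + link + b"\x00\x00").hex()

    unc = "\\\\104.234.239[.]26\\share1\\MSHTML_C7\\file001.url".encode("utf-16-le")
    url = b"hxxp://74.50.94[.]156/MSHTML_C7/start.xml"
    document_xml = (
        f'<w:document xmlns:w="{W_NS}" xmlns:r="{R_NS}"><w:body>'
        '<w:altChunk r:id="rId1"/></w:body></w:document>'
    )
    rels_xml = (
        f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/aFChunk" '
        'Target="afchunk.rtf"/></Relationships>'
    )
    rtf = (
        "{\\rtf1{\\object\\objautlink{\\*\\objdata " + objdata(unc) + "}}"
        "{\\object\\objautlink{\\*\\objdata " + objdata(url) + "}}}"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", document_xml)
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
        zf.writestr("word/afchunk.rtf", rtf)
    return buf.getvalue()


if __name__ == "__main__":
    print(analyze_docx(build_sample_docx()))
```

Any altChunk whose relationship resolves to an RTF part, or any OLE object that references a UNC path, is worth a closer look even before the payload is understood: the UNC reference alone is enough to make the host authenticate to a remote SMB server.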

Abusing the Windows Search Handler

file001.htm contains JavaScript that uses iframes to load several more files. The first file name is built from the victim's IP address and a five-digit identifier and ends in file001.search-ms, which hands the request to the Windows Search protocol handler. After that, three HTTP requests are made to URLs containing zip_k.asp, zip_k2.asp and zip_k3.asp.

New MotW Bypass – CVE-2023-36584

When Windows Search handles such a request, it inspects each file's extension to determine its contents. When it encounters files from the internet, it writes the file to a temporary directory and adds the MotW to it. This operation contains a race condition that can be exploited to bypass the MotW.

Palo Alto described three techniques: Server Side ZIP Swap (Metadata TOCTOU), Server Side Delay (Close Operation) and Server Side Delay (Read Operation).

Server Side ZIP Swap – Metadata TOCTOU

This technique is exploitable when the ZIP archive is downloaded from a remote server. zipfldr.dll reads the ZIP file's header and caches that data in memory.

Once the header has been read and cached, the server can serve a different archive under the same file name before the file data is read. Because of this time-of-check to time-of-use (TOCTOU) window, the MotW handling decided on the first read no longer matches the file that is actually delivered, and the file escapes the MotW.
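The following Python is an added, simplified model of the metadata-then-data TOCTOU described above; it does not reproduce zipfldr.dll's logic, and the "server" is a constructed object that returns one archive on the first read and another on every later read. It parses the central directory itself so that the cached-metadata step is visible, and then shows the one cheap check the cached metadata does offer: recomputing CRC-32 over the bytes actually delivered. The member name file001.vbs comes from the network paths listed later in the article; the payloads are constructed.

```python
import io
import struct
import zipfile
import zlib

EOCD_SIG, CD_SIG, LFH_SIG = b"PK\x05\x06", b"PK\x01\x02", b"PK\x03\x04"


def read_central_directory(blob: bytes) -> list:
    """Parse the end-of-central-directory record and the central directory it points
    at. Returns one dict per member: name, compression method, CRC-32, compressed
    size and the offset of its local file header."""
    eocd = blob.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, total, _, cd_off, _ = struct.unpack_from("<HHHHIIH", blob, eocd + 4)
    entries, pos = [], cd_off
    for _ in range(total):
        if blob[pos:pos + 4] != CD_SIG:
            raise ValueError("corrupt central directory")
        (_, _, _, method, _, _, crc, csize, _, nlen, elen, clen,
         _, _, _, off) = struct.unpack_from("<HHHHHHIIIHHHHHII", blob, pos + 4)
        name = blob[pos + 46:pos + 46 + nlen].decode("utf-8")
        entries.append({"name": name, "method": method, "crc": crc, "csize": csize, "offset": off})
        pos += 46 + nlen + elen + clen
    return entries


def extract_entry(source, entry: dict) -> bytes:
    """Read one member's data from whatever bytes `source()` returns *now*, trusting the
    previously cached `entry` for its offset, size and method (time of use)."""
    blob = source()
    pos = entry["offset"]
    if blob[pos:pos + 4] != LFH_SIG:
        raise ValueError("local header not where the cached metadata said")
    nlen, elen = struct.unpack_from("<HH", blob, pos + 26)
    start = pos + 30 + nlen + elen
    raw = blob[start:start + entry["csize"]]
    if entry["method"] == 0:
        return raw
    if entry["method"] == 8:
        return zlib.decompress(raw, -15)
    raise ValueError("unsupported compression method")


class SwappingSource:
    """Constructed model of the attacker's server: the first read (the metadata read)
    gets `first`; every later read (the data read) gets `second`."""

    def __init__(self, first: bytes, second: bytes):
        self.first, self.second, self.reads = first, second, 0

    def __call__(self) -> bytes:
        self.reads += 1
        return self.first if self.reads == 1 else self.second


def make_zip(name: str, payload: bytes) -> bytes:
    """Build a single-member, stored (uncompressed) archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def naive_open(source) -> dict:
    """Cache the directory from one read (time of check), extract from a later read
    (time of use). Anything decided on the cached metadata applies to the wrong bytes."""
    entry = read_central_directory(source())[0]
    data = extract_entry(source, entry)
    return {"name": entry["name"], "expected_crc": entry["crc"], "data": data}


def verified_open(source) -> dict:
    """Same flow, but recompute CRC-32 over the bytes actually delivered and compare
    with the cached directory entry, which exposes a naive swap."""
    result = naive_open(source)
    result["crc_ok"] = zlib.crc32(result["data"]) == result["expected_crc"]
    return result


def demo() -> dict:
    """Constructed payloads; both members are padded to the same size so the cached
    offset and size stay valid after the swap, as the attacker would arrange."""
    benign = make_zip("file001.vbs", b"' harmless placeholder".ljust(32))
    swapped = make_zip("file001.vbs", b'WScript.Echo "swapped in"'.ljust(32))
    return {
        "naive": naive_open(SwappingSource(benign, swapped))["data"],
        "verified_swap": verified_open(SwappingSource(benign, swapped))["crc_ok"],
        "verified_clean": verified_open(SwappingSource(benign, benign))["crc_ok"],
    }


if __name__ == "__main__":
    print(demo())
```

The CRC comparison catches a careless swap but is not a security boundary: CRC-32 is trivially forgeable, so an attacker who pads the second archive can make it match. The durable fix is the one implied by the report, namely deciding MotW on the bytes that are actually written rather than on metadata cached from an earlier read.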

Server Side Delay – Close Operation

This technique targets the Zone.Identifier alternate data stream (ADS) that carries the MotW. It relies on the SMB2 protocol's close operation, which consists of a close request and a close response: an attacker-controlled SMB server can hold back the close response, delaying the close and with it the moment at which the Zone.Identifier ADS is added.

Source: Palo Alto

Server Side Delay – Read Operation

For large files on a remote share, Windows reads the content in portions. If the file is padded with random data at its end, the SMB server can delay serving that tail, so the local copy is still being written at the point where Windows would otherwise add the MotW.

The partially written file is already usable during this window because it is opened with a dwShareMode that allows shared read and write access.
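All three techniques have the same end result: a file on disk with no Zone.Identifier stream, or one added too late. The Python below is an added example (not from the Palo Alto report) of the check an investigator would run afterwards: parse the stream, decide whether it marks the file as Internet or Restricted zone, and audit a set of paths. Reading the stream through the `path:Zone.Identifier` name syntax only works on NTFS under Windows; off-Windows the reader returns None, and the sample streams are constructed, with the defanged URLs from this article as their ReferrerUrl and HostUrl values.

```python
import sys

# Zone IDs as written by URLMON into the Zone.Identifier stream; 3 and 4 are what
# Office and Windows treat as "from the internet" for Protected View and SmartScreen.
ZONES = {0: "LocalMachine", 1: "LocalIntranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}

# Constructed sample streams (not captured from the campaign): the first is what a
# download from the attacker's HTTP server would normally leave behind.
SAMPLE_INTERNET = (
    b"[ZoneTransfer]\r\nZoneId=3\r\n"
    b"ReferrerUrl=hxxp://74.50.94[.]156/MSHTML_C7/start.xml\r\n"
    b"HostUrl=hxxp://74.50.94[.]156/MSHTML_C7/zip_k.asp?d=\r\n"
)
SAMPLE_INTRANET = b"[ZoneTransfer]\r\nZoneId=1\r\n"


def parse_zone_identifier(stream: bytes) -> dict:
    """Parse the INI-style [ZoneTransfer] section of a Zone.Identifier ADS."""
    fields, in_section = {}, False
    for raw in stream.decode("utf-8", errors="replace").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def zone_of(stream) -> str:
    """Human-readable zone, or 'none' when the stream is absent or malformed."""
    if stream is None:
        return "none"
    try:
        return ZONES.get(int(parse_zone_identifier(stream).get("ZoneId", "")), "unknown")
    except ValueError:
        return "none"


def has_motw(stream) -> bool:
    """The MotW that triggers Protected View is ZoneId 3 (Internet) or 4 (Restricted)."""
    return zone_of(stream) in ("Internet", "Restricted")


def read_zone_identifier(path: str):
    """Read the stream through the NTFS `file:stream` name syntax. Only Windows exposes
    alternate data streams this way; elsewhere, or when the stream is missing, return None."""
    if not sys.platform.startswith("win"):
        return None
    try:
        with open(path + ":Zone.Identifier", "rb") as f:
            return f.read()
    except OSError:
        return None


def audit(paths, reader=read_zone_identifier) -> dict:
    """Report, per file, which zone its stream claims and whether MotW is present.
    `reader` is injectable so the logic can be exercised with constructed streams."""
    return {p: {"zone": zone_of(reader(p)), "motw": has_motw(reader(p))} for p in paths}


if __name__ == "__main__":
    # Constructed "file system": a dict standing in for read_zone_identifier.
    fake_fs = {"file001.htm": SAMPLE_INTERNET, "file001.vbs": None, "notes.txt": SAMPLE_INTRANET}
    print(audit(fake_fs, reader=fake_fs.get))
```

A file delivered through one of the bypasses above shows up as zone "none" even though its ReferrerUrl, had the stream been written, would have pointed at the attacker's server. That makes the check useful for scoping after the fact, not for catching the race while it happens.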

A complete report on the attack chain has been published by Palo Alto, with detailed information on the exploitation techniques, methods of operation and further indicators.

Indicators of Compromise

SHA256 hash – Filename

  • a61b2eafcf39715031357df6b01e85e0d1ea2e8ee1dfec241b114e18f7a1163f – Overview_of_UWCs_UkraineInNATO_campaign.docx
  • 0896e7c5433b2d426a30a43e7f4ef351fa870be8bd336952a0655392f8f8052d – word/document.xml
  • b5731baa7920b4649add429fc4a025142ce6a1e1adacb45850470ca4562d5e37 – word/_rels/document.xml.rels
  • e7cfeb023c3160a7366f209a16a6f6ea5a0bc9a3ddc16c6cba758114dfe6b539 – afchunk.rtf
  • 3d0dae359325e8e96cf46459c38d086279865457379bd6380523727db350de43 – file001.url
  • 48142dc7fe28a5d8a849fff11cb8206912e8382314a2f05e72abad0978b27e90 – start.xml
  • bfe3ebcc92a4a7d294b63ce0d7eba6313980d982709a27b337abe32651b63856 – file001.zip
  • c94e2bfd4e2241fed42113049c84ac333fcff340cc202afe8926f8e885d5fca3 – 2222.chm
  • f08cc922c5dab73f6a2534f8ceec8525604814ae7541688b7f65ac9924ace855 – 1111.htm
  • cdc39ce48f8f587c536450a3bd0feb58bf40b59b310569797c1c9ae8d28b2914 – RFile.asp
  • fd4fd44ff26e84ce6587413271cf7ff3960471a55eb0d51b0a9870b577d66f4a – file001.htm
  • 4fc768476ee92230db5dbc4d8cbca49a71f8433542e62e093c3ad160f699c98d – redir_obj.htm
  • 0adb2734a1ca0ccaf27d8a46c08b2fd1e19cb1fbd3fea6d8307851c691011f0f – file1.htm
  • 7a1494839927c20a4b27be19041f2a2c2845600691aa9a2032518b81463f83be – file1.mht
  • 20f58bd5381509072e46ad79e859fb198335dcd49c2cb738bd76f1d37d24c0a7 – fileH.htm
  • ee46f8c9769858aad6fa02466c867d7341ebe8a59c21e06e9e034048013bf65a – fileH.mht
  • c187aa84f92e4cb5b2d9714b35f5b892fa14fec52f2963f72b83c0b2d259449d – ex001.url

The following network paths referenced in this research are associated with the July 2023 lure:

  • \\104.234.239[.]26\share1\MSHTML_C7\file001.url
  • \\104.234.239[.]26\share1\MSHTML_C7\ex001.url
  • file[:]//104.234.239[.]26/share1/MSHTML_C7/1/
  • file[:]//104.234.239[.]26/share1/MSHTML_C7/ex001.zip/file001.vbs
  • hxxp://74.50.94[.]156/MSHTML_C7/start.xml
  • hxxp://74.50.94[.]156/MSHTML_C7/zip_k.asp?d=
  • hxxp://74.50.94[.]156/MSHTML_C7/zip_k2.asp?d=
  • hxxp://74.50.94[.]156/MSHTML_C7/zip_k3.asp?d=
  • hxxps://www.ukrainianworldcongress[.]info/sites/default/files/document/forms/2023/Overview_of_UWCs_UkraineInNATO_campaign.docx