CVE-2023-36884 is an Office and Windows HTML Remote Code Execution Vulnerability that let threat actors execute a remote HTML file bypassing all Office security checks.
This CVE is currently used in the wild by a TA called Storm-097, also referred to as RomCom.
The dPhish R&D team has successfully developed a detection method and forensic analysis technique specifically designed to identify CVE-2023-36684.
Forensics Analysis
We will forensically analysis one of the two samples discovered by Blackbeary to demonstrate how to identify the usage of this CVE
Sample SHA265: 3a3138c5add59d2172ad33bc6761f2f82ba344f3d03a2269c623f22c1a35df97
This file is a docx file accordingly we know that it’s a ZIP compressed file so the first step that we thought about is decompressing the ZIP file and look in its content
Then we opened the Word file thinking that it could be similar to the template injection technique. and we found an RTF file which is not usual to see, so we promptly examined this file feeling that it will be part of the creating this vulnerability.
going through the RTF file in a hex editor we noticed a hex bulk
so we decoded it to find the URL that the docx is communicating with
like though we can investigate adocx file searching for CVE-2023-36884.
Automated Detection
knowing that the RTF file is a main thing in this CVE we created a detection logic searching for an RTF file inside the decompressed version of the docx file inside the “word” directory knowing that if an RTF file attached inside a docx file it will be converted to doc and will be in the embedding folder inside the decompressed version of the docx so no false positive of that logic.
Also we created a Sublime Security rule to detect this CVE that could be found here
Brief about dPhish
dPhish Suite is a comperhensive anti phishing suite that aims to Assess, Enhance, and Add the company’s pre-, during, and post-phishing countermeasures by proactively evaluating and strengthening your human and technological defenses.
Using the dPhish suite, the company can benefit from a centralized portal to efficiently manage all phishing-related tasks. Gain insights about the gaps and guidance on resolving them which significantly reduces the risk of falling victim to phishing attacks.
Moreover, in the event of a successful phishing incident, the company will be empowered to respond promptly and gain visibility into any compromised credentials being traded on the internet or dark web.