In-depth analysis of July 2023 exploit chain featuring CVE-2023-36884 and CVE-2023-36584

During their analysis of a July 2023 campaign targeting groups supporting Ukraine’s admission into NATO, Unit 42 researchers discovered a new vulnerability for bypassing Microsoft’s Mark-of-the-Web (MotW) security feature.

This activity has been attributed by the community to the pro-Russian APT group known as Storm-0978 (also known as the RomCom Group, in reference to their use of the RomCom backdoor). This group used a highly complex and well-developed exploit chain leveraging a remote code execution (RCE) vulnerability in Microsoft Office designated CVE-2023-36884 to infect its targets with malware.

Read more…
Source: Palo Alto Unit 42