<h1>Storm-0978 attacks reveal financial and espionage motives</h1>
<p>Microsoft Security Blog, published July 11, 2023 (last modified July 3, 2024). Source: https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/</p>

<blockquote>
<p><strong>August 8, 2023 update:</strong> Microsoft released security updates to address CVE-2023-36884. Customers are advised to apply the patches, which supersede the mitigations listed in this blog, as soon as possible.</p>
</blockquote>
<p>Microsoft has identified a phishing campaign conducted by the threat actor tracked as Storm-0978 targeting defense and government entities in Europe and North America. The campaign abused CVE-2023-36884, a remote code execution vulnerability that was exploited via Word documents before it was disclosed to Microsoft, using lures related to the Ukrainian World Congress.</p>
<p>Storm-0978 (DEV-0978; also referred to as RomCom, the name of their backdoor, by other vendors) is a cybercriminal group based out of Russia, known to conduct opportunistic ransomware and extortion-only operations, as well as targeted credential-gathering campaigns likely in support of intelligence operations. Storm-0978 operates, develops, and distributes the RomCom backdoor. The actor also deploys the Underground ransomware, which is closely related to the Industrial Spy ransomware first observed in the wild in May 2022. The actor's latest campaign, detected in June 2023, involved abuse of CVE-2023-36884 to deliver a backdoor with similarities to RomCom.</p>

<p>Storm-0978 is known to target organizations with trojanized versions of popular legitimate software, leading to the installation of RomCom. Storm-0978's targeted operations have impacted government and military organizations primarily in Ukraine, as well as organizations in Europe and North America potentially involved in Ukrainian affairs. Identified ransomware attacks have impacted the telecommunications and finance industries, among others.</p>
<p>Microsoft 365 Defender detects multiple stages of Storm-0978 activity. Customers who use Microsoft Defender for Office 365 are protected from attachments that attempt to exploit CVE-2023-36884. In addition, customers who use Microsoft 365 Apps (Versions 2302 and later) are protected from exploitation of the vulnerability via Office. Organizations that cannot take advantage of these protections can set the <em>FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION</em> registry key to avoid exploitation. More mitigation recommendations are outlined in this blog.</p>

<blockquote>
<p>Microsoft 365 Defender is becoming Microsoft Defender XDR. Learn more.</p>
</blockquote>
<h2>Targeting</h2>

<p>Storm-0978 has conducted phishing operations with lures related to Ukrainian political affairs, targeting military and government bodies primarily in Europe. Based on the post-compromise activity identified by Microsoft, Storm-0978 distributes backdoors to target organizations and may steal credentials to be used in later targeted operations.</p>

<p>The actor's ransomware activity, in contrast, has been largely opportunistic in nature and entirely separate from espionage-focused targets. Identified attacks have impacted the telecommunications and finance industries.</p>
<h2>Tools and TTPs</h2>

<h3>Tools</h3>

<p>Storm-0978 uses trojanized versions of popular, legitimate software, leading to the installation of RomCom, which Microsoft assesses is developed by Storm-0978. Observed examples of trojanized software include Adobe products, Advanced IP Scanner, SolarWinds Network Performance Monitor, SolarWinds Orion, KeePass, and Signal. To host the trojanized installers for delivery, Storm-0978 typically registers malicious domains mimicking the legitimate software (for example, the malicious domain <em>advanced-ip-scaner[.]com</em>).</p>
<p>In financially motivated attacks involving ransomware, Storm-0978 uses the Industrial Spy ransomware, a ransomware strain first observed in the wild in May 2022, and the Underground ransomware. The actor has also used the Trigona ransomware in at least one identified attack.</p>

<p>Additionally, based on attributed phishing activity, Storm-0978 has acquired exploits targeting zero-day vulnerabilities. Identified exploit activity includes abuse of CVE-2023-36884, a remote code execution vulnerability exploited via Microsoft Word documents in June 2023, as well as abuse of vulnerabilities contributing to a security feature bypass.</p>
<h3>Ransomware activity</h3>

<p>In known ransomware intrusions, Storm-0978 has accessed credentials by dumping password hashes from the Security Account Manager (SAM) using the Windows registry. To access SAM, attackers must acquire SYSTEM-level privileges. Microsoft Defender for Endpoint detects this type of activity with alerts such as <em>Export of SAM registry hive</em>.</p>

<p>Storm-0978 has then used the Impacket framework's SMBExec and WMIExec functionalities for lateral movement.</p>

<p>Microsoft has linked Storm-0978 to previous management of the Industrial Spy ransomware market and crypter. However, since as early as July 2023, Storm-0978 began to use a ransomware variant called Underground, which contains significant code overlaps with the Industrial Spy ransomware.</p>