Potential CVE-2023-36884 Exploitation - File Downloads

 1title: Potential CVE-2023-36884 Exploitation - File Downloads
 2id: 6af1617f-c179-47e3-bd66-b28034a1052d
 3status: experimental
 4description: Detects files seen being requested by RomCom while potentially exploiting CVE-2023-36884
 5references:
 6    - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
 7author: X__Junior
 8date: 2023/07/12
 9tags:
10    - attack.command_and_control
11    - cve.2023.36884
12    - detection.emerging_threats
13logsource:
14    category: proxy
15detection:
16    selection:
17        cs-method: 'GET'
18        c-uri|contains:
19            - '/ex001.url'
20            - '/file001.search-ms'
21            - '/file001.url'
22            - '/file001.vbs'
23            - '/file1.mht'
24            - '/o2010.asp'
25            - '/redir_obj.html'
26            - '/RFile.asp'
27            - '/zip_k.asp'
28            - '/zip_k2.asp'
29            - '/zip_k3.asp'
30    condition: selection
31falsepositives:
32    - Unknown
33level: medium

References

• RomCom Threat Actor Suspected of Targeting Ukraine's NATO Membership Talks at the NATO Summit

  

  The BlackBerry Threat Research and Intelligence team has uncovered malicious lures targeting guests of the upcoming NATO Summit who may be providing support to Ukraine. Our analysis leads us to believe that that the threat actor known as RomCom is likely behind this operation.

  
  Read More

Related rules

• Potential CVE-2023-36884 Exploitation - Share Access
• Potential CVE-2023-36884 Exploitation - URL Marker
• Potential CVE-2023-36884 Exploitation Pattern
• Potential CVE-2303-36884 URL Request Pattern Traffic
• DarkGate - Autoit3.EXE File Creation By Uncommon Process