Microsoft zero-day vulnerability was being exploited for cyber-espionage

Mystery shrouds who was behind the attacks.

Spyware and crimeware campaigns share same Microsoft zero-day exploit

Two separate attack campaigns exploited the same Microsoft zero-day vulnerability to infect users with spyware and crimeware.

The security hole known as CVE-2017-0199 first made headlines in early April.

The vulnerability enables malicious actors to execute a Visual Basic script containing PowerShell commands when a user opens a Microsoft Office RTF document laden with an embedded exploit.

Following its initial disclosure, researchers observed attackers exploiting the bug, which affects all versions of Microsoft Office, to infect users with Dridex and other malware.

Microsoft patched the vulnerability in its Patch Tuesday on 11 April 2017. Even so, those Dridex campaigns are still sending fake photocopier documents to unsuspecting users at this time.


As it turns out, attackers have been abusing CVE-2017-0199 for a lot longer than the security community first thought.

FireEye threat researchers Ben Read and Jonathan Leathery elaborate on that point:

"As early as Jan. 25, 2017, lure documents referencing a Russian Ministry of Defense decree and a manual allegedly published in the 'Donetsk People's Republic' exploited CVE-2017-0199 to deliver FinSpy payloads. Though we have not identified the targets, FinSpy is sold by Gamma Group to multiple nation-state clients, and we assess with moderate confidence that it was being used along with the zero-day to carry out cyber espionage."

This particular campaign leveraged a file called СПУТНИК РАЗВЕДЧИКА.doc, a malicious version of a popular military training manual, to distribute FinSpy. Unfortunately, the malware was heavily obfuscated, which prevented FireEye from analyzing its command and control (C&C) information. All that's known is FinSpy originates from Gamma Group, a firm which conducts "lawful intercept" for its clients.

FinSpy Lure Purporting to be Russian Military Manual (Source: FireEye)

It's unclear which nation might have sponsored this malicious activity.

But that's not all.

Beginning on 4 March 2017, FireEye detected malicious documents exploiting CVE-2017-0199 being used to infect users with the LatentBot credential-stealer.

This malware campaign appears to be connected to the FinSpy attacks, as Read and Leathery explain:

"Shared artifacts in the FinSpy and LatentBot samples suggest the same builder was used to create both, indicating the zero-day exploit was supplied to both criminal and cyber espionage operations from the same source. Malicious documents used in both campaigns share a last revision time of: 2016-11-27 22:42:00"
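The shared last-revision time above is the kind of document-metadata artifact a triage team can extract to cluster samples. The following is an added example, not FireEye's or the article author's code: it assumes the lure documents are RTF files carrying a standard `\info` group, and it constructs a minimal RTF fragment (not a real sample) with the timestamp quoted above.

```python
import re
from datetime import datetime
from typing import Optional

# Constructed minimal RTF fragment (not a real sample). Its \info group carries
# a creation time and the revision time quoted in the article.
SAMPLE_RTF = (
    rb"{\rtf1\ansi{\info{\author x}{\creatim\yr2016\mo11\dy27\hr22\min40}"
    rb"{\revtim\yr2016\mo11\dy27\hr22\min42}}\par hello}"
)

# Sub-fields of an RTF timestamp group, e.g. \yr2016\mo11\dy27\hr22\min42
_FIELD = re.compile(rb"\\(yr|mo|dy|hr|min|sec)(\d+)")


def rtf_time(data: bytes, control: bytes) -> Optional[datetime]:
    """Return the timestamp stored in the given RTF info-group control word
    (b"revtim" for last revision, b"creatim" for creation), or None if absent."""
    m = re.search(rb"\{\\" + re.escape(control) + rb"([^}]*)\}", data)
    if not m:
        return None
    parts = {k.decode(): int(v) for k, v in _FIELD.findall(m.group(1))}
    if "yr" not in parts:  # year is the only mandatory sub-field
        return None
    # The RTF spec treats omitted month/day as 1 and omitted time fields as 0.
    return datetime(parts["yr"], parts.get("mo", 1), parts.get("dy", 1),
                    parts.get("hr", 0), parts.get("min", 0), parts.get("sec", 0))


def revision_time(data: bytes) -> Optional[datetime]:
    """Last revision time of an RTF document, the artifact FireEye reported."""
    return rtf_time(data, b"revtim")


def revision_key(data: bytes) -> Optional[str]:
    """Revision time formatted as in the article, usable as a clustering key."""
    t = revision_time(data)
    return t.strftime("%Y-%m-%d %H:%M:%S") if t else None


def shares_revision_time(a: bytes, b: bytes) -> bool:
    """True when two RTF documents carry the same \\revtim; a cheap signal that
    they came from the same builder, to be confirmed with other artifacts."""
    ta, tb = revision_time(a), revision_time(b)
    return ta is not None and ta == tb
```

Run `revision_key()` over a corpus of suspicious RTF attachments and group by the result; a large cluster sharing one timestamp is worth a closer look even before the payload is unpacked.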

No doubt attackers will continue to abuse the vulnerability to distribute Dridex and other malware. With that in mind, users should avoid clicking on suspicious links and email attachments. They should also apply all software fixes, including those for Microsoft Office, on a timely basis.

