Two separate attack campaigns exploited the same Microsoft zero-day vulnerability to infect users with spyware and crimeware.
The security hole known as CVE-2017-0199 first made headlines in early April.
The vulnerability enables malicious actors to execute a Visual Basic script containing PowerShell commands when a user opens a Microsoft Office RTF document laden with an embedded exploit.
Following its initial disclosure, researchers observed attackers exploiting the bug, which affects all versions of Microsoft Office, to infect users with Dridex and other malware.
Microsoft patched the vulnerability in its Patch Tuesday on 11 April 2017. Even so, those Dridex campaigns are still sending fake photocopier documents to unsuspecting users at this time.
As it turns out, attackers have been abusing CVE-2017-0199 for a lot longer than the security community first thought.
FireEye threat researchers Ben Read and Jonathan Leathery elaborate on that point:
“As early as Jan. 25, 2017, lure documents referencing a Russian Ministry of Defense decree and a manual allegedly published in the ‘Donetsk People’s Republic’ exploited CVE-2017-0199 to deliver FinSpy payloads. Though we have not identified the targets, FinSpy is sold by Gamma Group to multiple nation-state clients, and we assess with moderate confidence that it was being used along with the zero-day to carry out cyber espionage.”
This particular campaign leveraged a file called СПУТНИК РАЗВЕДЧИКА.doc, a malicious version of a popular military training manual, to distribute FinSpy. Unfortunately, the malware was heavily obfuscated, which prevented FireEye from analyzing its command and control (C&C) information. All that’s known is FinSpy originates from Gamma Group, a firm which conducts “lawful intercept” for its clients.
It’s unclear which nation might have sponsored this malicious activity.
But that’s not all.
Beginning on 4 March 2017, FireEye detected malicious documents exploiting CVE-2017-0199 being used to infect users with the LatentBot credential-stealer.
This malware campaign appears to be connected to the FinSpy attacks, as Read and Leathery explain:
“Shared artifacts in the FinSpy and LatentBot samples suggest the same builder was used to create both, indicating the zero-day exploit was supplied to both criminal and cyber espionage operations from the same source. Malicious documents used in both campaigns share a last revision time of: 2016-11-27 22:42:00”
No doubt attackers will continue to abuse the vulnerability to distribute Dridex and other malware. With that in mind, users should avoid clicking on suspicious links and email attachments. They should also implement their all software fixes, including for Microsoft Office, on a timely basis.