At least two separate groups of attackers, with disparate motives, have been exploiting the Microsoft Word vulnerability disclosed several days ago. Researchers say that both government-backed attackers and cybercrime groups are targeting the flaw, installing high-level professional malware as well as banking malware.
Microsoft on Tuesday released a patch for the vulnerability, but attackers have been going after the bug for several months now. Limited details of the bug have been public for about a week, although it appears that at least a couple of different attack groups have known about it for much longer. Researchers at FireEye have identified a group of attackers using the vulnerability to install the notorious Finspy malware on machines owned by Russian-speaking victims as far back as January.
“As early as Jan. 25, 2017, lure documents referencing a Russian Ministry of Defense decree and a manual allegedly published in the ‘Donetsk People’s Republic’ exploited CVE-2017-0199 to deliver FINSPY payloads. Though we have not identified the targets, FINSPY is sold by Gamma Group to multiple nation-state clients, and we assess with moderate confidence that it was being used along with the zero-day to carry out cyber espionage,” Ben Read and Jonathan Leathery of FireEye said in an analysis of the attack activity.
Finspy is well-known in the security research community for its use by government-backed attackers. It has been used in operations against activists in several countries, including Egypt, Bangladesh, Italy, and others. Finspy is high-end commercial intrusion software used by law enforcement and intelligence agencies. By contrast, some of the other attackers targeting the Word CVE-2017-0199 vulnerability are using the flaw to install a separate piece of malware known as Latentbot.
This malware has some surveillance and data-stealing capabilities, but it also can be used to erase the contents of a victim’s hard drive. Attack groups typically use the Latentbot malware as part of financial operations, and the FireEye researchers say it has been seen in attacks on the Word flaw since early March.
“As early as March 4, 2017, malicious documents exploiting CVE-2017-0199 were used to deliver the LATENTBOT malware. The malware, which includes credential theft capability, has thus far only been observed by FireEye iSIGHT Intelligence in financially motivated threat activity. Additionally, generic lures used in this most recent campaign are consistent with methods employed by financially motivated actors,” the analysis says.
Interestingly, there are several similarities between the attacks targeting the Word flaw, despite the different motives and targets.
“Shared artifacts in the FINSPY and LATENTBOT samples suggest the same builder was used to create both, indicating the zero-day exploit was supplied to both criminal and cyber espionage operations from the same source,” Read and Leathery said.
In addition to the attacks using Finspy and Latentbot, researchers also have seen attackers targeting the Word vulnerability to push the Dridex banking trojan. Read and Leathery said that although just a single attacker has been seen using Finspy, it’s likely that will change soon.
“Though only one FINSPY user has been observed leveraging this zero-day exploit, the historic scope of FINSPY, a capability used by several nation states, suggests other customers had access to it,” they said.