
Recent Microsoft 0-Day Used for Cyber-Espionage and Mundane Malware Distribution

  • April 13, 2017
  • 06:20 AM

The saga of CVE-2017-0199, a recently patched zero-day vulnerability affecting Microsoft Office and WordPad, got a little stranger yesterday when cyber-security firm FireEye revealed the vulnerability had been used both by cyber-criminals pushing mundane malware and by state-sponsored cyber-espionage groups.

This twisted tale starts in July 2016, when security researcher Ryan Hanson discovered a flaw in the way Office handles OLE objects embedded in RTF files, which he could exploit to execute code on the underlying operating system.

After finishing his research, Hanson submitted a write-up on the three bugs he found to Microsoft in October 2016, via the company's bug bounty program.

Uncharacteristically for Microsoft, the company took almost six months to fix the three bugs discovered by Hanson, delivering patches for all three (CVE-2017-0106, CVE-2017-0199, and CVE-2017-0204) in April's Patch Tuesday.

A few days before Microsoft patched the zero-day, news about it broke via blog posts from McAfee and FireEye, both companies revealing the zero-day was under active exploitation.

Zero-day used to target pro-Russian separatists in Ukraine

Unfortunately, this long patching window gave others the time to discover the same flaw. While McAfee and FireEye initially refrained from revealing any details about the zero-day, now that a patch is available, several security firms are sharing more behind-the-scenes details.

According to FireEye, the zero-day first came on their radar on January 25, 2017, when they discovered a FinSpy module exploiting the flaw.

FinSpy is the name of a hacking toolkit sold by Gamma Group. This product is usually sold to government and law enforcement agencies across the world and is not something you'd find on underground hacking forums.

This particular FinSpy campaign targeted Russian-speaking users with weaponized Word documents that would eventually install regular FinSpy backdoors on their computers. The documents referenced the Donetsk People's Republic, hinting at a campaign targeting the pro-Russian rebels in Eastern Ukraine.

While FireEye discovered only this campaign, the cyber-security firm believes Gamma Group made the exploit for this new Microsoft zero-day available to all of its clients, meaning it was likely used in other countries where the company sold its "lawful intercept" spyware.

Crimeware groups get their hands on the zero-day

Two months after this campaign, towards the end of March, FireEye says it detected the zero-day again, but this time used by a group of cyber-criminals spreading LatentBot, a sophisticated backdoor trojan, usually found in enterprise environments and used for economic espionage campaigns.

"Shared artifacts in the FINSPY and LATENTBOT samples suggest the same builder was used to create both, indicating the zero-day exploit was supplied to both criminal and cyber espionage operations from the same source," FireEye experts discovered.

"Malicious documents used in both campaigns share a last revision time of: 2016-11-27 22:42:00," experts added, hinting that someone was actively selling an exploit for Microsoft's zero-day to various groups.

Revision time artifact shared between FinSpy and LatentBot Samples [Source: FireEye]

Whoever held the exploit apparently started a yard sale after McAfee and FireEye disclosed the zero-day in public. Fearing that a patch was coming, they shared (most likely sold) the exploit with other crimeware groups.

For example, on Monday, Proofpoint detected a spam campaign using the zero-day exploit that pushed the Dridex banking trojan.

Similarly, on the same day, cyber-security firm Netskope discovered a similar spam flood, but this time pushing Godzilla, a generic malware downloader.

Zero-Day affected WordPad, not just Office

While this zero-day was initially classified as an Office vulnerability, Microsoft's security advisory revealed that it also affected WordPad, the basic word processor included by default with all Windows versions.

This means that users without Office installed were still at risk if they opened the booby-trapped files in WordPad. In that case the exploit embedded in the file would fire: the document's linked OLE object would fetch an HTA (HTML Application) file disguised as an RTF from a remote server, and the script inside the HTA would then run PowerShell commands to download and install the malware on the user's computer.
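The two artifacts described above, the remote link inside the document's OLE object and the shared last-revision timestamp FireEye used to cluster the FinSpy and LatentBot samples, can both be pulled out of an RTF file statically. The following triage script is an added example for this article, not code from FireEye, Microsoft or the original page. It decodes the hex blob in the `\objdata` group, reads the OLE1 class name, extracts any UTF-16LE URL stored with the link, notes whether the `\objupdate` control word is present (it makes Word refresh the link as soon as the document opens), and parses the `\revtim` timestamp from the `\info` group. The RTF sample inside it is constructed for the example: it reproduces those features but is not a byte-accurate copy of the real exploit documents, and the URL is a placeholder.

```python
"""Static triage of a suspected CVE-2017-0199 RTF lure.

Added example, not code from FireEye, Microsoft or the original article. The RTF
sample and the URL in it are constructed; the object blob mimics the features a
detector keys on rather than copying the real exploit documents byte for byte.
"""
import re
import struct
from datetime import datetime

PLACEHOLDER_URL = "http://lure.example.invalid/template.rtf"  # assumption: fake host


def _constructed_objdata(url: str) -> str:
    """Build the hex payload for \\objdata: an OLE1-style header naming the
    OLE2Link class, filler, then the link target stored as UTF-16LE."""
    class_name = b"OLE2Link\x00"
    header = (
        b"\x01\x05\x00\x00"                    # OLE1 version marker
        + b"\x02\x00\x00\x00"                  # format id
        + struct.pack("<I", len(class_name))   # class-name length
        + class_name
    )
    # Real samples carry a full compound-file object here; the detector only
    # needs the UTF-16LE URL string that the URL moniker stores.
    return (header + b"\x00" * 16 + url.encode("utf-16-le") + b"\x00\x00").hex()


# Constructed lure: \objupdate forces the link to refresh on open, \revtim matches
# the timestamp FireEye reported for both the FinSpy and LatentBot documents.
SAMPLE_RTF = (
    r"{\rtf1\ansi\deff0"
    + r"{\info{\title Invoice}{\revtim\yr2016\mo11\dy27\hr22\min42}}"
    + r"{\object\objautlink\objupdate\objw100\objh100"
    + r"{\*\objclass Word.Document.8}{\*\objdata " + _constructed_objdata(PLACEHOLDER_URL) + "}}"
    + r"\pard Please wait while the document loads.\par}"
)

# Constructed benign document for comparison.
BENIGN_RTF = r"{\rtf1\ansi\deff0{\info{\revtim\yr2017\mo4\dy13}}\pard Hello.\par}"

RE_OBJDATA = re.compile(r"\\objdata\s*([0-9a-fA-F\s]+)")
RE_REVTIM = re.compile(r"\\revtim((?:\\[a-z]+\d+)+)")
# "http://" or "https://" spelled in UTF-16LE, followed by printable wide chars
RE_WIDE_URL = re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[!-~]\x00)+")


def ole1_class_name(data: bytes):
    """Read the class name from an OLE1 object header (length field at offset 8)."""
    if len(data) < 12:
        return None
    (n,) = struct.unpack_from("<I", data, 8)
    if n == 0 or 12 + n > len(data):
        return None
    return data[12:12 + n].rstrip(b"\x00").decode("latin-1", "replace")


def revision_time(rtf: str):
    """Return the \\info group's \\revtim as 'YYYY-MM-DD HH:MM:SS', or None."""
    m = RE_REVTIM.search(rtf)
    if not m:
        return None
    f = dict(re.findall(r"\\([a-z]+)(\d+)", m.group(1)))
    try:
        stamp = datetime(int(f["yr"]), int(f["mo"]), int(f["dy"]),
                         int(f.get("hr", 0)), int(f.get("min", 0)), int(f.get("sec", 0)))
    except (KeyError, ValueError):
        return None
    return stamp.strftime("%Y-%m-%d %H:%M:%S")


def triage_rtf(rtf: str) -> dict:
    """Collect the indicators a responder wants from one RTF document."""
    result = {"class_names": [], "urls": [], "revtim": revision_time(rtf),
              "objupdate": re.search(r"\\objupdate\b", rtf) is not None,
              "suspicious": False}
    for m in RE_OBJDATA.finditer(rtf):
        blob = bytes.fromhex(re.sub(r"\s+", "", m.group(1)))
        name = ole1_class_name(blob)
        if name:
            result["class_names"].append(name)
        for u in RE_WIDE_URL.finditer(blob):
            result["urls"].append(u.group(0).decode("utf-16-le"))
    # An OLE2Link object pointing at a remote target is the CVE-2017-0199 pattern;
    # \objupdate on top means the fetch happens without any user interaction.
    result["suspicious"] = "OLE2Link" in result["class_names"] and bool(result["urls"])
    return result


if __name__ == "__main__":
    for label, doc in (("constructed lure", SAMPLE_RTF), ("benign", BENIGN_RTF)):
        print(label, triage_rtf(doc))
```

Run it against a directory of quarantined attachments and group the output by `revtim` and by URL: documents that share a revision timestamp down to the minute, as the FinSpy and LatentBot samples did, were almost certainly produced by the same builder, and the extracted URLs are the indicators to block at the proxy while patches roll out.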

The WordPad exploitation angle is also more dangerous because WordPad doesn't include Protected View, a protection mechanism that blocked the zero-day's exploitation in Office.

Nevertheless, if attackers chained CVE-2017-0199 with CVE-2017-0204, Hanson says they could also bypass Office Protected View if they wanted to.

Because Windows updates take some time to reach users' computers, and some admins purposely delay them, many systems remain exposed to this vulnerability.


Catalin Cimpanu
Catalin Cimpanu is the Security News Editor for Bleeping Computer, where he covers topics such as malware, breaches, vulnerabilities, exploits, hacking news, the Dark Web, and a few more. Catalin previously covered Web & Security news for Softpedia between May 2015 and October 2016. The easiest way to reach Catalin is via his XMPP/Jabber address at campuscodi@xmpp.is. For other contact methods, please visit Catalin's author page.