Since at least January, unidentified state-sponsored attackers have been targeting victims in Russia with FINSPY spyware delivered in exploits for an Office and WordPad zero-day vulnerability patched on Tuesday by Microsoft.
Separately, the same zero-day has been leveraged in financially motivated cybercrime operations to infect computers with credential-stealing LATENTBOT malware.
Researchers won’t say definitively who the victims are, but it’s likely that the exploit was obtained from the same source.
“The vulnerability and its implemented exploits were seemingly adopted by multiple parties for entirely different campaigns,” said security researcher Claudio Guarnieri, technologist at Amnesty International and a fellow at Citizen Lab. Guarnieri has independently studied FINSPY and FinFisher campaigns in the past. “That of course raises the suspicion that it might have been supplied by the same source.”
The zero-day vulnerability was disclosed last week by researchers at McAfee, and in short order, it was learned that criminals had begun using it to spread the Dridex banking malware in spam campaigns. Victims were receiving spam with malicious Word documents that not only exploited the zero-day vulnerability, but were also effective in bypassing most detection and mitigation efforts. When a victim opens the attachment, a script containing PowerShell commands executes and calls out to an attacker-controlled server for the payload.
Since the vulnerability affected all recent versions of Office, it was most attractive to attackers.
“An exploit that allows to execute code through documents for the most recent versions of Office on even the most recent version Windows, is a great resource to have for an attacker,” Guarnieri said. “Particularly, when it comes to espionage, delivering document exploits remains the tactic of choice. Not requiring to use macros or other less reliable techniques, provides a great advantage and likely a much higher success rate.”
Researchers at FireEye today said that CVE-2017-0199 has been used as early as Jan. 25. It was then when attachments promising a Russian Ministry of Defense training manual were first seen spreading FINSPY onto compromised machines. FINSPY, which is sold by FinFisher GmbH, is surveillance software used in espionage campaigns against high-value targets. It’s unknown whether FinFisher, which has numerous government clients, sold the malware used in these attacks or whether they were obtained on a black market forum.
“Given that we don’t know exactly who was behind these attacks, it is hard to say which nation-state it might be in particular, which makes it hard to guess whether this one in particular would recur to underground markets,” Guarnieri said. “I would imagine it could also be the case that the person who sold it might have done that through different channels serving different clients.”
FireEye said the malicious document sent in the attacks downloads the payload and a decoy document from 95[.]141[.]38[.]110. It also said that the version of FINSPY used in these attacks were obfuscated, preventing them from learning any command and control insight.
On March 4, FireEye said, it discovered documents in the wild exploiting the same zero-day but dropping instead LATENTBOT. The researchers said LATENTBOT has only been used in financially motivated cybercrime to date; it has various capabilities that include credential theft, hard drive and data wiping, remote desktop functions and the ability to disable antivirus software. FireEye said the attachments had generic subject lines such as “hire_form,” and “!!!!URGENT!!!!READ!!!,” consistent with cybercrime campaigns.
As of Monday, however, FireEye said the attackers had switched to TERDOT for their payload, a loader that calls out to download a Tor client and then a .onion site for malware.
“Shared artifacts in the FINSPY and LATENTBOT samples suggest the same builder was used to create both, indicating the zero-day exploit was supplied to both criminal and cyber espionage operations from the same source,” FireEye said. “Malicious documents used in both campaigns share a last revision time of: 2016-11-27 22:42:00.”