FireEye recently identified a vulnerability – CVE-2017-0199 – that allows a malicious actor to download and execute a Visual Basic script containing PowerShell commands when a user opens a Microsoft Office RTF document containing an embedded exploit. We worked with Microsoft and published the technical details of this vulnerability as soon as a patch was made available.
In this follow-up post, we discuss some of the campaigns we observed leveraging the CVE-2017-0199 zero-day in the days, weeks and months leading up to the patch being released.
CVE-2017-0199 used by multiple actors
FireEye assesses with moderate confidence that CVE-2017-0199 was leveraged by financially motivated and nation-state actors prior to its disclosure. Actors leveraging FINSPY and LATENTBOT used the zero-day as early as January and March, and similarities between their implementations suggest they obtained exploit code from a shared source. Recent DRIDEX activity began following a disclosure on April 7, 2017.
FINSPY malware used to target russian-speaking victims
As early as Jan. 25, 2017, lure documents referencing a Russian Ministry of Defense decree and a manual allegedly published in the "Donetsk People's Republic" exploited CVE-2017-0199 to deliver FINSPY payloads. Though we have not identified the targets, FINSPY is sold by Gamma Group to multiple nation-state clients, and we assess with moderate confidence that it was being used along with the zero-day to carry out cyber espionage.
The malicious document, СПУТНИК РАЗВЕДЧИКА.doc (MD5: c10dabb05a38edd8a9a0ddda1c9af10e), is a weaponized version of a widely available military training manual. Notably, this version purports to have been published in the “Donetsk People's Republic,” the name given to territory controlled by anti-Kyiv rebels in Eastern Ukraine.
The initial malicious document downloaded further payloads, including malware and a decoy document from 22.214.171.124. This site was open indexed to allow recovery of additional lure content, including prikaz.doc (MD5: 0F2B7068ABFF00D01CA7E64589E5AFD9), which claims to be a Russian Ministry of Defense decree approving a forest management plan.
Per a 2015 report from CitizenLab, Gamma Group licenses their software to clients and each client uses unique infrastructure, making it likely that the two documents are being used by a single client.
FINSPY malware is sold by Gamma Group, an Anglo-German “lawful intercept” company. Gamma Group works on behalf of numerous nation-state clients, limiting insight into the ultimate sponsor of the activity. The FINSPY malware was heavily obfuscated, preventing the extraction of command and control (C2) information.
CVE-2017-0199 used to distribute LATENTBOT
As early as March 4, 2017, malicious documents exploiting CVE-2017-0199 were used to deliver the LATENTBOT malware. The malware, which includes credential theft capability, has thus far only been observed by FireEye iSIGHT Intelligence in financially motivated threat activity. Additionally, generic lures used in this most recent campaign are consistent with methods employed by financially motivated actors.
LATENTBOT is a modular and highly obfuscated type of malware first discovered by FireEye iSIGHT intelligence in December 2015. It is capable of a variety of functions, including credential theft, hard drive and data wiping, disabling security software, and remote desktop functionality. Recently, we observed LATENTBOT campaigns using Microsoft Word Intruder (MWI).
The lure documents distributing LATENTBOT malware used generic social engineering. The documents that were used are shown in Table 1, and all used 126.96.36.199 as a C2 domain.
On April 10, the actors altered their infrastructure to deliver TERDOT payloads instead of LATENTBOT. This TERDOT payload (MD5: e3b600a59eea9b2ea7a0d4e3c45074da) beacons to http://188.8.131.52/SBz1efFx/gt45gh.php, then downloads a Tor client and beacons to sudoofk3wgl2gmxm.onion.
FINSPY and LATENTBOT samples share origin
Shared artifacts in the FINSPY and LATENTBOT samples suggest the same builder was used to create both, indicating the zero-day exploit was supplied to both criminal and cyber espionage operations from the same source.
Malicious documents used in both campaigns share a last revision time of: 2016-11-27 22:42:00 (Figure 2).
DRIDEX spam follows recent disclosure
Following a disclosure of specifics related to the zero-day on April 7, 2017, the vulnerability was used in DRIDEX spam campaigns, which continue as of the publication of this blog. We cannot confirm the mechanism through which the actors obtained the exploit. These actors may have leveraged knowledge of the vulnerability gained through the disclosure, or been given access to it when it became clear that patching was imminent.
A spam wave was sent out on April 10, 2017, leveraging a “Scan Data” lure. The attached document leveraged CVE-2017-0199 to install DRIDEX on the victim’s computer.
Outlook and implications
Though only one FINSPY user has been observed leveraging this zero-day exploit, the historic scope of FINSPY, a capability used by several nation states, suggests other customers had access to it. Additionally, this incident exposes the global nature of cyber threats and the value of worldwide perspective – a cyber espionage incident targeting Russians can provide an opportunity to learn about and interdict crime against English speakers elsewhere.
Article by Ben Read and Jonathan Leathery, FireEye Threat Research.