Recently we reported about a critical code execution vulnerability in Microsoft Word that was being exploited in the wild by cyber criminal groups to distribute malware such as the Dridex banking trojan and Latentbot.
Now, it turns out that the same previously undisclosed vulnerability in Word (CVE-2017-0199) was also actively being exploited by government-sponsored hackers to spy on Russian targets since at least January of this year.
The news comes after security firm FireEye, which independently discovered this flaw last month, published a blog post revealing that FinSpy spyware was installed as early as January using the same vulnerability in Word that was patched on Tuesday by Microsoft.
For those unaware, the vulnerability (CVE-2017-0199) is a code execution flaw in Word that could allow an attacker to take over a fully patched and up-to-date computer when the victim opens a Word document containing a booby-trapped OLE2link object. That object downloads a malicious HTML application (HTA) from a server, disguised as a document in Microsoft's RTF (Rich Text Format).
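As an added defender-side illustration (not code from the article or from FireEye), the following Python heuristic flags RTF files that embed an OLE2Link object marked for automatic update and pulls any URL out of the object's hex-encoded data. The sample document, the regexes and the `scan_rtf` helper are my own constructions; the sample is inert and only mimics the structure described above.

```python
import re

# Constructed, inert sample: the object data is a UTF-16LE URL string padded
# with a few filler bytes, not a real OLE structure.
_PAYLOAD = (b"\x00\x00\x00\x00"
            + "http://example.invalid/update.rtf".encode("utf-16-le")
            + b"\x00\x00")
SAMPLE_RTF = (r"{\rtf1\ansi{\object\objautlink\objupdate{\*\objclass OLE2Link}"
              r"{\*\objdata " + _PAYLOAD.hex() + "}}}")
SAMPLE_BENIGN = r"{\rtf1\ansi Quarterly report, no embedded objects.}"

CLASS_RE = re.compile(r"\\\*\\objclass\s+(?P<cls>[^}]*)}", re.I)
DATA_RE = re.compile(r"\\\*\\objdata\s+(?P<hex>[0-9a-f\s]*)}", re.I)
# \objupdate tells Word to refresh the object when the document is opened.
UPDATE_RE = re.compile(r"\\objupdate\b", re.I)
URL_RE = re.compile(rb"https?://[\x21-\x7e]{4,}")


def scan_rtf(text: str) -> dict:
    """Return heuristic indicators for an RTF document given as a string."""
    classes = [m.group("cls").strip().lower() for m in CLASS_RE.finditer(text)]
    findings = {
        "ole2link": any("ole2link" in c for c in classes),
        "autoupdate": bool(UPDATE_RE.search(text)),
        "urls": [],
    }
    for m in DATA_RE.finditer(text):
        raw = re.sub(r"\s+", "", m.group("hex"))
        if len(raw) % 2:
            raw = raw[:-1]          # tolerate a dangling nibble
        try:
            blob = bytes.fromhex(raw)
        except ValueError:
            continue
        # Dropping NULs lets a UTF-16LE URL match the ASCII pattern as well.
        for url in URL_RE.findall(blob.replace(b"\x00", b"")):
            findings["urls"].append(url.decode("ascii"))
    # An OLE2Link that auto-updates or carries a remote URL is worth triage.
    findings["suspicious"] = findings["ole2link"] and (
        findings["autoupdate"] or bool(findings["urls"]))
    return findings


if __name__ == "__main__":
    print(scan_rtf(SAMPLE_RTF))
    print(scan_rtf(SAMPLE_BENIGN))
```

A hit is a triage signal, not proof of exploitation: legitimate documents can embed linked objects, so review the extracted URL before acting.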
FinSpy or FinFisher is associated with the controversial UK-based firm Gamma Group, which sells so-called "lawful intercept" spyware to governments around the world.
> "Though only one Finspy user has been observed leveraging this zero-day exploit, the historical scope of Finspy, a capability used by several nation-states, suggests other customers had access to it," FireEye researchers said.
> "Additionally, this incident exposes the global nature of cyber threats and the value of worldwide perspective—a cyber espionage incident targeting Russians can provide an opportunity to learn about and interdict crime against English speakers elsewhere."
Months later, in March, the same then-zero-day vulnerability was used to install Latentbot, a bot-like, information-stealing and remote-access malware package used by financially motivated criminals.
Latentbot has several malicious capabilities including credential theft, remote desktop functions, hard drive and data wiping, and the ability to disable antivirus software.
> FireEye said criminals used social engineering to trick victims into opening the attachments with generic subject lines like "hire_form.doc", "!!!!URGENT!!!!READ!!!.doc", "PDP.doc", and "document.doc".
However, on Monday, the criminals behind the attack modified their campaign to deliver a different malware package called Terdot, which then installed software that uses the TOR anonymity service to hide the identity of the servers it contacted.
According to FireEye researchers, the MS Word exploit used to install Finspy on Russian computers by government spies and the one used in March to install Latentbot by criminal hackers were obtained from the same source.
This finding highlights that whoever initially discovered this zero-day vulnerability sold it to many actors, including commercial companies that deal in buying and selling zero-day exploits as well as financially motivated online criminals.
On Monday evening, Proofpoint researchers also discovered a massive spam email campaign targeting millions of users across financial institutions in Australia with the Dridex banking malware, again by exploiting the same vulnerability in Word.
FireEye researchers are still not sure of the source of the exploit that delivered the Dridex banking trojan, but it is possible that the vulnerability disclosure by McAfee last week provided insight that helped the Dridex operators use the flaw, or that someone with access to the Word exploit gave it to them.
Microsoft patched the MS Word vulnerability on Tuesday, after hackers as well as government spies had been exploiting it for months. Users are therefore strongly advised to install the updates as soon as possible to protect themselves against the ongoing attacks.