New Microsoft Word zero-day used to spread ‘lawful intercept’ malware, analysts say
A well-funded spy group appears to have acquired a highly sophisticated zero-day vulnerability and used it to deploy a remote access trojan against a Russian-speaking “entity,” according to evidence discovered by U.S. cybersecurity firm FireEye.
Researchers with FireEye found the disruptive software vulnerability, which affects recent versions of Microsoft Word, in July. The trojan, known as FinSpy, is made by infamous surveillance technology firm FinFisher, a blog post by FireEye states.
The Microsoft Word flaw remained unpatched until Tuesday afternoon, when Microsoft issued its monthly security update. This vulnerability, labeled CVE-2017-8759, was used as recently as late August to hack into systems, FireEye analyst Ben Read told CyberScoop.
Analysts originally uncovered CVE-2017-8759 while examining a highly targeted phishing email that was written in Russian. The email contained an attachment that when opened exploited a software flaw in the word processor to remotely download FinSpy from a computer server controlled by the attacker. In this case, the valuable vulnerability was being leveraged to infect computers with a piece of FinFisher software that would remain hidden while collecting information, including activity logs, emails, login credentials and other communications.
“We assess with moderate confidence that this malicious document was used by a nation-state to target a Russian-speaking entity for cyber espionage purposes,” the FireEye blog post says.
The simultaneously use of FinFisher’s remote access trojan with the previously undisclosed Microsoft Word vulnerability suggests that the controversial German technology firm, otherwise known as Gamma Group or Lench IT Solutions, may be behind both products, according to Read.
“This shows that business is going well for FinFisher, as it’s clear that people are buying these expensive zero-days and obviously using them,” Read told CyberScoop.
The is no evidence to suggest that this variant of FinSpy reviewed by FireEye had been sold or shared by any other party aside from FinFisher prior to the discovery of CVE-2017-8759. Read said he could assess “with high confidence” that the remote access trojan his team discovered was developed by FinFisher.
The use of FinSpy in tandem with new zero-days, like the CVE-2017-8759 vulnerability, represents FinFisher ability to continuously discover significant software vulnerabilities for its clients. In the past, those clients have included governments, law enforcement and intelligence agencies.
The findings published Tuesday represent the second time in recent months that FireEye has discovered a hacker using a rare zero-day vulnerability to deploy FinFisher malware. In the first incident, the attack also used a phishing email written in Russian. The April activity was believed to be financially motivated. It’s unclear whether these two cases are in any way related or if they were independently launched for differing reasons, Read said.