The espionage campaigns that delivered Finspy and Latentbot used the same 0day vulnerability in Word, and the malicious documents carry the same last-modified date and time.

A few days ago, information about a new 0day vulnerability in Word (affecting all versions on all supported operating systems) was published in the public domain, even before a patch was released. It was reported that the vulnerability allows arbitrary code to be executed silently on the victim's computer and malware to be installed via an RTF document. The mechanism of the malware was described only briefly.
The sophisticated nature of the attack and the use of a 0day in such a popular product hinted that the vulnerability was being used deliberately against important targets, and that the attack itself was carried out by hackers close to intelligence services and government agencies. And so it turned out.
Recall that the first attacks using this 0day took place in January of this year. If Office Protected View is disabled in Microsoft Word, the exploit starts automatically when the document is opened. The winword.exe process then makes an HTTP request to a remote server, from which it downloads an HTA file (HTML Application) disguised as an RTF document. The HTA file is launched automatically and executes a malicious script.

This script closes the original infected Word file and instead shows the user a decoy text document. The original winword.exe process is terminated in order to hide from the user the window that OLE2Link displays.

At the same time, the script downloads additional malicious code from a remote server and installs it on the computer. By using the .hta variant, the exploit authors effectively bypass all the memory-protection measures implemented by Microsoft, as well as antivirus protection and most other defensive measures.
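The behaviour described above gives defenders a concrete pattern to look for: a Word process making an HTTP request and receiving HTA content that is served under a document name. The script below is an added example, not code from the article or from FireEye's analysis. It assumes a hypothetical telemetry format (timestamp, process name, URL, response content type, first bytes of the body); the log lines, hostnames and paths are constructed for the example and are not indicators from the campaigns described.

```python
"""Flag Office processes that fetch HTA content over HTTP.

Added example (not from the original article). The log format is
hypothetical and the sample lines below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed sample telemetry in a hypothetical format:
#   <timestamp> <process> <url> <content-type> <first bytes of response body>
# Hosts and paths are placeholders, not indicators from the article.
SAMPLE_LOG = [
    "2017-01-25T10:02:11Z winword.exe http://template.example/report.doc application/rtf {\\rtf1\\ansi\\deff0",
    "2017-01-25T10:05:43Z WINWORD.EXE http://cdn.example/letter.rtf application/hta <html><head><script>",
    "2017-01-25T10:06:02Z winword.exe http://cdn.example/update text/plain <script language=VBScript>",
    "2017-01-25T10:07:15Z chrome.exe http://news.example/index.html text/html <html><body>",
    "2017-01-25T10:08:30Z winword.exe http://files.example/memo.rtf application/octet-stream MZ",
    "2017-01-25T10:09:01Z excel.exe http://share.example/q1.xlsx application/vnd.ms-excel PK",
]

OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}
DOCUMENT_TYPES = {"application/rtf", "text/rtf", "application/msword"}
DOCUMENT_EXTENSIONS = (".rtf", ".doc", ".docx")
RTF_MAGIC = "{\\rtf"          # every RTF file starts with this header
HTA_MARKERS = re.compile(r"<(html|script|hta:application)\b", re.IGNORECASE)


@dataclass
class Event:
    timestamp: str
    process: str
    url: str
    content_type: str
    body: str


def parse_event(line: str) -> Optional[Event]:
    """Split one log line; the body is the remainder and may contain spaces."""
    parts = line.split(maxsplit=4)
    if len(parts) < 4:
        return None
    ts, process, url, ctype = parts[:4]
    body = parts[4] if len(parts) == 5 else ""
    return Event(ts, process.lower(), url, ctype.lower(), body)


def named_as_document(event: Event) -> bool:
    """True if the server presents the response as an RTF/Word document."""
    path = event.url.split("?", 1)[0].lower()
    return event.content_type in DOCUMENT_TYPES or path.endswith(DOCUMENT_EXTENSIONS)


def looks_like_hta(event: Event) -> bool:
    """Content type says HTA, or the body opens with HTML/script markup."""
    return event.content_type == "application/hta" or bool(HTA_MARKERS.search(event.body))


def assess(event: Event) -> Optional[str]:
    """Return a reason string if the fetch matches the pattern, else None."""
    if event.process not in OFFICE_PROCESSES:
        return None
    if looks_like_hta(event):
        return "hta-disguised-as-document" if named_as_document(event) else "hta-fetched-by-office"
    # A URL ending in .rtf whose bytes are not RTF is also worth a look.
    path = event.url.split("?", 1)[0].lower()
    if path.endswith(".rtf") and event.body and not event.body.startswith(RTF_MAGIC):
        return "rtf-name-non-rtf-content"
    return None


def find_suspicious(lines: Iterable[str]) -> List[Tuple[str, str, str, str]]:
    """Run assess() over every parsable line and collect the hits."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        reason = assess(event)
        if reason:
            hits.append((event.timestamp, event.process, event.url, reason))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(*hit)
```

The heuristics are deliberately narrow: an Office process fetching anything that looks like an HTA, or a resource named .rtf whose first bytes are not the RTF header, is rare enough in normal use that each hit deserves a look. Detection of this kind is a supplement, not a substitute, for installing the patch and keeping Protected View enabled, which the article notes stops the exploit from starting in the first place.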
In short, the main points. First, the vulnerability has already been assigned an identifier: CVE-2017-0199. Second, Microsoft has finally released patches for MS Office 2007, 2010 and 2013 and for Windows Vista, 7, Server 2008 and Server 2012.
Now FireEye experts have published a more detailed technical analysis in two parts (part 1, part 2), so some of the details are beginning to become clear. FireEye published information about two documents that the attackers used.
FireEye has information that CVE-2017-0199 was used for state espionage. This 0day was used in attacks delivering the old, well-known malware Finspy and Latentbot in January and March 2017, and the latest Dridex attack began after the vulnerability was disclosed on April 7. The similarity between the implementations of these three attacks indicates that their organizers obtained the code from a single source, FireEye writes.
The first of the three attacks was the one delivering Finspy, first discovered on January 25, 2017. During the attack a Russian-language document was circulated, allegedly authored by the Ministry of Defense of the Russian Federation and published in the Donetsk People's Republic. The document is titled "Scout Satellite".

When the document SPUTNIK SPETNIK.doc (MD5: c10dabb05a38edd8a9a0ddda1c9af10e) was opened, the exploit ran and downloaded the payload, including the Finspy trojan, from the IP address 95.141.38.110. The trojan had universal functionality: searching for documents on disk, listening in on Skype conversations, and so on. Along with the trojan, a decoy document was downloaded and shown to the victim instead of the original.
FireEye was unable to determine the target of the attack, but the company stresses that the Finspy tool was sold by Gamma Group to customers in various countries. At almost the same time, the 0day vulnerability was used to spread the Latentbot malware. The organizers of both attacks probably received the code from the same source, as indicated by the identical last-modified date and time of the malicious documents used in both campaigns: 2016-11-27 22:42:00 (see the screenshot at the beginning of the article).
After information about the 0day became public, someone started a spam campaign distributing infected documents in large quantities. In this case the Dridex malware is installed on the infected computers. The spam campaign continues to this day, so do not be surprised if you receive an email with an attachment in RTF or DOC format (inside there will still be an RTF document).