CVE-2017-0199 Zero Day exploit used to deliver FINSPY spyware

Pierluigi Paganini April 13, 2017

Security researchers at FireEye discovered that the Microsoft Word CVE-2017-0199 exploit was linked to cyberspying in Ukraine conflict.

The zero-day vulnerability in Microsoft Office that was recently fixed by Microsoft was used to deliver a surveillance malware to Russian-speaking targets.

Security experts from firm FireEye spotted the targeted attacks leveraging specifically crafted Microsoft Word documents that pretend to be a Russian military training manual.


When the victim opened the document, the attacks starts and a the surveillance malware FinSpy is delivered, the malware is developed by a subsidiary of Gamma Group. Officially the software would be offered for sale only to Government agencies and law enforcement bodies, but privacy advocate speculate the spyware of also sold to authoritarian regime.

“FireEye assesses with moderate confidence that CVE-2017-0199 was leveraged by financially motivated and nation-state actors prior to its disclosure.” reads the analysis published by FireEye. “Actors leveraging FINSPY and LATENTBOT used the zero-day as early as January and March, and similarities between their implementations suggest they obtained exploit code from a shared source. Recent DRIDEX activity began following a disclosure on April 7, 2017.”

The experts are still investigating who is the final target of the attacks, however, the decoy document appears to have been published in the Donetsk People’s Republic, a breakaway region in Ukraine that’s received Russian support.

“As early as Jan. 25, 2017, lure documents referencing a Russian Ministry of Defense decree and a manual allegedly published in the “Donetsk People’s Republic” exploited CVE-2017-0199 to deliver FINSPY payloads. Though we have not identified the targets, FINSPY is sold by Gamma Group to multiple nation-state clients, and we assess with moderate confidence that it was being used along with the zero-day to carry out cyber espionage.” continues FireEye.

“The malicious document, СПУТНИК РАЗВЕДЧИКА.doc (MD5: c10dabb05a38edd8a9a0ddda1c9af10e), is a weaponized version of a widely available military training manual (Figure 1). Notably, this version purports to have been published in the “Donetsk People’s Republic,” the name given to territory controlled by anti-Kyiv rebels in Eastern Ukraine.”

The weaponized Russian training manual can download additional payloads along with another fake document claiming to be a Russian decree approving a forest management plan.

FireEye experts suspect a non-state actor may have hacked targets operating like government operators using the FinSpy software.

It is also possible that the zero-day exploit circulated in the cyber criminal underground, in March, a separate attack triggering the same flaw was spotted by the experts.

“As early as March 4, 2017, malicious documents exploiting CVE-2017-0199 were used to deliver the LATENTBOT malware. The malware, which includes credential theft capability, has thus far only been observed by FireEye iSIGHT Intelligence in financially motivated threat activity. Additionally, generic lures used in this most recent campaign are consistent with methods employed by financially motivated actors.” adds FireEye.

Likely different hacking groups may have obtained the zero-day knowledge from the same source.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs –  Windows zero-day attacks, CVE-2017-0199)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment