CVE-2017-0199 Used as Zero Day to Distribute FINSPY Espionage Malware and LATENTBOT Cyber Crime Malware

FireEye recently identified a vulnerability – CVE-2017-0199 – that
allows a malicious actor to download and execute a Visual Basic script
containing PowerShell commands when a user opens a Microsoft Office
RTF document containing an embedded exploit. We worked with Microsoft
and published the technical details of this vulnerability as soon as a
patch was made available.

In this follow-up post, we discuss some of the campaigns we observed
leveraging the CVE-2017-0199 zero-day in the days, weeks and months
leading up to the patch being released.

CVE-2017-0199 Used by Multiple Actors

FireEye assesses with moderate confidence that CVE-2017-0199 was
leveraged by financially motivated and nation-state actors prior to
its disclosure. Actors leveraging FINSPY and LATENTBOT used the
zero-day as early as January and March, and similarities between their
implementations suggest they obtained exploit code from a shared
source. Recent DRIDEX activity began following a disclosure on April
7, 2017.

FINSPY Malware Used to Target Russian-Speaking Victims

As early as Jan. 25, 2017, lure documents referencing a
Russian Ministry of Defense decree and a manual allegedly published in
the "Donetsk People’s Republic" exploited CVE-2017-0199 to
deliver FINSPY payloads. Though we have not identified the targets,
FINSPY is sold by Gamma Group to multiple nation-state clients, and we
assess with moderate confidence that it was being used along with the
zero-day to carry out cyber espionage.

The malicious document, СПУТНИК РАЗВЕДЧИКА.doc (MD5:
c10dabb05a38edd8a9a0ddda1c9af10e), is a weaponized version of a widely
available military training manual (Figure 1). Notably, this version
purports to have been published in the “Donetsk People’s Republic,”
the name given to territory controlled by anti-Kyiv rebels in Eastern Ukraine.

The initial malicious document downloaded further payloads,
including malware and a decoy document, from 95.141.38.110. Directory
indexing was enabled on this server, which allowed recovery of
additional lure content, including prikaz.doc (MD5:
0F2B7068ABFF00D01CA7E64589E5AFD9), which claims to be a Russian
Ministry of Defense decree approving a forest management plan.

Per a 2015 report
from CitizenLab, Gamma Group licenses their software to clients and
each client uses unique infrastructure, making it likely that the two
documents are being used by a single client.

FINSPY malware is sold by Gamma Group, an Anglo-German “lawful
intercept” company. Gamma Group works on behalf of numerous
nation-state clients, limiting insight into the ultimate sponsor of
the activity. The FINSPY malware was heavily obfuscated, preventing
the extraction of command and control (C2) information.

Figure 1: FINSPY Lure Purporting to be Russian
Military Manual

CVE-2017-0199 Used to Distribute LATENTBOT

As early as March 4, 2017, malicious documents exploiting
CVE-2017-0199 were used to deliver the LATENTBOT malware. The malware,
which includes credential theft capability, has thus far only been
observed by FireEye iSIGHT Intelligence in financially motivated threat
activity. Additionally, generic lures used in this most recent campaign
are consistent with methods employed by financially motivated actors.

LATENTBOT is a modular and highly obfuscated type of malware first
discovered by FireEye iSIGHT intelligence in December 2015. It is
capable of a variety of functions, including credential theft, hard
drive and data wiping, disabling security software, and remote desktop
functionality. Recently, we observed LATENTBOT campaigns using
Microsoft Word Intruder (MWI).

The lure documents distributing LATENTBOT malware used generic
social engineering. The documents that were used are shown in Table 1,
and all used 217.12.203.90 as their C2 address.

File Name                  MD5 Hash
hire_form.doc              5ebfd13250dd0408e3de594e419f9e01
!!!!URGENT!!!!READ!!!.doc  1b17ccf5109a9342b59bded31e1ffb18
                           6e9483edacdc2b6f6ed45c526cf4cf7b
PDP.doc                    4a81b6ac8aa0f86719a574d7546d563f
document.doc               65a558e9fe907dc5790e8a592364f64e

Table 1: LATENTBOT Documents

On April 10, the actors altered their infrastructure to deliver
TERDOT payloads instead of LATENTBOT. This TERDOT payload (MD5:
e3b600a59eea9b2ea7a0d4e3c45074da) beacons to
http://185.77.129.103/SBz1efFx/gt45gh.php, then downloads a Tor client
and beacons to sudoofk3wgl2gmxm.onion.

FINSPY and LATENTBOT Samples Share Origin

Shared artifacts in the FINSPY and LATENTBOT samples suggest the
same builder was used to create both, indicating the zero-day exploit
was supplied to both criminal and cyber espionage operations from the
same source.

Malicious documents used in both campaigns share a last revision
time of 2016-11-27 22:42:00 (Figure 2).

Figure 2: Revision Time Artifact Shared Between
FINSPY and LATENTBOT Samples
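The revision-time pivot described above, as an added example that is not FireEye's code: a stdlib-only parser for the SummaryInformation property set stream in which Word stores LastSaveTime, plus a grouping step that clusters samples sharing that value. The stream bytes below are constructed for the example; on real samples they would come from the \x05SummaryInformation stream of the OLE container (extracting that stream, for instance with olefile, is assumed and not shown).

```python
import struct
from datetime import datetime, timedelta, timezone

# SummaryInformation property IDs and the FILETIME value type (MS-OLEPS / MS-OSHARED)
PIDSI_CREATE_DTM, PIDSI_LASTSAVE_DTM, VT_FILETIME = 0x0C, 0x0D, 0x40
FMTID_SUMMARY = bytes.fromhex("e0859ff2f94f6810ab9108002b27b3d9")  # F29F85E0-4FF9-1068-AB91-08002B27B3D9
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def parse_summary_information(data):
    """Return {pid: datetime} for the FILETIME properties of a \\x05SummaryInformation stream."""
    if struct.unpack_from("<H", data, 0)[0] != 0xFFFE or data[28:44] != FMTID_SUMMARY:
        raise ValueError("not a SummaryInformation property set stream")
    start = struct.unpack_from("<I", data, 44)[0]              # Offset0: start of the property set
    nprops = struct.unpack_from("<I", data, start + 4)[0]
    props = {}
    for i in range(nprops):                                     # PropertyIdentifierAndOffset table
        pid, off = struct.unpack_from("<II", data, start + 8 + 8 * i)
        vt = struct.unpack_from("<H", data, start + off)[0]     # TypedPropertyValue: type, pad, value
        if vt == VT_FILETIME:                                   # 100 ns ticks since 1601-01-01 UTC
            ticks = struct.unpack_from("<Q", data, start + off + 4)[0]
            props[pid] = FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
    return props

def build_summary_information(times):
    """Build a minimal one-section stream from {pid: datetime}; used only to construct sample input."""
    base, table, values = 8 + 8 * len(times), b"", b""
    for pid, when in times.items():
        table += struct.pack("<II", pid, base + len(values))   # offsets are relative to the set start
        ticks = (when - FILETIME_EPOCH) // timedelta(microseconds=1) * 10
        values += struct.pack("<HHQ", VT_FILETIME, 0, ticks)
    header = struct.pack("<HHI16sI", 0xFFFE, 0, 0, b"\0" * 16, 1) + FMTID_SUMMARY + struct.pack("<I", 48)
    return header + struct.pack("<II", base + len(values), len(times)) + table + values

def cluster_by_last_saved(streams):
    """Group sample names by LastSaveTime, the artifact compared in Figure 2."""
    clusters = {}
    for name, data in streams.items():
        ts = parse_summary_information(data).get(PIDSI_LASTSAVE_DTM)
        clusters.setdefault(ts, []).append(name)
    return clusters

# Constructed sample streams: only the shared 2016-11-27 22:42:00 revision time comes from the post.
SHARED_REVISION = datetime(2016, 11, 27, 22, 42, tzinfo=timezone.utc)
SAMPLES = {
    "finspy_lure.doc": build_summary_information(
        {PIDSI_CREATE_DTM: datetime(2016, 11, 27, 21, 0, tzinfo=timezone.utc), PIDSI_LASTSAVE_DTM: SHARED_REVISION}),
    "latentbot_lure.doc": build_summary_information(
        {PIDSI_CREATE_DTM: datetime(2017, 3, 1, 8, 30, tzinfo=timezone.utc), PIDSI_LASTSAVE_DTM: SHARED_REVISION}),
    "unrelated.doc": build_summary_information({PIDSI_LASTSAVE_DTM: datetime(2017, 4, 10, 9, 15, tzinfo=timezone.utc)}),
}
```

Running `cluster_by_last_saved(SAMPLES)` places the two lures in one cluster keyed by the shared timestamp and the third document on its own.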

DRIDEX Spam Follows Recent Disclosure

Following a disclosure of specifics related to the zero-day on April
7, 2017, the vulnerability was used in DRIDEX spam campaigns, which
continue as of the publication of this blog. We cannot confirm the
mechanism through which the actors obtained the exploit. These actors
may have leveraged knowledge of the vulnerability gained through the
disclosure, or been given access to it when it became clear that
patching was imminent.

A spam wave was sent out on April 10, 2017, leveraging a “Scan Data”
lure. The attached document leveraged CVE-2017-0199 to install DRIDEX
on the victim’s computer.

Outlook and Implications

Though only one FINSPY user has been observed leveraging this
zero-day exploit, the historic scope of FINSPY, a capability used by
several nation states, suggests other customers had access to it.
Additionally, this incident exposes the global nature of cyber threats
and the value of worldwide perspective – a cyber espionage incident
targeting Russians can provide an opportunity to learn about and
interdict crime against English speakers elsewhere.

*** This is a Security Bloggers Network syndicated blog from Threat Research Blog authored by Threat Research Blog. Read the original post at: http://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199_useda.html