Published in News

FireEye spot spooks' Microsoft Office hack

13 September 2017

Pass the SOAP

FireEye found a malicious Microsoft Office RTF document which has all the hallmarks of being made by the CIA to hack Microsoft Office docs.

The hack used CVE-2017-8759, a SOAP WSDL parser code injection vulnerability. This vulnerability allows a malicious actor to inject arbitrary code during the parsing of SOAP WSDL definition contents. FireEye analyzed a Microsoft Word document where attackers used the arbitrary code injection to download and execute a Visual Basic script that contained PowerShell commands.

FireEye passed the details on to Vole, which fixed it, and the pair coordinated public disclosure timed with the release of a patch to address the vulnerability and security guidance.

The vulnerability targeted Russian speakers or those who needed to write to Russians to request help in winning a particularly tricky election.

Upon successful exploitation of CVE-2017-8759, the document downloads multiple components (details follow), and eventually launches a FINSPY payload.

But FINSPY malware, also reported as FinFisher or WingBird, is available for purchase as part of a “lawful intercept” capability, in other words by US spooks.

“Based on this and previous use of FINSPY, we assess with moderate confidence that this malicious document was used by a nation-state to target a Russian-speaking entity for cyber espionage purposes. Additional detections by FireEye’s Dynamic Threat Intelligence system indicates that related activity, though potentially for a different client, might have occurred as early as July 2017”, FireEye wrote.

The attacks that FireEye observed in the wild leveraged a Rich Text Format (RTF) document, similar to the CVE-2017-0199 documents it previously reported on. The malicious sample contained an embedded SOAP moniker to facilitate exploitation.

Upon successful exploitation, the injected code creates a new process and uses mshta.exe to retrieve an HTA script named “word.db” from the same server.

The HTA script removes the source code, compiled DLL and the PDB files from disk and then downloads and executes the FINSPY malware named “left.jpg,” which in spite of the .jpg extension and “image/jpeg” content-type, is actually an executable. Figure 5 shows the details of the PCAP of this malware transfer.
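Two of the details above are cheap to turn into defensive checks: a payload served as “image/jpeg” whose bytes begin with the Windows executable header, and an Office process spawning mshta.exe. The script below is an added illustration, not FireEye's code or anything from the sample; the HTTP responses and process-creation events it inspects are constructed in-line, and the lists of Office parents and script-host children are this example's own assumptions.

```python
"""Two defender-side checks for the delivery chain described in the article:
1. does a download's declared content type disagree with its magic bytes?
2. did an Office application launch a script host such as mshta.exe?
Added example; all sample data below is constructed, not captured."""

# Well-known file signatures (leading bytes), not tied to any file name.
PE_MAGIC = b"MZ"            # Windows executable (DOS/PE header)
JPEG_MAGIC = b"\xff\xd8\xff"
RTF_MAGIC = b"{\\rtf"

# Assumed lists for the process check; extend to taste.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"}


def sniff_type(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring extension and MIME type."""
    if data.startswith(PE_MAGIC):
        return "pe-executable"
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if data.startswith(RTF_MAGIC):
        return "rtf"
    return "unknown"


def content_type_mismatch(declared: str, data: bytes) -> bool:
    """True when a response declared as an image actually carries an executable.
    This is the 'left.jpg' pattern: image/jpeg content type, 'MZ' bytes inside."""
    mime = declared.split(";")[0].strip().lower()   # drop charset/params
    return mime.startswith("image/") and sniff_type(data) == "pe-executable"


def basename(image_path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return image_path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def office_spawns_script_host(parent_image: str, child_image: str) -> bool:
    """True when an Office binary is the direct parent of a script host."""
    return basename(parent_image) in OFFICE_PARENTS and basename(child_image) in SCRIPT_HOSTS


# Constructed sample data: (name, declared content type, first bytes of body).
SAMPLE_RESPONSES = [
    ("left.jpg", "image/jpeg", b"MZ\x90\x00" + b"\x00" * 60),          # executable in disguise
    ("banner.jpg", "image/jpeg; charset=binary", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
    ("word.db", "text/html", b"<html><script>"),                       # HTA, not flagged here
]

# Constructed process-creation events: (parent image, child image).
SAMPLE_PROCESS_EVENTS = [
    (r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE", r"C:\Windows\System32\mshta.exe"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe"),
]


def flagged_downloads(responses) -> list:
    """Names of responses whose declared type hides an executable."""
    return [name for name, ctype, body in responses if content_type_mismatch(ctype, body)]


def flagged_process_events(events) -> list:
    """(parent, child) base-name pairs where Office launched a script host."""
    return [(basename(p), basename(c)) for p, c in events if office_spawns_script_host(p, c)]


if __name__ == "__main__":
    print("content-type mismatches:", flagged_downloads(SAMPLE_RESPONSES))
    print("office -> script host:", flagged_process_events(SAMPLE_PROCESS_EVENTS))
```

The magic-byte check deliberately ignores the file name, since the extension was exactly what the attacker controlled; pairing it with a proxy or sandbox feed of (content type, first bytes) is enough to catch this masquerade without any knowledge of the specific sample.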

It is possible that CVE-2017-8759 was being used by additional actors. FireEye said that while it had not found evidence of this, when the zero day CVE-2017-0199 was being used to distribute FINSPY in April 2017, it was simultaneously being used by a financially motivated actor. If the actors behind FINSPY obtained this vulnerability from the same source used previously, it is possible that source sold it to additional actors.

Last modified on 13 September 2017