A zero-day vulnerability exploited through Microsoft Office documents was used by suspected nation-state hackers to spread the FinSpy spyware. The lure is a Rich Text Format (RTF) document that, when opened, triggers the flaw and drops the malicious code.
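Because the lure in this campaign is an RTF document that carries malicious content, the first triage step on any suspicious RTF is to pull out its embedded OLE objects and see what they claim to be and how they are told to behave. The Python script below is an added example written for this page, not code from FireEye, Gamma Group or the article. The sample RTF it parses is constructed here and is not the document the article describes, and the conditions it flags (the \objupdate and \objautlink controls that make Word refresh an object on open, an OLE1 class name of Package, and a mismatch between the RTF \objclass and the class name inside the OLE1 header) are triage heuristics chosen for the example, not a signature for this particular exploit.

```python
"""Triage helper: list embedded OLE objects in an RTF file and flag the ones a
malicious document typically relies on. Added example for this page; the
heuristics are the example author's choices, not a signature for any CVE."""
import re
import struct
import sys
from dataclasses import dataclass, field

# Constructed sample (not the document from the article): one embedded object
# whose RTF class claims to be a Word document, whose OLE1 header says it is an
# OLE "Package", and which Word is told to refresh as soon as the file opens.
SAMPLE_RTF = (
    r"{\rtf1\ansi\deff0{\fonttbl{\f0\fnil Calibri;}}"
    r"\pard Quarterly figures attached.\par"
    r"{\object\objautlink\objupdate\objw3000\objh1500"
    r"{\*\objclass Word.Document.8}"
    r"{\*\objdata 01050000 02000000 08000000 5061636b61676500"
    r" 00000000 00000000 04000000 deadbeef}"
    r"{\result{\pict\wmetafile8 0100090000}}"
    r"}\par}"
)
BENIGN_RTF = r"{\rtf1\ansi\deff0{\fonttbl{\f0\fnil Calibri;}}\pard Hello\par}"

OBJECT_RE = re.compile(r"\{\\object\b")
OBJCLASS_RE = re.compile(r"\{\\\*\\objclass\s*([^}]*)\}")
OBJDATA_RE = re.compile(r"\{\\\*\\objdata\s*([^}]*)\}")
RISKY_CLASSES = {"package"}  # an OLE Package object wraps an arbitrary file


@dataclass
class EmbeddedObject:
    obj_class: str            # value of \objclass, as the RTF states it
    data: bytes               # decoded \objdata payload (OLE1 object stream)
    flags: list = field(default_factory=list)


def _group_at(rtf: str, start: int) -> str:
    r"""Return the brace-balanced RTF group beginning at rtf[start] == '{'.
    A backslash escapes the next character, so \{ and \} do not nest."""
    depth, i = 0, start
    while i < len(rtf):
        c = rtf[i]
        if c == "\\":
            i += 2
            continue
        if c == "{":
            depth += 1
        elif c == "}":
            depth -= 1
            if depth == 0:
                return rtf[start:i + 1]
        i += 1
    raise ValueError("unbalanced RTF group")


def extract_objects(rtf: str) -> list:
    r"""Find every {\object ...} group and decode its class and payload."""
    objs = []
    for m in OBJECT_RE.finditer(rtf):
        group = _group_at(rtf, m.start())
        cls = OBJCLASS_RE.search(group)
        dat = OBJDATA_RE.search(group)
        flags = [w for w in ("objupdate", "objautlink") if "\\" + w in group]
        raw = b""
        if dat:
            hex_text = re.sub(r"\s+", "", dat.group(1))
            try:
                raw = bytes.fromhex(hex_text[: len(hex_text) // 2 * 2])
            except ValueError:
                flags.append("bad-hex")
        objs.append(EmbeddedObject(cls.group(1).strip() if cls else "", raw, flags))
    return objs


def ole1_class_name(data: bytes) -> str:
    """Best-effort class name from an OLE1 ObjectHeader:
    OLEVersion, FormatID (1 = linked, 2 = embedded), ClassName length, ClassName."""
    if len(data) < 12:
        return ""
    _version, fmt_id, n = struct.unpack_from("<III", data, 0)
    if fmt_id not in (1, 2) or n == 0 or 12 + n > len(data):
        return ""
    return data[12:12 + n].rstrip(b"\0").decode("ascii", "replace")


def triage(rtf: str) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for i, obj in enumerate(extract_objects(rtf)):
        inner = ole1_class_name(obj.data)
        if "objupdate" in obj.flags:
            findings.append(f"object {i}: \\objupdate set, refreshed on open")
        if "objautlink" in obj.flags:
            findings.append(f"object {i}: \\objautlink set, auto-updating link")
        if inner.lower() in RISKY_CLASSES:
            findings.append(f"object {i}: OLE1 class {inner!r} wraps an arbitrary file")
        if inner and obj.obj_class and inner.lower() != obj.obj_class.lower():
            findings.append(f"object {i}: \\objclass {obj.obj_class!r} != OLE1 class {inner!r}")
        if not obj.data or "bad-hex" in obj.flags:
            findings.append(f"object {i}: missing or undecodable \\objdata")
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else SAMPLE_RTF
    for line in triage(text) or ["no embedded objects flagged"]:
        print(line)
```

Run it with a path to an .rtf file, or with no argument to see the constructed sample flagged. The brace-balancing scanner matters more than it looks: a regex that stops at the first `}` misses objects whose payload sits behind nested groups, which is exactly where a crafted document would put it, so the decoded \objdata bytes, not the RTF control words, are what the class-name check trusts.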
According to researchers at FireEye, who first discovered the vulnerability, unknown attackers, most likely state-backed, exploited the bug as early as July. FinSpy has previously been linked to Gamma Group, a Germany-based firm that sells surveillance tools marketed for "lawful intercept".
The firm is also believed to have sold its spyware to governments and law enforcement agencies around the world.
FireEye researchers said that the attacks exploiting the Office zero-day targeted Russian-speaking users. It is still unclear how many users were targeted and whether they had any connection to the Russian government.
"We can confirm that this malware is associated with Gamma Group and is sold to nation state customers for 'lawful intercept' purposes," FireEye told IBTimes UK.
Microsoft has already patched the vulnerability, along with 81 other flaws, as part of its monthly security update. "An attacker who successfully exploited this vulnerability in the software using the .NET framework could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," Microsoft said.
"FinSpy malware, also reported as FinFisher or WingBird, is available for purchase as part of a 'lawful intercept' capability. Based on this and previous use of FinSpy, we assess with moderate confidence that this malicious document was used by a nation state to target a Russian-speaking entity for cyberespionage purposes," FireEye researchers Genwei Jiang, Ben Read and Tom Bennett said in a blog post.
The researchers also noted that FinSpy has been sold to "multiple clients", so the spyware could equally have been deployed by other threat actors. FireEye added that the FinSpy variant seen in these attacks "uses heavily obscured code and a built-in virtual machine to conceal its inner workings."
The researchers also said the zero-day itself may have reached "additional actors." In other words, whoever supplied the exploit to the FinSpy operators may have sold it to other groups as well, so the same vulnerability may have been used against targets beyond this campaign.
"The zero-day being used to distribute FinSpy in April 2017, CVE-2017-0199, was simultaneously being used by a financially-motivated actor. If the actors behind FinSpy obtained this vulnerability from the same source used previously, it is possible that source sold it to additional actors," the researchers said.