A critical Microsoft Word zero-day that was actively exploited for months connected two strange bedfellows, including government-sponsored hackers spying on Russian targets and financially motivated crooks pushing crimeware.
That assessment, made Wednesday with “moderate confidence” from researchers at security firm FireEye, is all the more intriguing because the payload delivered to the Russian targets was developed by Gamma Group, the controversial UK-based seller of so-called “lawful intercept” spyware to governments around the world. The company suffered a major setback in 2014 when a hack of its servers exposed more than 40 gigabytes of highly proprietary data showing that its software was used to spy on computers in the United States, Germany, Russia, Iran, and Bahrain. Gamma Group has continued to operate since then, as evidenced by Wednesday’s report showing that its software, known as Finspy, was installed as early as January using what until Tuesday was the zero-day vulnerability in Word.
Adding even more intrigue, the Word exploit used to install Finspy on Russian computers shares some of the same digital fingerprints as an exploit used in March to install crimeware. Known as Latenbot, the malware boasted a variety of capabilities, including credential theft, hard drive and data wiping, security software disabling, and remote desktop functions. The shared artifacts found by FireEye—which are documented in the image at the top of this post—strongly suggest the exploits used by both government spies and criminal hackers originated with the same source. That finding draws a connection between state-sponsored hacking and financially motivated online crime.
One of the booby-trapped Word documents used to infect Russian-speaking targets with Finspy was sent on January 25. It’s a weaponized version of a widely available military manual purportedly published by the Donetsk People’s Republic, a self-proclaimed state in Ukraine that backs Russia and has been deemed a terrorist organization by the Ukrainian government. The exploit downloaded malicious payloads and a decoy document from a server located at the IP address 18.104.22.168. FireEye researchers have yet to identify the targets.
The documents used to install Latenbot also used social engineering to entice a target into opening them. The four files were sent on March 4 and were named hire_form.doc, !!!!URGENT!!!!READ!!!.doc, PDP.doc, and document.doc. All of them used the same command-and-control server located at 22.214.171.124. On Monday, the people behind the attack altered their campaign to deliver a different malware package known as Terdot. It sent a beacon to 126.96.36.199 and then installed software that uses the Tor anonymity service to conceal the identity of the servers it contacted.
Around the same time attackers started exploiting the Word vulnerability to install bank-fraud malware known as Dridex. The campaign continued through Wednesday, one day after Microsoft patched the Word vulnerability. FireEye researchers still aren’t sure what the source was for the exploit that delivered the Dridex payloads. It’s possible, the researchers said, that a vulnerability disclosure provided insight that allowed the attackers to figure out how to exploit the bug, or it’s possible someone with access to the exploit gave it away when it became clear a patch was only a few days away.
It still remains unclear who developed the shared exploit and what connection the person or group had to Gamma Group. Still, the strange bedfellows underscore the often overlooked interconnectedness of software exploits.
“Though only one Finspy user has been observed leveraging this zero-day exploit, the historic scope of Finspy, a capability used by several nation states, suggests other customers had access to it,” FireEye researchers concluded. “Additionally, this incident exposes the global nature of cyber threats and the value of worldwide perspective—a cyber espionage incident targeting Russians can provide an opportunity to learn about and interdict crime against English speakers elsewhere.”