FireEye researchers recently discovered a malicious Microsoft Office RTF document using CVE-2017-8759, a SOAP WSDL parser code injection vulnerability. They reported details of the flaw to Microsoft, which issued a patch earlier this week.
CVE-2017-8759 lets an attacker inject arbitrary code during the parsing of SOAP WSDL definition contents. FireEye analyzed a Word document in which threat actors used the injection to download and execute a Visual Basic script containing PowerShell commands.
When successfully exploited, the vulnerability downloads several components and launches FINSPY surveillance software. The malware, also reported as FinFisher or WingBird, can be bought as part of a "lawful intercept" capability, referring to functions in telecommunications that let law enforcement wiretap individuals. Analysts say "with moderate confidence" the malicious document was used by a nation-state to target a Russian-speaking victim for cyberespionage.
This marks the second zero-day flaw used to distribute FINSPY that FireEye has discovered this year, which the company says demonstrates the many resources available to "lawful intercept" companies and customers. FINSPY has been sold to several clients, suggesting broader use.
Read more details here.
Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.