FireEye identified CVE-2017-0199, a vulnerability that lets an attacker download and execute a Visual Basic script containing PowerShell commands when a user opens a Microsoft Office RTF document carrying an embedded exploit. FireEye worked with Microsoft and published the technical details of the vulnerability as soon as a patch was available.
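As an added triage example (it is not part of FireEye's report or of this post), the following Python script pulls the embedded OLE objects out of an RTF file and flags the shape that CVE-2017-0199 exploit documents take: an `\objdata` blob whose OLE 1.0 header names the OLE2Link class and whose payload carries the URL of the remote script to fetch, usually with `\objupdate` set so the link is refreshed as soon as the document opens. The sample RTF, the class name, the `198.51.100.23` address and the `update.hta` filename are all constructed here for the demonstration; the heuristics are assumptions a practitioner would tune against real samples, not FireEye's detection logic.

```python
import binascii
import json
import re
import struct

# --- Detection -------------------------------------------------------------

# Hex payload of an RTF embedded object, possibly wrapped across lines.
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")
URL_BYTES_RE = re.compile(rb"https?://[\x21-\x7e]{4,}", re.I)
URL_TEXT_RE = re.compile(r"https?://[\x21-\x7e]{4,}", re.I)


def iter_objdata(rtf: bytes):
    """Yield every decoded \\objdata blob found in the RTF bytes."""
    for m in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        if len(hexstr) % 2:          # tolerate a truncated trailing nibble
            hexstr = hexstr[:-1]
        yield bytes.fromhex(hexstr.decode("ascii"))


def parse_ole1(blob: bytes):
    """Minimal OLE 1.0 container parse: returns (class_name, native_data).

    Handles FormatID 2 (embedded object); for other formats the rest of the
    blob is returned as native data so the URL scan still runs.
    """
    try:
        version, fmt, cn_len = struct.unpack_from("<III", blob, 0)
        off = 12
        class_name = blob[off:off + cn_len].rstrip(b"\x00")
        off += cn_len
        if fmt != 2:
            return class_name, blob[off:]
        for _field in ("TopicName", "ItemName"):   # length-prefixed strings
            n, = struct.unpack_from("<I", blob, off)
            off += 4 + n
        native_len, = struct.unpack_from("<I", blob, off)
        off += 4
        return class_name, blob[off:off + native_len]
    except struct.error:
        return None


def find_urls(data: bytes):
    """Collect http(s) URLs stored as ASCII or as UTF-16LE (either alignment)."""
    urls = {m.group(0).decode("ascii", "replace") for m in URL_BYTES_RE.finditer(data)}
    for start in (0, 1):
        text = data[start:].decode("utf-16-le", errors="ignore")
        urls.update(m.group(0) for m in URL_TEXT_RE.finditer(text))
    return sorted(urls)


def triage_rtf(rtf: bytes) -> dict:
    """Report embedded objects and flag an OLE2Link object that carries a remote URL."""
    report = {"objupdate": b"\\objupdate" in rtf, "objects": [], "suspicious": False}
    for blob in iter_objdata(rtf):
        parsed = parse_ole1(blob)
        if parsed is None:
            continue
        class_name, native = parsed
        report["objects"].append({"class": class_name.decode("latin-1"),
                                  "urls": find_urls(native)})
    # Heuristic (assumption): a linked OLE2Link object pointing at a remote
    # resource is the core indicator; \objupdate is reported alongside it.
    report["suspicious"] = any(o["class"].lower() == "ole2link" and o["urls"]
                               for o in report["objects"])
    return report


# --- Constructed sample input (not a real exploit document) ----------------

def build_ole1_object(class_name: bytes, native: bytes) -> bytes:
    """Assemble an OLE 1.0 embedded-object container around native data."""
    cn = class_name + b"\x00"
    return (struct.pack("<III", 0x0501, 2, len(cn)) + cn   # version, embedded, class
            + struct.pack("<II", 0, 0)                      # empty TopicName/ItemName
            + struct.pack("<I", len(native)) + native)

SAMPLE_URL = "http://198.51.100.23/update.hta"   # constructed TEST-NET-2 address
_native = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8   # stand-in payload bytes
           + SAMPLE_URL.encode("utf-16-le") + b"\x00\x00")
_hex = binascii.hexlify(build_ole1_object(b"OLE2Link", _native))
_hex_wrapped = b"\n".join(_hex[i:i + 64] for i in range(0, len(_hex), 64))

SAMPLE_RTF = (b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Calibri;}}\\pard Quarterly report\\par\n"
              b"{\\object\\objautlink\\objupdate\\rsltpict{\\*\\objclass Word.Document.8}\n"
              b"{\\*\\objdata\n" + _hex_wrapped + b"\n}}\\par}")
CLEAN_RTF = b"{\\rtf1\\ansi\\deff0 Quarterly report\\par}"

if __name__ == "__main__":
    print(json.dumps(triage_rtf(SAMPLE_RTF), indent=2))
    print(json.dumps(triage_rtf(CLEAN_RTF), indent=2))
```

Run against a file with `triage_rtf(open(path, "rb").read())`; a document that contains embedded objects but no OLE2Link class and no URL comes back with `suspicious` false, which is the normal case for legitimate RTF attachments with pictures or spreadsheets embedded.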
This follow-up post discusses some of the campaigns observed leveraging the CVE-2017-0199 zero-day in the days, weeks and months before the patch was released. FireEye assesses with moderate confidence that CVE-2017-0199 was leveraged by financially motivated and nation-state actors prior to its disclosure. Actors deploying FINSPY and LATENTBOT used the zero-day as early as January and March 2017 respectively, and similarities between their implementations suggest they obtained the exploit code from a shared source. DRIDEX activity using the exploit began after the disclosure on April 7, 2017.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.