FireEye identified CVE-2017-0199, a vulnerability that allows a malicious actor to download and execute a Visual Basic script containing PowerShell commands when a user opens a Microsoft Office RTF document carrying an embedded exploit. FireEye worked with Microsoft on the issue and published the technical details of the vulnerability once a patch was available.
This follow-up post discusses some of the campaigns observed leveraging the CVE-2017-0199 zero-day in the days, weeks and months before the patch was released. FireEye assesses with moderate confidence that CVE-2017-0199 was leveraged by both financially motivated and nation-state actors prior to its disclosure. Actors leveraging FINSPY and LATENTBOT used the zero-day as early as January and March 2017 respectively, and similarities between their implementations suggest they obtained the exploit code from a shared source. Recent DRIDEX activity began after the public disclosure on April 7, 2017.