.NET Zero-Day Flaw Exploited to Deliver FinFisher Spyware

One of the vulnerabilities patched by Microsoft with this month’s security updates is a zero-day flaw exploited by threat actors to deliver FinFisher malware to Russian-speaking individuals.

The vulnerability, reported to Microsoft by researchers at FireEye, is tracked as CVE-2017-8759 and it affects the .NET framework, specifically a SOAP WSDL (Web Services Description Language) parser. An attacker can exploit the security hole for remote code execution by getting the targeted user to open a specially crafted document or application.

In the attacks observed by FireEye, a threat actor exploited the vulnerability via malicious documents that download several components before deploying the final payload – a variant of FinFisher.

FinFisher, also known as FINSPY and WingBird, is a lawful interception tool whose developer claims is only sold to governments. However, researchers discovered on numerous occasions that the spyware has been used by countries that have a bad reputation when it comes to human rights and civil liberties.

In the recent attacks seen by FireEye, a threat actor delivered the spyware via a document named “Проект.doc” (“project” in Russian). The security firm stated, with moderate confidence, that a state-sponsored group launched the attack in an effort to spy on Russian-speaking users.

“[This variant of FinFisher] leverages heavily obfuscated code that employs a built-in virtual machine – among other anti-analysis techniques – to make reversing more difficult,” FireEye researchers said in a blog post. “As likely another unique anti-analysis technique, it parses its own full path and searches for the string representation of its own MD5 hash. Many resources, such as analysis tools and sandboxes, rename files/samples to their MD5 hash in order to ensure unique filenames.”

Microsoft has linked the attack to a group it tracks as NEODYMIUM, which last year used a Flash Player zero-day vulnerability to deliver FinFisher.

While Microsoft’s advisory for CVE-2017-8759 contains little information, FireEye’s blog post includes many technical details.

Earlier this year, Kaspersky noticed the FinFisher malware being delivered via a Microsoft Office zero-day (CVE-2017-0199) by a Middle Eastern threat actor named “BlackOasis.” FireEye also spotted attacks exploiting CVE-2017-0199 to deliver FinFisher earlier this year, and the security firm believes CVE-2017-8759 may have also been used by other groups, although currently there is no evidence to support this theory.

Related: Microsoft Patches Windows Zero-Day Exploited by Russian Hackers

Related: Microsoft Patches Zero-Days Exploited by Russia-Linked Hackers