Virtual Event Today: Supply Chain Security Summit - Join Event In-Progress

Security Experts:

Connect with us

Hi, what are you looking for?



.NET Zero-Day Flaw Exploited to Deliver FinFisher Spyware

One of the vulnerabilities patched by Microsoft with this month’s security updates is a zero-day flaw exploited by threat actors to deliver FinFisher malware to Russian-speaking individuals.

One of the vulnerabilities patched by Microsoft with this month’s security updates is a zero-day flaw exploited by threat actors to deliver FinFisher malware to Russian-speaking individuals.

The vulnerability, reported to Microsoft by researchers at FireEye, is tracked as CVE-2017-8759 and it affects the .NET framework, specifically a SOAP WSDL (Web Services Description Language) parser. An attacker can exploit the security hole for remote code execution by getting the targeted user to open a specially crafted document or application.

In the attacks observed by FireEye, a threat actor exploited the vulnerability via malicious documents that download several components before deploying the final payload – a variant of FinFisher.

FinFisher, also known as FINSPY and WingBird, is a lawful interception tool whose developer claims is only sold to governments. However, researchers discovered on numerous occasions that the spyware has been used by countries that have a bad reputation when it comes to human rights and civil liberties.

In the recent attacks seen by FireEye, a threat actor delivered the spyware via a document named “Проект.doc” (“project” in Russian). The security firm stated, with moderate confidence, that a state-sponsored group launched the attack in an effort to spy on Russian-speaking users.

“[This variant of FinFisher] leverages heavily obfuscated code that employs a built-in virtual machine – among other anti-analysis techniques – to make reversing more difficult,” FireEye researchers said in a blog post. “As likely another unique anti-analysis technique, it parses its own full path and searches for the string representation of its own MD5 hash. Many resources, such as analysis tools and sandboxes, rename files/samples to their MD5 hash in order to ensure unique filenames.”

Microsoft has linked the attack to a group it tracks as NEODYMIUM, which last year used a Flash Player zero-day vulnerability to deliver FinFisher.

While Microsoft’s advisory for CVE-2017-8759 contains little information, FireEye’s blog post includes many technical details.

Earlier this year, Kaspersky noticed the FinFisher malware being delivered via a Microsoft Office zero-day (CVE-2017-0199) by a Middle Eastern threat actor named “BlackOasis.” FireEye also spotted attacks exploiting CVE-2017-0199 to deliver FinFisher earlier this year, and the security firm believes CVE-2017-8759 may have also been used by other groups, although currently there is no evidence to support this theory.

Related: Microsoft Patches Windows Zero-Day Exploited by Russian Hackers

Related: Microsoft Patches Zero-Days Exploited by Russia-Linked Hackers

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.