The detected samples are organized as Word files containing Dridex botnet ID 7500 (more specially, RTF files with тАЬ.docтАЭ extension name). The exploit works on all Microsoft Office versions, including the latest Office 2016 running on Windows 10. The earliest attack dates to late January, according to McAfee.
According to FireEye, the malware leveraging this vulnerability was used to target Russian-speaking victims. As early as Jan. 25, 2017, lure documents referencing a Russian Ministry of Defense decree and a manual allegedly published in the "Donetsk People's Republic" exploited CVE-2017-0199 to deliver FINSPY payloads.
This vulnerability was also used by Patya.A ransomware in malware outbreak on 27 June, 2017 as one of the attack vectors.
Vulnerable component: Microsoft Office
CVSSv3 score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C
CWE-ID: CWE-20 - Improper Input Validation
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation. A remote unauthenticated attacker can create a specially crafted Office document, trick the victim into opening it with Microsoft Office or WordPad and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of this vulnerability may result in compromise vulnerable system.
Note: the vulnerability is being actively exploited.
Known APT campaigns:
APT against Central Tibetan Administration (CTA)
CopyKittens targeting Northern Cyprus
In April 2017 CopyKittens has been spreading malicious emails containing a zero-day vulnerability CVE-2017-0199 through a compromised account that belonged to one of the Ministry of Northern Cyprus employee.
BlackTech group is a cyber espionage group mainly targeting companies in East Asia, particularly Taiwan, and occasionally, Japan and Hong Kong.
The threat group is linked to PLEAD in 2012, Shrouded Crossbow in 2010, and Waterbear cyber operations. To perform attacks BlackTech used a novel right-to-left override (RTLO) technique.
- Microsoft Word - .RTF Remote Code Execution [Exploit-DB]
- Microsoft Office Word - Malicious Hta Execution (Metasploit) [Exploit-DB]
- Microsoft Excel - OLE Arbitrary Code Execution [Exploit-DB]