Yesterday, FireEye published a blog post about a new zero-day vulnerability, CVE-2017-8759, in Microsoft's .NET Framework that allows attackers to execute code remotely via a malicious document or application. The only confirmed malicious activity involving this exploit appeared to target a Russian-speaking audience with FinSpy malware.
There appear to be a couple of Microsoft RTF documents leveraging CVE-2017-8759 discussed in open source:
- 0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684 - This is the file mentioned in FireEye's post and so is confirmed malicious. It retrieves files from 91.219.236[.]207.
- c336ff08680491c4e918cfa4abf93c2a7d3faa779468a0e35189e02139709564 - This one looks like an altered version of the one above, as it has the same decoy. It calls out to the domain aemmm0[.]com, which redirects to FireEye's blog post. It's possible this was someone testing a new version of the known malicious file.
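As an added defensive triage example (not code from the original post, from FireEye, or from any of the samples), the script below hashes a document, checks it against the two SHA-256 values listed above, and surfaces the network callouts an RTF file carries. The indicators are the ones from the list above (written defanged there, normalised here so they can be matched). The hex-decoding of `\objdata` groups is the generic way RTF stores embedded OLE objects and is used here only so that a URL hidden inside such an object is visible to the scan; it is not a description of how the CVE-2017-8759 documents themselves are constructed. The sample RTF is constructed for the demonstration and is not a real exploit document.

```python
from __future__ import annotations

import hashlib
import re
import sys
from pathlib import Path

# Indicators from the post above. The IP and domain are defanged in the text
# (91.219.236[.]207, aemmm0[.]com); they are normalised here for matching.
KNOWN_HASHES = {
    "0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684",
    "c336ff08680491c4e918cfa4abf93c2a7d3faa779468a0e35189e02139709564",
}
KNOWN_NETWORK_IOCS = {"91.219.236.207", "aemmm0.com"}

IPV4_RE = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(rb"https?://[^\s\"'<>{}\\]+", re.IGNORECASE)


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def extract_objdata_blobs(rtf: bytes) -> list[bytes]:
    """Hex-decode the payload of every \\objdata control word in an RTF file.

    RTF embeds OLE objects as a run of hex text inside a {\\objdata ...} group,
    so a URL stored there is not visible to a plain string search until decoded.
    """
    blobs: list[bytes] = []
    for m in re.finditer(rb"\\objdata\b", rtf):
        start = m.end()
        # The hex run ends at the group's closing brace or the next control word.
        ends = [i for i in (rtf.find(b"}", start), rtf.find(b"\\", start)) if i != -1]
        end = min(ends) if ends else len(rtf)
        hex_text = re.sub(rb"\s+", b"", rtf[start:end])
        if len(hex_text) % 2:
            hex_text = hex_text[:-1]  # tolerate a truncated trailing nibble
        try:
            blobs.append(bytes.fromhex(hex_text.decode("ascii")))
        except ValueError:
            continue  # not a well-formed hex run; skip rather than abort triage
    return blobs


def find_network_indicators(data: bytes) -> set[str]:
    """Return the hosts (IPv4 addresses and URL hostnames) referenced in data."""
    found: set[str] = set()
    for m in IPV4_RE.finditer(data):
        ip = m.group().decode()
        if all(int(octet) <= 255 for octet in ip.split(".")):
            found.add(ip)
    for m in URL_RE.finditer(data):
        url = m.group().decode("ascii", "ignore")
        host = re.sub(r"^https?://", "", url, flags=re.IGNORECASE)
        host = host.split("/")[0].split(":")[0].lower()
        if host:
            found.add(host)
    return found


def triage_document(data: bytes) -> dict:
    """Hash the document, decode embedded RTF objects and match known IOCs."""
    digest = sha256_bytes(data)
    is_rtf = data.lstrip().startswith(b"{\\rtf")
    blobs = extract_objdata_blobs(data) if is_rtf else []
    indicators = find_network_indicators(data)
    for blob in blobs:
        indicators |= find_network_indicators(blob)
    return {
        "sha256": digest,
        "is_rtf": is_rtf,
        "embedded_objects": len(blobs),
        "network_indicators": sorted(indicators),
        "hash_match": digest in KNOWN_HASHES,
        "ioc_matches": sorted(indicators & KNOWN_NETWORK_IOCS),
    }


def build_sample_rtf(callout_host: str) -> bytes:
    """Constructed sample: a minimal RTF whose single embedded object carries a
    download URL as hex. The file name 'update.hta' is an assumption, chosen only
    because the post describes HTA scripts early in the chain."""
    payload = f"http://{callout_host}/update.hta".encode()
    return (b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata "
            + payload.hex().encode() + b"}}}")


if __name__ == "__main__":
    # Scan files given on the command line, or the constructed sample if none.
    targets = [Path(p).read_bytes() for p in sys.argv[1:]] or [build_sample_rtf("91.219.236.207")]
    for data in targets:
        print(triage_document(data))
```

Run it with one or more suspicious documents as arguments; a `hash_match` of `True` means the file is one of the two known samples, while `ioc_matches` catches a modified document (different hash, same callout), which is the case the second sample above illustrates.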
As we mentioned in a tweet yesterday, FireEye's blog notes similarities between CVE-2017-8759 and CVE-2017-0199, which numerous bad actors have assimilated into their operations since its public disclosure. First, the first known in-the-wild use of each exploit targeted Russian-speaking audiences with FinSpy malware. In addition, the exploit/malware installation chains are similar. While CVE-2017-0199 is a vulnerability in Microsoft Office and CVE-2017-8759 is in the .NET Framework (with Office documents the likely delivery vector), both appear to rely primarily on scripts (specifically, HTA scripts) early in the chain to download the final payloads.
Given these similarities, it is entirely possible that CVE-2017-8759 will proliferate among bad actors. Within a matter of days, maybe a matter of hours, of CVE-2017-0199's public disclosure, multiple criminal and cyber espionage actors started to leverage the exploit in their operations. There's already a GitHub page up incorporating the exploit code into a macro-enabled Word document. Given the nature of this new exploit, it could be incorporated into any kind of Office document and possibly into other delivery vehicles as well.