The dark reality of cyberspace: the case of CVE-2017-0199


Threat actors do not exist in a cyber vacuum. Hackers, organised criminal gangs, and nation states all operate within the same cyberspace and have access to the same systems and vulnerabilities. Whilst the tactics, techniques and procedures (TTPs) vary between different threat actor categories (in  terms of method, capability and sophistication), the infection vectors they target remain the same.

The recent case of CVE-2017-0199 is a good illustration of how the same 0-day exploits can attract a breadth of engagement from both cyber criminals and nations state actors, and the implications this has around legitimacy and control over known vulnerabilities.

In 2017, FireEye identified a previously undisclosed 0-day vulnerability in Microsoft Word that allows a malicious actor to download and execute a Visual Basic script containing PowerShell commands when a user opens a Microsoft Office Rich Text Format (.RTF) document containing an embedded exploit.

Possible Attack Scenario

The possible stages of an attack leveraging the Microsoft 0-day are as follows:

  • The threat actor emails a ‘.doc’ document to the victim with an embedded OLE2 (Object Linking and Embedding) embedded link object.
  • When the user opens the document, ‘winword.exe’ issues an HTTP request to a remote server to retrieve a malicious HTML Application file.
  • The file returned by the C2 server is a fake RTF file with an embedded malicious script.
  • exe looks up the file handler for application/hta through a COM object, which causes ‘mshta.exe’ to execute and load the malicious script.
  • The malicious scripts then terminate the ‘winword.exe’ process, download additional payloads, and load decoy documents.

FINSPY Cyber Espionage Malware

In January 2017, a FINSPY module was discovered exploiting the Microsoft 0-day. FINSPY is the name of a cyber espionage tool developed and sold by the Gamma Group, an Anglo-German company which is known to sell spyware to nation state actors across the world. The company allegedly suffered a breach in 2014 when one of its servers was hacked and more than 40 GB of proprietary data was exposed, the contents of which indicated that their software has been used by US, Germany, Russia, Iran, and Bahrain.

This particular FINSPY campaign targeted Russian-speaking users with weaponised Word documents referencing a Russian Ministry of Defense decree. The malicious documents would eventually install FINSPY on the victims’ computers.

LATENTBOT Cyber Crime Malware

Two months after the FinSpy campaign, the same Microsoft 0-day has been used to deliver the LATENTBOT malware – a sophisticated backdoor used by financially motivated cyber criminals. LATENTBOT is a modular and highly obfuscated type of malware first discovered in December 2015. Its capabilities included credential theft, hard drive and data wiping, the disabling of security software, and remote desktop functionality. More recently, the malware has also been seen using Microsoft Word Intruder (MWI).

The threat actors distributing LATENTBOT used generic social engineering techniques to lure the victims.

DRIDEX spam campaigns

Following the disclosure of the 0-day in January, the Microsoft vulnerability has also been used in DRIDEX spam campaigns. DRIDEX, also known as Bugat, Feodo and Cridex, is a banking trojan with credential-stealing capabilities which infects systems that enable malicious Office macros. DRIDEX is owned and operated by the Business Club, a Russian organised criminal group.

In this spam campaign, the attackers used a ‘Scan Data’ lure, which leveraged CVE-2017-0199 to install the banking trojan on the victims’ computers.

It is not known how the threat actors obtained the exploit.


What this case illustrates is that nation states and organised criminal groups may use the same ‘suppliers’ when it comes to exploits. This is the dark reality of cyberspace that no one is comfortable talking about. These ‘suppliers’ may be legitimate software companies, cyber security vendors, or underground forums where information is being leaked and traded by unauthorised means.

Stockpiling on exploits and vulnerabilities by governments is another issue with potentially devastating consequences. The recent examples of WannaCry and NotPetya exploiting NSA’s EternalBlue illustrate the widespread damage caused when exploits in the hands of nation state actors leak into the public domain.

The NSA, like any other nation state actor, works to develop 0-day exploits that some software developers tacitly approve of, whilst in other instances are completely unaware of. When these exploits, however, fall into the hands of cyber criminals who repurpose them to advance their own goals and objectives, then there is a problem. Imagine an equivalent scenario where a conventional US military weapon falls into the hands of terrorists, for instance. It’s clear that the potential consequences are almost certain to be devastating for the civilian population.

The difference between the two examples is that different rules apply in the physical world. Perhaps, it is time to revisit the Geneva Convention. The above cases necessitate a comprehensive response – perhaps the creation of a Digital Geneva Convention requiring governments to report exploits to vendors rather than stockpiling or selling , could be a step in the right direction.

Find out more about our cyber intelligence services

Subscribe to receive free updates

If you'd like to be kept updated on our blog, why not subscribe?

We will never give away, trade or sell your email address. You can unsubscribe at any time.