An unknown group of government hackers used the recently discovered vulnerability in Microsoft Word to target Russian victims with booby-trapped documents.
The hackers leveraged a military manual written in Russian, a document referencing the Russian Ministry of Defense, as well as a document that promised to reveal the "top 7 hot hacker chicks" to lure victims into opening the .doc attachments. If the targets fell for it, they'd get hacked thanks to the Microsoft Word zero-day and infected with FinSpy, spyware made by the infamous surveillance technology firm FinFisher.
Security researchers working at FireEye, as well as Claudio Guarnieri, a malware hunter and senior technologist at Amnesty International, spotted these operations in the wild. The hackers, whoever they were, left a series of booby-trapped documents on a server with an Italian IP address.
The company that was hosting the files online, called SeFlow, declined to provide any information on the server for privacy reasons.
FireEye found that multiple actors, some working for a government and others apparently cybercriminals, are leveraging the same exploit, indicating that the groups perhaps got the exploit from the same source.
"It's very possible that wherever this zero-day came from it could have been sold to both nation-state end users and criminals," John Hultquist, an analyst at FireEye, told Motherboard in a phone call.
Guarnieri said that "it's hard to say" who was behind these operations or who was targeted, but it looks like someone is "selling the exploit both on the black market and to FinFisher or to some of its customers."
The researcher said that in the last few months he has found several different samples of FinFisher, dating back to the end of 2015 and the beginning of 2016. One of them was used in Turkmenistan, one in Hungary, and some in Russia.
The ones used in Russia were exploiting the Microsoft Word zero-day and were hosted on an Italian server, Guarnieri told me. Some of the malware samples used in Russia, such as this one, can be found on the online malware repository VirusTotal. According to the site, that particular sample was first uploaded from Russia on January 25, 2017.
The FinFisher samples that were using the Word zero-day were connecting to a command and control server with a Romanian IP address associated with a German company, according to Morgan Marquis-Boire, a security researcher who helped Guarnieri analyze the samples.
FinFisher is one of many companies that sell hacking and spying technologies to governments around the world, alongside Hacking Team, Wolf Intelligence, and Aglaya. The company got hacked in 2014 by Phineas Fisher. But despite the embarrassing and damaging hack, the company bounced back and was apparently operating in 32 countries as of the end of 2015.
At the same time as government hackers leveraged the zero-day for espionage, criminals were using it to spread malware known as LATENTBOT, which can steal credentials or wipe the hard drive of the victim, according to FireEye, which published a blog post detailing its findings on Wednesday.
The criminal hackers also used documents to lure targets, but they were less sophisticated than their government counterparts, at least judging by their filenames, such as "!!!!URGENT!!!!READ!!!.doc."
So, according to FireEye, this powerful zero-day exploit was being used by both spies and criminals.
"We're dealing with an ecosystem here, it's not just a cyberespionage problem or just a cybercrime problem," Hultquist said. "A lot of these actors and capabilities move between these worlds."
Microsoft patched the vulnerability on Tuesday, but clearly, hackers had been exploiting it for months.
This post has been updated to add more details about the Russian FinFisher malware samples.