Government hackers were using a previously-unknown vulnerability in Microsoft's .NET Framework, a development platform for building apps, to hack targets and infect them with spyware, according to security firm FireEye.
The firm revealed the espionage campaign on Tuesday, on the same day Microsoft patched the vulnerability. According to FireEye, the bug, which until today was a zero-day, was being used by a customer of FinFisher, a company that sells surveillance and hacking technologies to governments around the world.
The hackers sent a malicious Word RTF document called "Проект.doc" to a "Russian speaker," according to Ben Read, FireEye's manager of cyber espionage research. Read said FireEye doesn't know who the hackers are, other than the fact that they are presumably FinFisher customers.
The document was programmed to take advantage of the recently-patched vulnerability to install FinSpy, spyware designed by FinFisher. The spyware masqueraded as an image file called "left.jpg," according to FireEye.
This is the second time in the last six months that security researchers catch an ongoing espionage operation that uses FinFisher malware and exploits. In April, FireEye and independent security researcher Claudio Guarnieri found that unknown government hackers were using a Microsoft Word zero-day to install FinFisher spyware on Russian victims.
"[This] shows that the company behind FinSpy has significant financial resources," Read told Motherboard in a phone call. "These types of vulnerabilities aren't cheap to obtain, whether you're buying them on the underground market or developing them in house. It shows that basically they got some cash to play with and that they have a healthy customer base willing to pay them to use the vulnerabilities."
FinFisher did not immediately respond to a request for comment.
Got a tip? You can contact this reporter securely on Signal at +1 917 257 1382, OTR chat at firstname.lastname@example.org, or email email@example.com
Get six of our favorite Motherboard stories every day by signing up for our newsletter.