FireEye recently detected a malicious Microsoft Office RTF document
that leveraged CVE-2017-8759,
a SOAP WSDL
parser code injection vulnerability. This vulnerability allows a
malicious actor to inject arbitrary code during the parsing of SOAP
WSDL definition contents. FireEye analyzed a Microsoft Word document
where attackers used the arbitrary code injection to download and
execute a Visual Basic script that contained PowerShell commands.
FireEye shared the details of the vulnerability with Microsoft and
has been coordinating public disclosure timed with the release of a
patch to address the vulnerability and security guidance, which can be
FireEye email, endpoint and network products detected the malicious documents.
Vulnerability Used to Target Russian Speakers
The malicious document, “Проект.doc” (MD5:
fe5c4d6bb78e170abf5cf3741868ea4c), might have been used to target a
Russian speaker. Upon successful exploitation of CVE-2017-8759, the
document downloads multiple components (details follow), and
eventually launches a FINSPY payload (MD5: a7b990d5f57b244dd17e9a937a41e7f5).
FINSPY malware, also reported as FinFisher or WingBird,
is available for purchase as part of a “lawful intercept” capability.
Based on this and previous use of FINSPY,
we assess with moderate confidence that this malicious document was
used by a nation-state to target a Russian-speaking entity for cyber
espionage purposes. Additional detections by FireEye’s Dynamic Threat
Intelligence system indicate that related activity, though
potentially for a different client, might have occurred as early as
CVE-2017-8759 WSDL Parser Code Injection
A code injection vulnerability exists in the WSDL parser module
within the PrintClientProxy method
(http://referencesource.microsoft.com/#System.Runtime.Remoting/metadata/wsdlparser.cs,6111).
The IsValidUrl method does not perform correct validation if provided
data that contains a CRLF sequence. This allows an attacker to inject
and execute arbitrary code. A portion of the vulnerable code is shown in
Figure 1.
Figure 1: Vulnerable WSDL Parser
When multiple address definitions are provided in a SOAP
response, the code inserts the “//base.ConfigureProxy(this.GetType(),”
string after the first address, commenting out the remaining
addresses. However, if a CRLF sequence is in the additional addresses,
the code following the CRLF will not be commented out. Figure 2 shows
that, due to the lack of CRLF validation, a
System.Diagnostics.Process.Start method call is injected. The
generated code will be compiled by csc.exe of .NET framework, and
loaded by the Office executables as a DLL.
Figure 2: SOAP definition VS Generated code
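The comment-escape described above can be reproduced with a simplified model of the generator. This is an added example, not code from the .NET reference source or from FireEye; the emitted line format beyond the quoted "//base.ConfigureProxy(this.GetType()," string, the function names and the sample addresses are assumptions. The hardened check goes beyond CRLF and rejects every character that ends a C# "//" comment.

```python
import re

# Characters that end a C# "//" comment: CRLF, CR, LF, NEL, LS, PS.
LINE_TERMINATORS = re.compile(r"\r\n|[\r\n\u0085\u2028\u2029]")
CALL = "base.ConfigureProxy(this.GetType(),"  # string quoted in the write-up


def check_single_line(value):
    """Hardened validation: refuse any address containing a line terminator."""
    if LINE_TERMINATORS.search(value):
        raise ValueError("line terminator in address: %r" % value)
    return value


def emit_proxy_calls(addresses, validate=False):
    """Simplified model of the generator (assumed line format): the first
    address stays live, every later one is emitted behind a '//' prefix."""
    out = []
    for index, address in enumerate(addresses):
        if validate:
            check_single_line(address)
        prefix = "" if index == 0 else "//"
        out.append('%s%s @"%s");' % (prefix, CALL, address))
    return "\n".join(out)


def live_lines(source):
    """Return the lines a compiler would treat as code rather than comment."""
    lines = LINE_TERMINATORS.split(source)
    return [ln for ln in lines if ln.strip() and not ln.lstrip().startswith("//")]


# Constructed sample: the second address carries a CRLF and placeholder text.
SAMPLE = ["http://example.invalid/svc",
          "http://example.invalid/alt\r\nPLACEHOLDER_STATEMENT"]

if __name__ == "__main__":
    for line in live_lines(emit_proxy_calls(SAMPLE)):
        print("live:", line)
    try:
        emit_proxy_calls(SAMPLE, validate=True)
    except ValueError as err:
        print("rejected:", err)
```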
The In-the-Wild Attacks
The attacks that FireEye observed in the wild leveraged a Rich Text
Format (RTF) document, similar to the CVE-2017-0199
documents we previously reported on. The malicious sample contained
embedded SOAP monikers to facilitate exploitation (Figure 3).
Figure 3: SOAP Moniker
The payload retrieves the malicious SOAP WSDL definition from an
attacker-controlled server. The WSDL parser, implemented in
System.Runtime.Remoting.ni.dll of .NET framework, parses the content
and generates .cs source code in the working directory. The csc.exe
of .NET framework then compiles the generated source code into a
library, namely http[url path].dll. Microsoft Office then loads the
library, completing the exploitation stage. Figure 4 shows an example
library loaded as a result of exploitation.
Figure 4: DLL loaded
Upon successful exploitation, the injected code creates a new
process and leverages mshta.exe to retrieve an HTA script named
“word.db” from the same server. The HTA script removes the source
code, compiled DLL and the PDB files from disk and then downloads and
executes the FINSPY malware named “left.jpg,” which in spite of the
.jpg extension and “image/jpeg” content-type, is actually an
executable. Figure 5 shows the details of the PCAP of this malware transfer.
Figure 5: Live requests
The malware will be placed at
%appdata%\Microsoft\Windows\OfficeUpdte-KB[ 6 random numbers ].exe.
Figure 6 shows the process create chain under Process Monitor.
Figure 6: Process Created Chain
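The host behaviour described in this section (csc.exe and mshta.exe running under an Office process, then an executable at the OfficeUpdte-KB path) can be turned into a triage rule over process-creation telemetry. This is an added example, not FireEye detection content; the event field names, the rule names, the set of Office binaries and the sample events are assumptions, and it assumes both child processes are recorded with the Office application as parent.

```python
import re

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}   # assumed parent set
CHILDREN = {"csc.exe", "mshta.exe"}                      # named in the post
# %appdata%\Microsoft\Windows\OfficeUpdte-KB<6 digits>.exe, as given in the post
DROP_RE = re.compile(
    r"\\appdata\\roaming\\microsoft\\windows\\officeupdte-kb\d{6}\.exe$", re.I)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return (rule, image) pairs for events matching the described chain."""
    hits = []
    for ev in events:
        parent, child = basename(ev["parent_image"]), basename(ev["image"])
        if parent in OFFICE and child in CHILDREN:
            hits.append(("office_spawns_" + child[:-4], ev["image"]))
        if DROP_RE.search(ev["image"]):
            hits.append(("officeupdte_drop_path", ev["image"]))
    return hits


# Constructed process-creation events; field names are hypothetical.
EVENTS = [
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE"},
    {"parent_image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"},
    {"parent_image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\mshta.exe"},
    {"parent_image": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Users\u1\AppData\Roaming\Microsoft\Windows\OfficeUpdte-KB482913.exe"},
    {"parent_image": r"C:\Program Files\IDE\devenv.exe",   # ordinary build, no hit
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"},
]

if __name__ == "__main__":
    for rule, image in triage(EVENTS):
        print(rule, image)
```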
The “left.jpg” (MD5: a7b990d5f57b244dd17e9a937a41e7f5) is a variant
of FINSPY. It leverages heavily obfuscated code that employs a
built-in virtual machine – among other anti-analysis techniques – to
make reversing more difficult. As likely another unique anti-analysis
technique, it parses its own full path and searches for the string
representation of its own MD5 hash. Many resources, such as analysis
tools and sandboxes, rename files/samples to their MD5 hash in order
to ensure unique filenames. This variant runs with a mutex of "WininetStartupMutex0".
CVE-2017-8759 is the second zero-day vulnerability used to
distribute FINSPY uncovered by FireEye in 2017. These exposures
demonstrate the significant resources available to “lawful intercept”
companies and their customers. Furthermore, FINSPY has been sold to
multiple clients, suggesting the vulnerability was being used against
It is possible that CVE-2017-8759 was being used by additional
actors. While we have not found evidence of this, the zero day
used to distribute FINSPY in April 2017, CVE-2017-0199, was
simultaneously being used by a financially motivated actor. If the
actors behind FINSPY obtained this vulnerability from the same source
used previously, it is possible that source sold it to additional actors.
Thank you to Dhanesh Kizhakkinan, Joseph Reyes, FireEye Labs Team,
FireEye FLARE Team and FireEye
iSIGHT Intelligence for their contributions to this blog. We
also thank everyone from the Microsoft Security Response Center (MSRC)
who worked with us on this issue.