To recap, the vulnerability -- found in Windows' Object Linking and Embedding (OLE) feature -- is triggered when a victim opens a booby-trapped Word document, which downloads a malicious HTML application from a server; the file is disguised as a Rich Text document to serve as a decoy. The HTML application in turn downloads and runs a malicious script that can be used to stealthily install malware.
As per our previous coverage, it was known that the vulnerability was being actively exploited by at least three separate attackers.
Several research groups say the bug was being exploited as early as January to remotely install FinSpy, espionage spyware associated with the Germany- and UK-based "lawful intercept" firm Gamma Group, which sells almost exclusively to nation-state hackers. Months later, in March, the same vulnerability was used to install Latentbot, a bot-like malware family used by financially motivated criminals.
FireEye wouldn't speculate on who was behind the attacks or their motives, but the report said the evidence suggests that, at least in this case, Gamma Group, known to work for various oppressive governments, is obtaining its exploits from the same source as criminal hackers.
Booby-trapped documents obtained from both campaigns share the same "last revision" time, suggesting they were built in tandem.
"Though only one FinSpy user has been observed leveraging this zero-day exploit, the historic scope of FinSpy, a capability used by several nation states, suggests other customers had access to it," the report said.
"Furthermore, given its probable use by financially motivated actors, we anticipate other operations have gone uncovered. Lastly, the incorporation of the zero-day exploit in Dridex campaigns in the eleventh hour, prior to patching, demonstrates the dangers of disclosure, however accidental," it read.
Microsoft released a patch on Tuesday, but machines that have not yet been updated remain vulnerable.