Recently patched Microsoft Word exploit was used by both governments and criminal hackers

Researchers believe that the several attackers obtained the exploit from the same, original source.
Written by Zack Whittaker, Contributor

There's a new twist in the recently patched Microsoft Office zero-day that suggests the bug was being used on a larger scale than first thought.

Now, security researchers at FireEye believe that several attackers obtained the exploit from the same, original source.

To recap, the vulnerability -- found in Windows' Object Linking and Embedding (OLE) function -- is triggered when a victim opens a trick Word document, which downloads a malicious HTML application from a server, disguised to look like a Rich Text document file as a decoy. The HTML application meanwhile downloads and runs a malicious script that can be used to stealthily install malware.

As per our previous coverage, it was known that the vulnerability was being actively exploited by at least three separate attackers.

Several research groups say the bug was being exploited as early as January to remotely install a spy program for carrying out espionage created by FinSpy, associated with Germany and UK-based "lawful intercept" firm Gamma Group, which sells almost exclusively to nation state hackers. And, months later in March, the same vulnerability was used to install Latentbot, a bot-like malware family used by financially motivated criminals.

And, just this week, researchers at Proofpoint saw a large-scale email campaign targeting financial institutions with the Dridex banking malware.

FireEye wouldn't speculate on who was behind the attacks or their motives, but the logic suggests that at least in this case, Gamma Group, known to work for various oppressive governments, is obtaining its exploits from the same source as criminal hackers, said the report.

Booby-trapped documents obtained from both campaigns share the exact same "last revision" time, suggesting they were built in tandem.


(Image: FireEye)

"Though only one FinSpy user has been observed leveraging this zero day exploit, the historic scope of FinSpy, a capability used by several nation states, suggests other customers had access to it," the report said.

"Furthermore, given its probable use by financially motivated actors we anticipate other operations have gone uncovered. Lastly, the incorporation of the zero day exploit in Dridex campaigns, in the eleventh hour, prior to patching demonstrates the dangers of disclosure, however accidental," it read.

Microsoft fixed the patch on Tuesday, but some machines waiting to be updated would still be vulnerable.

VIDEO: Microsoft pulls the plug on Windows Vista

Editorial standards