**September 12, 2017 | by Genwei Jiang, Ben Read, James T. Bennett | Threat Research** **[FireEye recently detected a malicious Microsoft Office RTF document that leveraged CVE-2017-8759, a](https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8759)** **[SOAP WSDL parser code injection vulnerability. This vulnerability allows a malicious actor to inject arbitrary](https://msdn.microsoft.com/en-us/library/ms996486.aspx)** **code during the parsing of SOAP WSDL definition contents. FireEye analyzed a Microsoft Word document** **where attackers used the arbitrary code injection to download and execute a Visual Basic script that** **contained PowerShell commands.** **FireEye shared the details of the vulnerability with Microsoft and has been coordinating public disclosure** **[timed with the release of a patch to address the vulnerability and security guidance, which can be found here.](https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-8759)** **FireEye email, endpoint and network products detected the malicious documents.** **The malicious document, “Проект.doc” (MD5: fe5c4d6bb78e170abf5cf3741868ea4c), might have been used** **to target a Russian speaker. Upon successful exploitation of CVE-2017-8759, the document downloads** **multiple components (details follow), and eventually launches a FINSPY payload (MD5:** **a7b990d5f57b244dd17e9a937a41e7f5).** **FINSPY malware, also reported as FinFisher or** **[WingBird, is available for purchase as part of a “lawful](http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf)** **[intercept” capability. Based on this and previous use of FINSPY, we assess with moderate confidence that](https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199_useda.html)** **this malicious document was used by a nation-state to target a Russian-speaking entity for cyber espionage** **purposes. Additional detections by FireEye’s Dynamic Threat Intelligence system indicates that related** **activity, though potentially for a different client, might have occurred as early as July 2017.** **A code injection vulnerability exists in the WSDL parser module within the PrintClientProxy method** **[(http://referencesource.microsoft.com/ - System.Runtime.Remoting/metadata/wsdlparser.cs,6111). The](http://referencesource.microsoft.com/#System.Runtime.Remoting/metadata/wsdlparser.cs,6111)** **IsValidUrl does not perform correct validation if provided data that contains a CRLF sequence. This allows an** **attacker to inject and execute arbitrary code. A portion of the vulnerable code is shown in Figure 1.** ----- **Figure 1: Vulnerable WSDL Parser** **When multiple address definitions are provided in a SOAP response, the code inserts the** **“//base.ConfigureProxy(this.GetType(),” string after the first address, commenting out the remaining** **addresses. However, if a CRLF sequence is in the additional addresses, the code following the CRLF will not** **be commented out. Figure 2 shows that due to lack validation of CRLF, a System.Diagnostics.Process.Start** **method call is injected. The generated code will be compiled by csc.exe of .NET framework, and loaded by** **the Office executables as a DLL.** **Figure 2: SOAP definition VS Generated code** **The attacks that FireEye observed in the wild leveraged a Rich Text Format (RTF) document, similar to the** **[CVE-2017-0199 documents we previously reported on. The malicious sampled contained an embedded](https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html)** **SOAP monikers to facilitate exploitation (Figure 3).** ----- **Figure 3: SOAP Moniker** **The payload retrieves the malicious SOAP WSDL definition from an attacker-controlled server. The WSDL** **parser, implemented in System.Runtime.Remoting.ni.dll of .NET framework, parses the content and** **generates a .cs source code at the working directory. The csc.exe of .NET framework then compiles the** **generated source code into a library, namely http[url path].dll. Microsoft Office then loads the library,** **completing the exploitation stage. Figure 4 shows an example library loaded as a result of exploitation.** **Figure 4: DLL loaded** **Upon successful exploitation, the injected code creates a new process and leverages mshta.exe to retrieve a** **HTA script named “word.db” from the same server. The HTA script removes the source code, compiled DLL** **and the PDB files from disk and then downloads and executes the FINSPY malware named “left.jpg,” which in** **spite of the .jpg extension and “image/jpeg” content-type, is actually an executable. Figure 5 shows the details** **of the PCAP of this malware transfer.** **Figure 5: Live requests** **The malware will be placed at %appdata%\Microsoft\Windows\OfficeUpdte-KB[ 6 random numbers ].exe.** **Figure 6 shows the process create chain under Process Monitor.** ----- **Figure 6: Process Created Chain** **The “left.jpg” (md5: a7b990d5f57b244dd17e9a937a41e7f5) is a variant of FINSPY. It leverages heavily** **obfuscated code that employs a built-in virtual machine – among other anti-analysis techniques – to make** **reversing more difficult. As likely another unique anti-analysis technique, it parses its own full path and** **searches for the string representation of its own MD5 hash. Many resources, such as analysis tools and** **sandboxes, rename files/samples to their MD5 hash in order to ensure unique filenames. This variant runs** **with a mutex of "WininetStartupMutex0".** **CVE-2017-8759 is the second zero-day vulnerability used to distribute FINSPY uncovered by FireEye in** **2017. These exposures demonstrate the significant resources available to “lawful intercept” companies and** **their customers. Furthermore, FINSPY has been sold to multiple clients, suggesting the vulnerability was** **being used against other targets.** **It is possible that CVE-2017-8759 was being used by additional actors. While we have not found evidence of** **this, the zero day being used to distribute FINSPY in April 2017, CVE-2017-0199 was simultaneously being** **used by a financially motivated actor. If the actors behind FINSPY obtained this vulnerability from the same** **source used previously, it is possible that source sold it to additional actors.** **Thank you to Dhanesh Kizhakkinan, Joseph Reyes, FireEye Labs Team, FireEye FLARE Team and FireEye** **iSIGHT Intelligence for their contributions to this blog. We also thank everyone from the Microsoft Security** **Response Center (MSRC) who worked with us on this issue.** **This entry was posted on Tue Sep 12 13:00:00 EDT 2017 and filed under 0-day, Ben Read, Blog, Genwei** **Jiang, James T. Bennett, Latest Blog Posts, Threat Research, and Zero-day Vulnerability.** **Get information and insight on today's advanced threats from the leader in advanced** ----- # Last Name Email Address Company Name **Executive Perspective Blog** **Threat Research Blog** **Products and Services Blog** **Subscribe** **Contact Us** **+1 888-227-2721** **Company** **About FireEye** **Customer Stories** **Careers** **Partners** **[Investor Relations](http://investors.fireeye.com/)** **Supplier Documents** **News & Events** **Newsroom** **Press Releases** **Webinars** **Events** **Blogs** **[Communication Preferences](https://www2.fireeye.com/manage-your-preferences.html)** **Technical Support** **Incident?** **R** **t S** **it I** ----- **[Customer Portal](https://csportal.fireeye.com/secur/login_portal.jsp?orgId=00D3000000063LS&portalId=06030000000pSNE)** **[Communities](https://community.fireeye.com/welcome)** **[Documentation Portal](https://docs.fireeye.com)** **Cyber Threat Map** **Copyright © 2017 FireEye, Inc. All rights reserved.** **Privacy & Cookies Policy | Privacy Shield | Legal Documentation** -----