{
	"id": "2e1fd0b5-ea03-4066-b02e-7029afc24c15",
	"created_at": "2026-04-06T00:13:20.154251Z",
	"updated_at": "2026-04-10T03:21:37.224337Z",
	"deleted_at": null,
	"sha1_hash": "d8d9fd44b4963f99e88f01a15212f26a80bc58f2",
	"title": "FireEye Uncovers CVE-2017-8759: Zero-Day Used in the Wild to Distribute FINSPY | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1015580,
	"plain_text": "FireEye Uncovers CVE-2017-8759: Zero-Day Used in the Wild to\r\nDistribute FINSPY | Mandiant\r\nBy Mandiant\r\nPublished: 2017-09-12 · Archived: 2026-04-02 12:12:35 UTC\r\nWritten by: Genwei Jiang, Ben Read, James T. Bennett\r\nFireEye recently detected a malicious Microsoft Office RTF document that leveraged CVE-2017-8759, a SOAP\r\nWSDL parser code injection vulnerability. This vulnerability allows a malicious actor to inject arbitrary code\r\nduring the parsing of SOAP WSDL definition contents. Mandiant analyzed a Microsoft Word document where\r\nattackers used the arbitrary code injection to download and execute a Visual Basic script that contained\r\nPowerShell commands.\r\nFireEye shared the details of the vulnerability with Microsoft and has been coordinating public disclosure timed\r\nwith the release of a patch to address the vulnerability and security guidance.\r\nFireEye email, endpoint and network products detected the malicious documents.\r\nVulnerability Used to Target Russian Speakers\r\nThe malicious document, “Проект.doc” (MD5: fe5c4d6bb78e170abf5cf3741868ea4c), might have been used to\r\ntarget a Russian speaker. Upon successful exploitation of CVE-2017-8759, the document downloads multiple\r\ncomponents (details follow), and eventually launches a FINSPY payload (MD5:\r\na7b990d5f57b244dd17e9a937a41e7f5).\r\nFINSPY malware, also reported as FinFisher or WingBird, is available for purchase as part of a “lawful intercept”\r\ncapability. Based on this and previous use of FINSPY, we assess with moderate confidence that this malicious\r\ndocument was used by a nation-state to target a Russian-speaking entity for cyber espionage purposes. 
Additional detections by FireEye’s Dynamic Threat Intelligence system indicate that related activity, though potentially for a different client, might have occurred as early as July 2017.\r\nCVE-2017-8759 WSDL Parser Code Injection\r\nA code injection vulnerability exists in the WSDL parser module within the PrintClientProxy method (http://referencesource.microsoft.com/ - System.Runtime.Remoting/metadata/wsdlparser.cs,6111). The IsValidUrl method does not perform correct validation when the data it is given contains a CRLF sequence. This allows an attacker to inject and execute arbitrary code. A portion of the vulnerable code is shown in Figure 1.\r\nhttps://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html\r\nPage 1 of 5\n\nFigure 1: Vulnerable WSDL Parser\r\nWhen multiple address definitions are provided in a SOAP response, the code inserts the “//base.ConfigureProxy(this.GetType(),” string after the first address, commenting out the remaining addresses. However, if a CRLF sequence is present in the additional addresses, the code following the CRLF will not be commented out. Figure 2 shows that, due to the lack of CRLF validation, a System.Diagnostics.Process.Start method call is injected. The generated code is compiled by csc.exe of the .NET Framework and loaded by the Office executables as a DLL.\r\nFigure 2: SOAP definition VS Generated code\r\nThe In-the-Wild Attacks\r\nThe attacks that FireEye observed in the wild leveraged a Rich Text Format (RTF) document, similar to the CVE-2017-0199 documents we previously reported on. The malicious sample contained embedded SOAP monikers to facilitate exploitation (Figure 3).\r\nThe payload retrieves the malicious SOAP WSDL definition from an attacker-controlled server. 
The WSDL parser, implemented in System.Runtime.Remoting.ni.dll of the .NET Framework, parses the content and generates a .cs source file in the working directory. csc.exe of the .NET Framework then compiles the generated source code into a library, namely http[url path].dll. Microsoft Office then loads the library, completing the exploitation stage. Figure 4 shows an example library loaded as a result of exploitation.\r\nUpon successful exploitation, the injected code creates a new process and leverages mshta.exe to retrieve an HTA script named “word.db” from the same server. The HTA script removes the source code, compiled DLL and PDB files from disk and then downloads and executes the FINSPY malware named “left.jpg,” which, in spite of the .jpg extension and “image/jpeg” content-type, is actually an executable. Figure 5 shows the details of the PCAP of this malware transfer.\r\nThe malware is placed at %appdata%\\Microsoft\\Windows\\OfficeUpdte-KB[ 6 random numbers ].exe. Figure 6 shows the process creation chain under Process Monitor.\r\nFigure 6: Process Created Chain\r\nThe Malware\r\nThe “left.jpg” (md5: a7b990d5f57b244dd17e9a937a41e7f5) is a variant of FINSPY. It leverages heavily obfuscated code that employs a built-in virtual machine – among other anti-analysis techniques – to make reversing more difficult. As likely another unique anti-analysis technique, it parses its own full path and searches for the string representation of its own MD5 hash. Many resources, such as analysis tools and sandboxes, rename files/samples to their MD5 hash in order to ensure unique filenames. 
This variant runs with a mutex of \"WininetStartupMutex0\".\r\nConclusion\r\nCVE-2017-8759 is the second zero-day vulnerability used to distribute FINSPY uncovered by FireEye in 2017. These exposures demonstrate the significant resources available to “lawful intercept” companies and their customers. Furthermore, FINSPY has been sold to multiple clients, suggesting the vulnerability was being used against other targets.\r\nIt is possible that CVE-2017-8759 was being used by additional actors. While we have not found evidence of this, the zero-day used to distribute FINSPY in April 2017, CVE-2017-0199, was simultaneously being used by a financially motivated actor. If the actors behind FINSPY obtained this vulnerability from the same source used previously, it is possible that source sold it to additional actors.\r\nAcknowledgement\r\nThank you to Dhanesh Kizhakkinan, Joseph Reyes, FireEye Labs Team, FireEye FLARE Team and FireEye iSIGHT Intelligence for their contributions to this blog. We also thank everyone from the Microsoft Security Response Center (MSRC) who worked with us on this issue.\r\nPosted in\r\nThreat Intelligence\r\nSecurity \u0026 Identity\r\nSource: https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html"
	],
	"report_names": [
		"zero-day-used-to-distribute-finspy.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434400,
	"ts_updated_at": 1775791297,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d8d9fd44b4963f99e88f01a15212f26a80bc58f2.pdf",
		"text": "https://archive.orkl.eu/d8d9fd44b4963f99e88f01a15212f26a80bc58f2.txt",
		"img": "https://archive.orkl.eu/d8d9fd44b4963f99e88f01a15212f26a80bc58f2.jpg"
	}
}