FireEye described the original flaw and has since informed Microsoft. The company says it issued a fix as part of April's Patch Tuesday yesterday. However, it seems some attackers exploited Microsoft Word before the company found the security gap.

FireEye says that in one attack, a Russian military training manual was weaponized. The document contained malicious content in the form of FinSpy, surveillance software used by governments. FinSpy was created by a Gamma Group subsidiary, a company that builds surveillance monitoring equipment. Over thirty governments are believed to use the software.

In its report, FireEye says it is not sure who or what the document was targeting. However, it was published in the Donetsk People's Republic, a Russian-backed region of Ukraine. “The initial malicious document downloaded further payloads, including malware and a decoy document from 95.141.38.110. This site was open indexed to allow recovery of additional lure content, including prikaz.doc (MD5: 0F2B7068ABFF00D01CA7E64589E5AFD9), which claims to be a Russian Ministry of Defense decree approving a forest management plan.”

Microsoft Word Flaw

The exploit is triggered when an infected Word document is opened. Because the installed malware is stealthy, it is almost impossible for a regular user to detect it. The Microsoft Word document is crafted to look legitimate and is delivered by email. Once opened, it downloads a malicious HTML application from a server; this file is disguised as a Rich Text document. FireEye confirmed the bug affects all versions of Microsoft Word and Office, including Office 2016 and Office 365 for Windows 10.
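A defender-side check for the disguise described above, as an added example that is not from FireEye's report or the original article: it flags files named `.rtf` whose content lacks the RTF signature or carries HTML application script tags. The function names, the tag list and the sample inputs are constructed for illustration, and the tag match is a heuristic rather than a complete detection.

```python
import re

RTF_MAGIC = b"{\\rtf"
# Tags that mark active HTML-application content (heuristic, not exhaustive).
ACTIVE_TAGS = re.compile(rb"<\s*(script|hta:application)\b", re.IGNORECASE)


def inspect_claimed_rtf(name, data):
    """Return a list of findings for a file whose name claims it is RTF."""
    findings = []
    if not name.lower().endswith(".rtf"):
        return findings  # out of scope: file does not claim to be RTF
    # Skip a UTF-8 BOM and leading whitespace before checking the signature.
    body = data.lstrip(b"\xef\xbb\xbf \t\r\n")
    if not body.startswith(RTF_MAGIC):
        findings.append("missing RTF signature")
    # Script tags can also follow a valid RTF header, so scan the whole file.
    match = ACTIVE_TAGS.search(data)
    if match:
        tag = match.group(1).decode("ascii").lower()
        findings.append(f"active content tag <{tag}> at offset {match.start()}")
    return findings


# Constructed sample inputs (not taken from any real sample).
SAMPLES = {
    "report.rtf": b"{\\rtf1\\ansi Quarterly forest plan\\par}",
    "template.rtf": b"<html><hta:application id=x><script language=VBScript>"
                    b"' placeholder body\n</script></html>",
    "padded.rtf": b"{\\rtf1\\ansi filler\\par}\n<SCRIPT language=\"VBScript\">"
                  b"' placeholder body\n</SCRIPT>",
    "notes.txt": b"<script>not in scope</script>",
}


def scan(samples):
    """Map each suspicious file name to its findings; clean files are omitted."""
    results = {}
    for name, data in samples.items():
        findings = inspect_claimed_rtf(name, data)
        if findings:
            results[name] = findings
    return results


if __name__ == "__main__":
    for name, findings in scan(SAMPLES).items():
        print(name, "->", "; ".join(findings))
```

The same check can run at a mail gateway or web proxy on attachments and downloads before they reach Word.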
