EPS Processing Zero-Days Exploited by Multiple Threat Actors
TLP: White | Tag: Turla Group | Author: AlienVault | Created: 2017-05-09 | Modified: 2017-07-21 | 25 IOCs
Recently, FireEye identified three new zero-day vulnerabilities in Microsoft Office products that are being exploited in the wild. At the end of March 2017, we detected another malicious document leveraging an unknown vulnerability in EPS and a recently patched vulnerability in Windows Graphics Device Interface (GDI) to drop malware. Following the April 2017 Patch Tuesday, in which Microsoft disabled EPS, FireEye detected a second unknown vulnerability in EPS. FireEye believes that two actors – Turla and an unknown financially motivated actor – were using the first EPS zero-day (CVE-2017-0261), and APT28 was using the second EPS zero-day (CVE-2017-0262) along with a new Escalation of Privilege (EOP) zero-day (CVE-2017-0263). Turla and APT28 are Russian cyber espionage groups that have used these zero-days against European diplomatic and military entities. The unidentified financial group targeted regional and global banks with offices in the Middle East.
Indicators of Compromise (25)