The zero-day flaw in Microsoft Word and WordPad that allowed attackers to infect systems with malware when users launched a malicious RTF document has been used by governments for cyber espionage, according to a new report from security company Fire Eye.

As we reported earlier this week, Fire Eye is one of the companies that discovered the vulnerability and reported it to Microsoft, warning that attacks were carried out by multiple actors.

Now in a follow-up post, Fire Eye reveals that attacks trying to exploit CVE-2017-0199 were launched by “financially motivated and nation-state” since January, with two malware families associated with exploits, namely FINSPY and LATENTBOT. There’s evidence that all attackers gained the exploit code from the same source, the security firm says.

And here comes the interesting part. Fire Eye notes that the first signs of attacks trying to exploit this Microsoft Office vulnerability were observed in a document referencing a Russian Ministry of Defense decree and other documents related to the so-called “Donetsk People's Republic.” Using the zero-day, attackers attempted to deploy FINSPY on target systems, the security researchers point out.

Patch already available

The document was called СПУТНИК РАЗВЕДЧИКА.doc and is clearly aimed at Russian-speaking victims, shipping as a military training manual that users need to open on their computers to activate the exploit.

The malicious document connects to other servers in an attempt to download further payloads, but also other compromised documents, including a file called prikaz.doc that’s described as a Russian Ministry of Defense decree regarding a forest management plan.

“Though we have not identified the targets, FINSPY is sold by Gamma Group to multiple nation-state clients, and we assess with moderate confidence that it was being used along with the zero-day to carry out cyber espionage,” Fire Eye says.

Microsoft has already issued a fix on Patch Tuesday and users are recommended to install it as soon as possible. The zero-day exists in all versions of Microsoft Office and can be exploited on all versions of Windows as well, with WordPad also said to be affected when trying to open compromised RTF documents.