Murky trade in zero-day malware uncovered as leaks show Hacking Team bought MS Office exploit from security firm Netragard

$50k and up is the asking price for exploits, leaked emails reveal

Hacking Team, the Italian company whose services have been used by repressive regimes to track their citizens, was recently in negotiations to purchase a zero-day exploit for Microsoft Office from US penetration testing firm Netragard, leaked documents show.

The company, whose clients include the governments of Kazakhstan, Russia, Ethiopia, Mexico, Guatemala, Sudan, Saudi Arabia, Oman, Uzbekistan, Azerbaijan and Mongolia, was hacked two days ago with 400GB of material dumped online. That material has now been indexed and made searchable by WikiLeaks.

One email thread concerns a zero-day exploit dubbed TOAD, which was created by Netragard.

TOAD exploits a bug described as a "design/logic flaw (auth-bypass / update issues)" and allows remote code execution by attackers.

"Microsoft Office contains a module that is vulnerable to DLL hijacking upon referenced from a crafted WebDAV or SMB share containing an Office file," explains the specifications document in the email.

Microsoft Office 2007, 2010 and 2013 are all vulnerable to the exploit, which is delivered via a networked drive. Client operating systems that can be exploited are "Windows XP SP3, Vista SP2, 7 SP1, 8 and 8.1 both 32 and 64 bits", according to the document.

For the exploit to be triggered, the target needs to be logged in to Windows and to open an Office document from a WebDAV or SMB share.
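The flaw described above fires when Office opens a document from a WebDAV or SMB share and then loads a DLL from that same remote location. As an added example (not from the article, and not Netragard's code), here is a defender's check in Python over constructed Sysmon-style ImageLoad (Event ID 7) records that flags Office processes loading a DLL from any UNC path; the record layout, process names and server names are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Office host processes of interest (assumption: these binary names)
OFFICE_PROCS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Any UNC path (\\host\share\...): covers SMB shares and the WebDAV
# redirector form \\host@SSL\DavWWWRoot\... alike
UNC_DLL = re.compile(r"^\\\\[^\\]+\\[^\\]+\\.+\.dll$", re.IGNORECASE)

# Constructed sample records in a simplified Sysmon ImageLoad layout:
# event_id|process image|loaded image|signed
SAMPLE_LOG = r"""
7|C:\Program Files\Microsoft Office\Office15\WINWORD.EXE|C:\Windows\System32\ole32.dll|true
7|C:\Program Files\Microsoft Office\Office15\WINWORD.EXE|\\fileserver\public\oleacc.dll|false
7|C:\Program Files\Microsoft Office\Office14\EXCEL.EXE|\\webdav.example.test@SSL\DavWWWRoot\shared\msi.dll|false
1|C:\Windows\explorer.exe||
7|C:\Windows\System32\notepad.exe|\\fileserver\public\other.dll|false
"""


def parse(line):
    """Split one pipe-delimited record; return None for malformed lines."""
    parts = line.split("|")
    if len(parts) != 4:
        return None
    event_id, image, loaded, signed = parts
    return {"event_id": int(event_id), "image": image,
            "loaded": loaded, "signed": signed == "true"}


def is_office_unc_load(ev):
    """True when an Office process loaded a DLL from a UNC (share) path."""
    if ev["event_id"] != 7:
        return False
    proc = PureWindowsPath(ev["image"]).name.lower()
    return proc in OFFICE_PROCS and bool(UNC_DLL.match(ev["loaded"]))


def find_suspicious(log):
    """Return the remote DLL paths loaded by Office processes, in log order."""
    hits = []
    for raw in log.strip().splitlines():
        ev = parse(raw.strip())
        if ev and is_office_unc_load(ev):
            hits.append(ev["loaded"])
    return hits


if __name__ == "__main__":
    for path in find_suspicious(SAMPLE_LOG):
        print("Office loaded DLL from share:", path)
```

The same rule, expressed as a SIEM query, is a cheap way to surface the "document from a share" precondition the specification lists, since legitimate Office add-ins rarely live on a remote share.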

The name Netragard appears elsewhere in the leaked documents too. In March 2013 Hacking Team appeared to be haggling over the price of another exploit, with Netragard apparently playing hardball and insisting:

"Your offer of $50,000.00 to $70,000.00 would be a slap in the face..."

However, Hacking Team appeared to have had an alternative supplier in mind on that occasion:

"To which here's the answer to Netregard .... how is put and the price proposed by them (I had said about 50k dollars) it seems to me just the same as Dustin Trummel. What do you think?" [Translated from the original Italian using Google Translate]

"Dustin Trummel" is revealed elsewhere in the leaked stash to be Dustin D. Trammell, an "entrepreneur and security researcher performing research within the fields of vulnerability exploitation", who recently denied being legendary Bitcoin creator Satoshi Nakamoto.

In a blog post hastily put out following the leaks, Massachusetts-based Netragard seeks to distance itself from Hacking Team and its unsavoury client list - although the blog suggests their relationship only dates back to 2014, rather than March 2013 as detailed by the email exchange above.

"In mid 2014 we modified those controls and made an exception when HackingTeam was introduced to us by a trusted US based partner," the blog states.

"It was our mutual understanding that this buyer maintained the same code of ethics as our own. Unfortunately we were very, very wrong."

Netragard goes on to argue, rather unconvincingly, that the uses Hacking Team put its malware to show that the marketplace for zero-day exploits should be better regulated.