Finspy spyware was installed as early as January using the same vulnerability in Word that was patched on Tuesday by Microsoft. The same vulnerability (CVE-2017-0199) was used to install Latentbot, a bot-like, information-stealing and remote-access malware package used by financially motivated criminals. The vulnerability was discovered by FireEye researchers who independently discovered this flaw last month. It is possible that the source for the exploit that delivered the Dridex banking trojan, or that someone with access to the Word exploit gave it to them.
Source: https://thehackernews.com/2017/04/microsoft-word-zeroday.html