The author and operator of the "most influential Office malware creation kit today," according to researchers at SophosLabs, has decided to market his wares only to targeted attackers, rather than spammers or others launching broad campaigns. Russian developer "Objekt" has even written it into the terms of service for his Microsoft Word Intruder (MWI) -- an Office malware creation kit used by at least a dozen different cybercrime groups to deliver payloads via malicious documents, often attached to emails.
MWI generates rich text documents that can exploit a variety of vulnerabilities in Word. It delivers payloads through either a dropper -- which embeds executables directly -- or a downloader -- which uses shellcode to download the payload. It uses a polymorphic decryptor and has a module called MWISTAT that keeps track of attack campaigns and infection rates.
Objekt wasn't always choosy about the kinds of attacks MWI was used for. MWI first appeared in May 2013, and Sophos now believes MWI was in wide use by early 2014, when Sophos released a report stating that financially motivated cybercriminals had begun to routinely use malicious documents to deliver malware, a tactic previously popular only with nation-state actors. "Interestingly," states the report, "MWI’s dominance had faded away by the end of 2014, apparently by design."
As security teams' efforts to thwart MWI increased, Objekt's efforts to evade them necessarily increased, until he'd had enough and simply changed his terms and conditions to make sure that his customers only used MWI for small attacks that might more likely go undetected. As the report quotes:
1. Exploit DESIGNED EXCLUSIVELY FOR POINT (“Targeted”, “TARGET”) attacks. INDICATIVE PRICE FOR BUILDER: 140$
2. Exploit THIS DOES NOT QUALIFY FOR SPAM AND MASSIVE ATTACK! FOR THIS WE HAVE A SEPARATE DECISION.
The change did not keep MWI out of the spotlight altogether, though. In April, it was used in the elegant attack that used CareerBuilder as an innocent middle-man. Attackers browsed job listings on CareerBuilder, submitted "resumes" that were actually malicious documents infected with MWI droppers or downloaders. CareerBuilder would then send a notification email to the employer with that malicious document attached, and were highly likely to open it because it was coming from a source they trusted and contained content they had asked to receive.
Sophos found MWI distributing payloads from over 40 different malware families, including info-stealers, banking Trojans, and remote access Trojans. The most common were Zeus/Zbot (25%) and Carberp (18%), a Trojan backdoor that was popular with Carbanak, the infamous billion-dollllar international cybercrime ring.