Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

9/2/2015
03:50 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Malware Author Stamped Code 'For Targeted Attacks Only'

When the Microsoft Word Intruder Office malware creation kit got too high-profile, the developer changed terms of service, Sophos report says.

The author and operator of the "most influential Office malware creation kit today," according to researchers at SophosLabs, has decided to market his wares only to targeted attackers, rather than spammers or others launching broad campaigns. Russian developer "Objekt" has even written it into the terms of service for his Microsoft Word Intruder (MWI) -- an Office malware creation kit used by at least a dozen different cybercrime groups to deliver payloads via malicious documents, often attached to emails.

MWI generates rich text documents that can exploit a variety of vulnerabilities in Word. It delivers payloads through either a dropper -- which embeds executables directly -- or a downloader -- which uses shellcode to download the payload. It uses a polymorphic decryptor and has a module called MWISTAT that keeps track of attack campaigns and infection rates.

Objekt wasn't always choosy about the kinds of attacks MWI was used for. MWI first appeared in May 2013, and Sophos now believes MWI was in wide use by early 2014, when Sophos released a report stating that financially motivated cybercriminals had begun to routinely use malicious documents to deliver malware, a tactic previously popular only with nation-state actors. "Interestingly," states the report, "MWI’s dominance had faded away by the end of 2014, apparently by design."

As security teams' efforts to thwart MWI increased, Objekt's efforts to evade them necessarily increased, until he'd had enough and simply changed his terms and conditions to make sure that his customers only used MWI for small attacks that might more likely go undetected. As the report quotes:

1. Exploit DESIGNED EXCLUSIVELY FOR POINT (“Targeted”, “TARGET”) attacks. INDICATIVE PRICE FOR BUILDER: 140$

2. Exploit THIS DOES NOT QUALIFY FOR SPAM AND MASSIVE ATTACK! FOR THIS WE HAVE A SEPARATE DECISION.

The change did not keep MWI out of the spotlight altogether, though. In April, it was used in the elegant attack that used CareerBuilder as an innocent middle-man. Attackers browsed job listings on CareerBuilder, submitted "resumes" that were actually malicious documents infected with MWI droppers or downloaders. CareerBuilder would then send a notification email to the employer with that malicious document attached, and were highly likely to open it because it was coming from a source they trusted and contained content they had asked to receive.

Sophos found MWI distributing payloads from over 40 different malware families, including info-stealers, banking Trojans, and remote access Trojans. The most common were Zeus/Zbot (25%) and Carberp (18%), a Trojan backdoor that was popular with Carbanak, the infamous billion-dollllar international cybercrime ring.  

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Hacking It as a CISO: Advice for Security Leadership
Kelly Sheridan, Staff Editor, Dark Reading,  8/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15596
PUBLISHED: 2020-08-12
The ALPS ALPINE touchpad driver before 8.2206.1717.634, as used on various Dell, HP, and Lenovo laptops, allows attackers to conduct Path Disclosure attacks via a "fake" DLL file.
CVE-2020-15868
PUBLISHED: 2020-08-12
Sonatype Nexus Repository Manager OSS/Pro before 3.26.0 has Incorrect Access Control.
CVE-2020-17362
PUBLISHED: 2020-08-12
search.php in the Nova Lite theme before 1.3.9 for WordPress allows Reflected XSS.
CVE-2020-17449
PUBLISHED: 2020-08-12
PHP-Fusion 9.03 allows XSS via the error_log file.
CVE-2020-17450
PUBLISHED: 2020-08-12
PHP-Fusion 9.03 allows XSS on the preview page.