
EtterSilent Maldoc Builder - The Hot Selling Cake in Underground Forums

EtterSilent, a malicious document builder, is gaining traction among cybercriminals on underground forums. Due to its increasing popularity, its authors are continuously improving it to bypass traditional security solutions. Additionally, cybercriminals are using it now more often to increase the success rate of their payload delivery. 

What has happened?

Since mid-2020, several ads have been promoting EtterSilent maldoc builder on underground forums. The ads promote its features, such as bypassing Windows Defender, Windows AMSI, and popular email services.
  • The seller behind this maldoc builder offers weaponized Microsoft Office (versions 2007 to 2019) documents in two options: with an exploit for a known vulnerability or with a malicious macro.
  • The macro variant is more popular because of its lower price and broader compatibility compared to the exploit variant.
  • An EtterSilent maldoc carrying macro code can mimic a DigiCert or DocuSign document that asks users to enable macros, which then download the payload in the background.
  • One of the leveraged vulnerabilities (tracked as CVE-2017-8570) is a remote code execution vulnerability in Microsoft Office. Moreover, two other vulnerabilities (CVE-2017-11882 and CVE-2018-0802) were demonstrated by attackers in a video.
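A defender-side triage check for the macro variant described above, added here as an example and not part of the original article or of the EtterSilent tooling: it statically inspects an Office file and flags the indicators a macro-laden lure carries, namely a vbaProject.bin part and a macro-enabled content type. The sample .docm is constructed inline and contains no real VBA; the OLE branch only identifies the legacy container, since walking its streams needs a CFB parser.

```python
import io
import zipfile

# Content types that mark a macro-enabled OOXML document (Word/Excel/PowerPoint).
MACRO_CONTENT_TYPES = (
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml",
)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy compound-file (.doc/.xls) header


def triage_office_doc(data: bytes) -> dict:
    """Return static indicators: container type, VBA part present, macro-enabled type."""
    result = {"container": "unknown", "has_vba_project": False,
              "macro_enabled_type": False, "suspicious": False}
    if data.startswith(OLE_MAGIC):
        # Legacy binary formats keep VBA inside the compound file; a CFB parser
        # (e.g. olefile) is needed to walk its storages, so only flag the container.
        result["container"] = "ole"
        return result
    if data[:2] != b"PK":
        return result
    result["container"] = "ooxml"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        result["has_vba_project"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        if "[Content_Types].xml" in names:
            ct = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            result["macro_enabled_type"] = any(t in ct for t in MACRO_CONTENT_TYPES)
    result["suspicious"] = result["has_vba_project"] or result["macro_enabled_type"]
    return result


def build_sample_docm() -> bytes:
    """Constructed sample: minimal OOXML zip laid out like a macro-enabled .docm (no real VBA)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Override PartName="/word/document.xml" '
            'ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>'
            '<Override PartName="/word/vbaProject.bin" '
            'ContentType="application/vnd.ms-office.vbaProject"/></Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"placeholder")  # stands in for the VBA stream
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_office_doc(build_sample_docm()))
```

A positive result only says the file can run macros; pairing it with the lure text ("enable content" banners styled as DigiCert or DocuSign) is what turns it into a detection for this family of documents.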

Recent use of the maldoc builder

In a recent campaign, the EtterSilent maldoc was used to drop an updated version of Trickbot. The gang used the same tactic in another campaign to infect systems with BazarBackdoor/BazarLoader in October 2020.
  • During that campaign, along with Trickbot, other maldocs were used to spread several ransomware strains such as Conti, Maze, Ryuk, ProLock, and Egregor.
  • In addition, other cybercriminal groups were observed using this maldoc builder, including those behind IcedID, Gozi ISFB, and QakBot.

Conclusion

Malicious services such as EtterSilent indicate that cybercriminals are continually looking for new ways to spread their payloads while staying under the radar. Therefore, organizations and security researchers need to have a proper defense strategy, along with updated knowledge of recent threats and tactics to keep themselves one step ahead in the game.
Cyware Publisher
