The buzz around a new maldoc builder that’s quickly becoming the favorite of cybercriminals mirrors the behavior around other popular products in a legitimate marketplace – that could be good news for defenders.
Just like buyers who line up to buy the latest athlete-endorsed sneakers, threat actors hankering for EtterSilent “rush to obtain it and find unique ways to use it in order to fit their needs,” researchers at Intel 471, who discovered the malicious document builder, wrote in a Tuesday blog post.
“Similar to any market, the cybercrime underground has people who specialize in particular attacks or services,” said Intel 471 CISO Brandon Hoffman. “Suppliers specialize based on their unique skill set. It takes a full supply chain for attacks to be successful and profitable. As the consumers of these products and services change and adapt their strategies, so too must the suppliers.”
EtterSilent is a Hot Commodity
As EtterSilent’s popularity has grown since it first hit the scene in June 2020, “it has been constantly updated” to avoid detection, the researchers said. “Used in conjunction with other forms of malware, it’s a prime example of how ease of use and a concentration of skill sets leads to a commoditization of the cybercrime economy,” they explained.
The maldoc builder was first seen advertised on a Russian cybercrime forum, where researchers said the seller served up two different types of weaponized Microsoft Office documents. One version exploited CVE-2017-8570, a known Office vulnerability, while the other used a malicious macro. The macro version appears to be the more popular, perhaps because its lower price and broader compatibility (a macro runs on any Office version, patched or not) make it more attractive than the exploit.
The macro also has a higher chance of broad success, said Hoffman, “because a vulnerability is easily patched, but macro use has to be removed by policy enforcement and, in certain legacy cases, cannot be controlled holistically by IT.”
The vulnerability, though, is easy to exploit and “coupled with many organizations’ use of legacy Office versions, makes it attractive” as well, he said.
Once the malicious document is opened, it reveals what appears to be a DocuSign template, with Excel 4.0 (XLM) macros stored in a hidden sheet. The macros download an externally hosted payload, write it to disk and execute it with regsvr32 or rundll32. From there, attackers can drop whatever malware they choose. Trickbot, for example, was delivered this way in a recent spam campaign in which the maldoc, posing as a payment invoice, was attached to an email impersonating a well-known multinational appliance manufacturer.
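The execution chain described above (Excel 4.0 macro in a hidden sheet, payload written to disk, launched through regsvr32 or rundll32) is visible in process-creation telemetry even if the document itself is never parsed: the loader's parent process is Excel, and the module it loads sits in a user-writable directory. The following detection logic is an added example, not code from the article or from Intel 471. It consumes Sysmon-style process-creation records; the sample events, user names, paths and file names are constructed for the example and taken from no real incident.

```python
"""Flag the Office -> regsvr32/rundll32 chain in process-creation events.

Added example; the event fields (ParentImage, Image, CommandLine) follow the
Sysmon Event ID 1 naming, and all sample data below is constructed.
"""
from __future__ import annotations

import re

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
LOLBIN_LOADERS = {"regsvr32.exe", "rundll32.exe"}

# Directories a macro can write to without elevation; a freshly dropped
# payload almost always lands in one of these.
USER_WRITABLE = re.compile(
    r"\\(appdata|programdata|temp|tmp|public|users\\[^\\]+\\downloads)\\", re.I
)
# regsvr32 /i:http://... (scrobj) style loaders pass the stage URL directly.
URL_IN_CMDLINE = re.compile(r"https?://", re.I)


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path, tolerant of forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event: dict) -> list[str]:
    """Return the reasons an event matches the maldoc loader chain (empty if clean)."""
    reasons: list[str] = []
    parent = _basename(event.get("ParentImage", ""))
    image = _basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    if parent in OFFICE_PARENTS and image in LOLBIN_LOADERS:
        reasons.append(f"{parent} spawned {image}")
        if USER_WRITABLE.search(cmd):
            reasons.append("module loaded from a user-writable directory")
        if URL_IN_CMDLINE.search(cmd):
            reasons.append("remote URL passed on the command line")
    return reasons


def detect_chain(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Run score_event over a batch; return (index, reasons) for every hit."""
    return [(i, r) for i, ev in enumerate(events) if (r := score_event(ev))]


# Constructed sample events (hypothetical paths and names, not real telemetry).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\invoice.dll"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\ProgramData\doc.dll,DllRegisterServer"},
    {"ParentImage": r"C:\Windows\explorer.exe",  # benign: user opened a control panel applet
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\splwow64.exe",  # benign: Excel's 32-bit printing helper
     "CommandLine": "splwow64.exe 12288"},
]

if __name__ == "__main__":
    for idx, reasons in detect_chain(SAMPLE_EVENTS):
        print(f"event {idx}: " + "; ".join(reasons))
```

The first reason alone (Office spawning regsvr32 or rundll32) is already a strong signal in most fleets; the extra reasons are there so that an analyst can rank hits, and the two benign events show why the rule keys on the parent process rather than on rundll32 or regsvr32 in isolation. Tune USER_WRITABLE to the directories your own macros and add-ins legitimately use before deploying it as an alert.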
Late last month, researchers also spotted EtterSilent used in a Bazar loader campaign. This time, the maldoc analyzed by Intel 471 researchers carried a main Excel sheet named “DocuSign®” rather than a DocuSign template. It downloaded a Bazar loader payload, which in turn connected to a second URL and downloaded a Bazar backdoor. Intel 471 also found EtterSilent used in BokBot, Gozi ISFB and QBot campaigns, all of which relied on bulletproof hosting (BPH) provider Yalishanda. One BokBot-related initiative “had numerous distribution URLs embedded in the EtterSilent maldocs,” all of which “resolved to one particular IP address” tied to Yalishanda, the researchers wrote.
Ties to BPH Providers
It’s not surprising that the initiatives made use of the popular Yalishanda – BPH providers are frequent partners-in-crime with cyberattackers. BPH has worked “hand-in-glove with cybercrime for decades,” the Intel 471 researchers wrote, “supplying criminals with the infrastructure they need” to underpin their crimes.
Defenders have paid little attention to bulletproof hosting, even though it “remains a critical component to much of the cybercrime activity,” said Hoffman. Rather than pointing automated and semi-automated defense mechanisms at single indicators or IP addresses, he explained, “understanding bulletproof hosting allows security personnel to proactively defend against a variety of active and pending attacks.”
BPHs’ services are similar to those of any legitimate hosting service. “They manage bulk IP blocks and registrations for domains that are relatively easily identified and open source, to a degree,” said Hoffman.
The IP blocks and domains, however, are used in different stages of attacks and “if known, provide an easy opportunity for disruption,” he said.
While an examination of malware yields many clues to help cybersecurity pros defend against and mitigate threats, defenders trying to get a bead on which threats are most relevant to their organizations could also benefit from understanding how the cybercrime economy works and who its major players are, the researchers said. EtterSilent is just one example among many of commoditization in the cybercrime economy and of how various players work in tandem, leveraging multiple products.
“Understanding the cybercrime supply chain provides insight into how the different pieces are put together to consummate an attack,” Hoffman explained. “This allows defenders to inspect each of those components individually, and focus in three different ways – one, what intelligence they have; two, what special skills do the defenders have to enrich the data they have; three, what defense mechanisms do they have to disrupt a part of the attack.”
That knowledge “streamlines the response/defense capability and makes it more effective,” he added.