Intel 471 researchers warn about a new scheme in which attackers mimic a popular document builder that ultimately deploys ransomware and banking Trojans.
According to Intel 471 research published on Tuesday, EtterSilent, the fake document builder, has been spotted on a Russian hacker forum. It comes in two versions: one exploits an MS Office vulnerability tracked as CVE-2017-8570, and another uses a malicious macro.
One version of EtterSilent resembles DocuSign, a popular digital signature service. When the target clicks the button to electronically sign documents, they are asked to enable macros. Once macros are allowed, the attackers target victims with malware.
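The lure described above combines two observable traits: a VBA project embedded in the document and visible text urging the reader to enable macros. The following checker, added here as an illustration and not code from Intel 471 or the EtterSilent authors, inspects an OOXML file for both traits; the lure phrases and the sample documents are constructed for the demonstration.

```python
import io
import re
import zipfile

# Lure phrases typical of "enable macros" documents (constructed list, not from the report).
LURE_PATTERNS = [r"docusign", r"enable\s+(content|editing|macros)"]


def inspect_office_doc(data: bytes) -> dict:
    """Inspect an OOXML (docx/docm/xlsm) file for an embedded VBA project and lure text.

    Returns a dict with has_macro, lure_hits and a verdict string.
    """
    result = {"has_macro": False, "lure_hits": [], "verdict": "clean"}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        result["verdict"] = "not-ooxml"
        return result
    names = zf.namelist()
    # vbaProject.bin is the OLE part that carries VBA macros in an OOXML package.
    result["has_macro"] = any(n.lower().endswith("vbaproject.bin") for n in names)
    # Gather the visible XML text of the main document parts for lure matching.
    text = ""
    for n in names:
        if n.startswith(("word/", "xl/", "ppt/")) and n.endswith(".xml"):
            text += zf.read(n).decode("utf-8", errors="ignore").lower()
    for pat in LURE_PATTERNS:
        if re.search(pat, text):
            result["lure_hits"].append(pat)
    if result["has_macro"] and result["lure_hits"]:
        result["verdict"] = "suspicious: macro + enable-macros lure"
    elif result["has_macro"]:
        result["verdict"] = "macro present"
    return result


def build_sample(with_macro: bool, body: str) -> bytes:
    """Build a minimal constructed OOXML-like package for testing (not a real maldoc)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", f"<w:document><w:t>{body}</w:t></w:document>")
        if with_macro:
            # Placeholder bytes standing in for a real VBA project stream.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    lure = build_sample(True, "DocuSign: please Enable Content to view and sign the document")
    print(inspect_office_doc(lure))
    print(inspect_office_doc(build_sample(False, "Quarterly report")))
```

In a mail gateway or sandbox pipeline the same check would run on the attachment bytes; a macro-bearing document whose body is mostly an "enable content" instruction is a strong signal regardless of which builder produced it.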
According to Intel 471, EtterSilent's operators built extensive concealment features into the tool, which allow them to hide their activity. The tool has been updated repeatedly in recent months to add new detection-evasion features.
EtterSilent is often used as the initial infection vector for other well-known malware. Last month, attackers used EtterSilent in conjunction with the Bazar loader, which can be used to infect victims with additional malware or ransomware, according to the researchers. In one campaign that used EtterSilent, attackers dropped an updated version of the Trickbot banking trojan. Attackers have also used EtterSilent together with the banking trojans BokBot, Gozi ISFB, and QBot, Intel 471 noted.
The researchers note that the practice of renting out tools such as EtterSilent is a sign of the commoditization of cybercrime.
“The widespread use of EtterSilent shows how commoditization is a big part of the cybercrime economy,” the researchers note in a blog on Tuesday. “Different players specialize in their respective area, whether that be robust hosting, spam infrastructure, maldoc builders, or malware as a service, and find ways to leverage each other’s products and services by working together.”