Malware Author Stamped Code For Targeted Attacks Only

  /     /     /  
Publicated : 22/11/2024   Category : security


Malware Author Stamped Code For Targeted Attacks Only


When the Microsoft Word Intruder Office malware creation kit got too high-profile, the developer changed terms of service, Sophos report says.



The author and operator of the most influential Office malware creation kit today, according to researchers at SophosLabs, has decided to market his wares only to targeted attackers, rather than spammers or others launching broad campaigns. Russian developer Objekt has even written it into the terms of service for his Microsoft Word Intruder (MWI) -- an Office malware creation kit used by at least a dozen different cybercrime groups to deliver payloads via malicious documents, often attached to emails.
MWI generates rich text documents that can exploit a variety of vulnerabilities in Word. It delivers payloads through either a dropper -- which embeds executables directly -- or a downloader -- which uses shellcode to download the payload. It uses a polymorphic decryptor and has a module called MWISTAT that keeps track of attack campaigns and infection rates.
Objekt wasnt always choosy about the kinds of attacks MWI was used for. MWI first appeared in May 2013, and Sophos now believes MWI was in wide use by early 2014, when Sophos released a report stating that financially motivated cybercriminals had begun to routinely use malicious documents to deliver malware, a tactic previously popular only with nation-state actors. Interestingly, states the report, MWI’s dominance had faded away by the end of 2014, apparently by design.
As security teams efforts to thwart MWI increased, Objekts efforts to evade them necessarily increased, until hed had enough and simply changed his terms and conditions to make sure that his customers only used MWI for small attacks that might more likely go undetected. As the report quotes:
1. Exploit DESIGNED EXCLUSIVELY FOR POINT (“Targeted”, “TARGET”) attacks. INDICATIVE PRICE FOR BUILDER: 140$
2. Exploit THIS DOES NOT QUALIFY FOR SPAM AND MASSIVE ATTACK! FOR THIS WE HAVE A SEPARATE DECISION.
The change did not keep MWI out of the spotlight altogether, though. In April, it was used in the
elegant attack that used CareerBuilder
as an innocent middle-man. Attackers browsed job listings on CareerBuilder, submitted resumes that were actually malicious documents infected with MWI droppers or downloaders. CareerBuilder would then send a notification email to the employer with that malicious document attached, and were highly likely to open it because it was coming from a source they trusted and contained content they had asked to receive.
Sophos found MWI distributing payloads from over 40 different malware families, including info-stealers, banking Trojans, and remote access Trojans. The most common were Zeus/Zbot (25%) and Carberp (18%), a Trojan backdoor that was popular with
Carbanak
, the infamous billion-dollllar international cybercrime ring.  

Last News

▸ IoT Devices on Average Have 25 Vulnerabilities ◂
Discovered: 23/12/2024
Category: security

▸ DHS-funded SWAMP scans code for bugs. ◂
Discovered: 23/12/2024
Category: security

▸ Debunking Machine Learning in Security. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Malware Author Stamped Code For Targeted Attacks Only