Saturday, July 20, 2024

New Malicious Document Builder Named “EtterSilent” Used by Top Hackers Groups

A new hacking tool for carrying out email attacks has been promoted by the threat actors on hacker forums since at least the middle of last year. 

According to the advertisements placed and promoted on the hacker forums, its use accommodates to effectively bypass Windows Defender, Windows AMSI (Antimalware Scan Interface) and security filters of popular email services, including Gmail.

The cybersecurity researchers at Intel 471 security firm has shown that “EtterSilent” can create two types of fake Microsoft Office documents – with an exploit or a malicious macro.

How Does It Work?

Among the exploits in the builder’s arsenal are CVE-2017-8570, CVE-2017-11882 and CVE-2018-0802, the use of which is pointless on Windows with the latest version of Microsoft Office.

Generally, the email attackers favour the malicious macro option mostly, as it is compatible with any version of Microsoft Office supported by EtterSilent (2007-2019). 

Here, the potential victim only needs to be convinced to activate the appropriate function; and such documents are still being distributed by the threat actors on behalf of DocuSign or DigiCert. 

However, it’s noteworthy that in this case, the Microsoft Excel 4.0 XML macro is used, and not VBA, while in most other analogues, the secondary option is used most of the time by the threat actors.

Low Detection Pulls Big Names

At the moment, signs of using EtterSilent are seen in emails aimed at distributing Trickbot, BazarLoader, as well as banking Trojans like IcedID/BokBot, QakBot/QBot and Ursnif, Rovnix, Gozi, and Papras.

Builders of malicious Microsoft Office documents that make it easier for cybercriminals have been created before. As the use of these types of tools proves itself until a database of fake signatures created with their help. 

So, a week ago, the results of using EtterSilent, according to the cybersecurity experts, is distinguished by only a few antivirus scanners from the VirusTotal set, and now they are detected by a third or even half.

As a big part of the cybercrime economy, the threat actors use these types of mediums like EtterSilent. There are many threat actors in the wild, and each of them are just perfect players in their respective area.

While now if we talk about the fields, where they are prominent, are hosting, spam infrastructure, maldoc builders, malware as a service, and together they find many more ways to abuse the products or services.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity, and hacking news updates.


Latest articles

Hackers Claiming Dettol Data Breach: 453,646 users Impacted

A significant data breach has been reported by a threat actor known as 'Hana,'...

CrowdStrike Update Triggers Widespread Windows BSOD Crashes

A recent update from cybersecurity firm CrowdStrike has caused significant disruptions for Windows users,...

Operation Spincaster Disrupts Approval Phishing Technique that Drains Victim’s Wallets

Chainalysis has launched Operation Spincaster, an initiative to disrupt approval phishing scams that have...

Octo Tempest Know for Attacking VMWare ESXi Servers Added RansomHub & Qilin to Its Arsenal

Threat actors often attack VMware ESXi servers since they accommodate many virtual machines, which...

TAG-100 Actors Using Open-Source Tools To Attack Gov & Private Orgs

Hackers exploit open-source tools to execute attacks because they are readily available, well-documented, and...

macOS Users Beware Of Weaponized Meeting App From North Korean Hackers

Meeting apps are often targeted and turned into weapons by hackers as they are...

Hackers Exploiting Legitimate RMM Tools With BugSleep Malware

Since October 2023, MuddyWater, which is an Iranian threat group linked to MOIS, has...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles