Wednesday, October 9, 2024
HomeHacksNew Malicious Document Builder Named "EtterSilent" Used by Top Hackers Groups

New Malicious Document Builder Named “EtterSilent” Used by Top Hackers Groups

Published on

A new hacking tool for carrying out email attacks has been promoted by the threat actors on hacker forums since at least the middle of last year. 

According to the advertisements placed and promoted on the hacker forums, its use accommodates to effectively bypass Windows Defender, Windows AMSI (Antimalware Scan Interface) and security filters of popular email services, including Gmail.

The cybersecurity researchers at Intel 471 security firm has shown that “EtterSilent” can create two types of fake Microsoft Office documents – with an exploit or a malicious macro.

- Advertisement - EHA

How Does It Work?

Among the exploits in the builder’s arsenal are CVE-2017-8570, CVE-2017-11882 and CVE-2018-0802, the use of which is pointless on Windows with the latest version of Microsoft Office.

Generally, the email attackers favour the malicious macro option mostly, as it is compatible with any version of Microsoft Office supported by EtterSilent (2007-2019). 

Here, the potential victim only needs to be convinced to activate the appropriate function; and such documents are still being distributed by the threat actors on behalf of DocuSign or DigiCert. 

However, it’s noteworthy that in this case, the Microsoft Excel 4.0 XML macro is used, and not VBA, while in most other analogues, the secondary option is used most of the time by the threat actors.

Low Detection Pulls Big Names

At the moment, signs of using EtterSilent are seen in emails aimed at distributing Trickbot, BazarLoader, as well as banking Trojans like IcedID/BokBot, QakBot/QBot and Ursnif, Rovnix, Gozi, and Papras.

Builders of malicious Microsoft Office documents that make it easier for cybercriminals have been created before. As the use of these types of tools proves itself until a database of fake signatures created with their help. 

So, a week ago, the results of using EtterSilent, according to the cybersecurity experts, is distinguished by only a few antivirus scanners from the VirusTotal set, and now they are detected by a third or even half.

As a big part of the cybercrime economy, the threat actors use these types of mediums like EtterSilent. There are many threat actors in the wild, and each of them are just perfect players in their respective area.

While now if we talk about the fields, where they are prominent, are hosting, spam infrastructure, maldoc builders, malware as a service, and together they find many more ways to abuse the products or services.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity, and hacking news updates.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Badge and CyberArk Announce Partnership to Redefine Privacy in PAM and Secrets Management

Partnership aims to help businesses eliminate vulnerable attack surfaces and provide a more streamlined...

LemonDuck Malware Exploiting SMB Vulnerabilities To Attack Windwos Servers

The attackers exploited the EternalBlue vulnerability to gain initial access to the observatory farm,...

Critical Automative 0-Day Flaws Let Attackers Gain Full Control Over Cars

Recent discoveries in the automotive cybersecurity landscape have unveiled a series of critical zero-day...

Likho Hackers Using MeshCentral For Remotely Managing Victim Systems

The Awaken Likho APT group launched a new campaign in June of 2024 with...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Telegram Bot Selling Phishing Tools to Bypass 2FA & Hack Microsoft 365 Accounts

A newly discovered phishing marketplace, ONNX Store, empowers cybercriminals to launch sophisticated attacks against...

Mobile Device Management Vendor Mobile Guardian Hacked

 Mobile Guardian, a leading Mobile Device Management (MDM) vendor, experienced unauthorized access to its...

Hunt3r Kill3rs Group claims they Infiltrated Schneider Electric Systems in Germany

The notorious cybercriminal group Hunt3r Kill3rs has claimed responsibility for infiltrating Schneider Electric's systems...