New Malicious Document Builder Named “EtterSilent” Used by Top Hackers Groups

A new hacking tool for carrying out email attacks has been promoted by the threat actors on hacker forums since at least the middle of last year. 

According to the advertisements placed and promoted on the hacker forums, its use accommodates to effectively bypass Windows Defender, Windows AMSI (Antimalware Scan Interface) and security filters of popular email services, including Gmail.

The cybersecurity researchers at Intel 471 security firm has shown that “EtterSilent” can create two types of fake Microsoft Office documents – with an exploit or a malicious macro.

How Does It Work?

Among the exploits in the builder’s arsenal are CVE-2017-8570, CVE-2017-11882 and CVE-2018-0802, the use of which is pointless on Windows with the latest version of Microsoft Office.

Generally, the email attackers favour the malicious macro option mostly, as it is compatible with any version of Microsoft Office supported by EtterSilent (2007-2019). 

Here, the potential victim only needs to be convinced to activate the appropriate function; and such documents are still being distributed by the threat actors on behalf of DocuSign or DigiCert. 

However, it’s noteworthy that in this case, the Microsoft Excel 4.0 XML macro is used, and not VBA, while in most other analogues, the secondary option is used most of the time by the threat actors.

Low Detection Pulls Big Names

At the moment, signs of using EtterSilent are seen in emails aimed at distributing Trickbot, BazarLoader, as well as banking Trojans like IcedID/BokBot, QakBot/QBot and Ursnif, Rovnix, Gozi, and Papras.

Builders of malicious Microsoft Office documents that make it easier for cybercriminals have been created before. As the use of these types of tools proves itself until a database of fake signatures created with their help. 

So, a week ago, the results of using EtterSilent, according to the cybersecurity experts, is distinguished by only a few antivirus scanners from the VirusTotal set, and now they are detected by a third or even half.

As a big part of the cybercrime economy, the threat actors use these types of mediums like EtterSilent. There are many threat actors in the wild, and each of them are just perfect players in their respective area.

While now if we talk about the fields, where they are prominent, are hosting, spam infrastructure, maldoc builders, malware as a service, and together they find many more ways to abuse the products or services.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity, and hacking news updates.