Top Cybercriminal Gangs Are Using EtterSilent Maldoc Builder
EtterSilent Is Gaining More Attention on Underground Forums as Its Popularity Increases.
A malicious document builder named EtterSilent is becoming popular amongst cybercriminals as the developers keep improving it in order to avoid being detected by security solutions.
In a try to increase their payload delivery success rate the cybercriminals started to include EtterSilent in their campaigns more often.
EtterSilent maldoc builder is being promoted on underground forums since at least mid-2020, boasting features like bypassing Windows Defender, Windows AMSI (Antimalware Scan Interface), and popular email services like Gmail.
The researchers at threat intelligence company Intel 471 discovered the fact that the seller is offering weaponized Microsoft Office (2007 through 2019) documents in two ‘flavors’, with an exploit for a known vulnerability or with a malicious macro.
CVE-2017-8570 is one of the vulnerabilities exploited having a high-severity remote code execution, alongside two other vulnerabilities (CVE-2017-11882 and CVE-2018-0802).
It seems that the variant containing the macro is the more popular variant, probably because of having a “lower pricing and higher compatibility when compared to the exploit.”
It’s interesting that an EtterSilent maldoc with macro code is able to behave just as a DocuSign or DigiCert document by asking users to enable support for macros and therefore download a payload in the background.
EtterSilent it’s using Excel 4.0 XML macros, and therefore does not depend on the Visual Basic for Applications (VBA) programming language.
The maldoc then leverages Excel 4.0 macros stored in a hidden sheet, which allow an externally-hosted payload to be downloaded, written to disk, and executed using regsvr32 or rundll32. From there, attackers can follow up and drop other assorted malware.
EtterSilent maldoc was included in a recent spam campaign, meant to drop an updated version of Trickbot, by using the same method as from March 19 in order to infect systems with BazarLoader/BazarBackdoor, but EtterSilent was also used to deliver various ransomware strains (Ryuk, Conti, Maze, Egregor, ProLock).
The researchers discovered that other cybercriminal groups leveraged EtterSilent services for their operations as well, amongst them being banking trojans IcedID/BokBot, Ursnif/Gozi ISFB, and QakBot/QBot.
Attackers as prolific as the ones mentioned before are constantly trying to find new ways to distribute their malicious payloads while drawing as little attention as possible, therefore the EtterSilent maldoc service is a good asset for them.
In March, some weaponized documents built with this tool went completely undetected by all antivirus engines included in a scanning service, but a week ago, a few antivirus engines detected one weaponized document built with this tool, and now the detection capacity is rapidly increasing with each passing day.
EtterSilent was selling a normal build with $13o, and another tier with $230, this amount being asked for building a custom stub that makes malicious files unique by encrypting them.