Exploit Kit Adds Statistics Tool

Wednesday, April 8, 2015 @ 02:04 PM gHale

Showing statistics or analytics is one key way to gauge success on the web, and malware developers are no different: the creators of the exploit kit Microsoft Word Intruder (MWI) have released a web-based tool that gives attackers better control of their operation, along with statistics on it.

Released in December 2014, the add-on package for MWI is written in PHP and called MWISTAT. It is installed on a server that receives the requests generated when victims open the rigged documents.


MWI is a builder that creates rogue Word documents by injecting exploit code for various vulnerabilities affecting Microsoft Word 2003 through 2010.

The latest version of MWI is 4.0 and includes exploits ranging from ones dating back to 2010 up to ones identified in 2014, said researchers at FireEye. The list includes CVE-2010-3333, CVE-2012-0158, CVE-2013-3906 and CVE-2014-1761 (which has seen use in targeted attacks).

The sellers of the exploit kit have advertised it on underground forums since May 2013, but FireEye said a private version may have circulated before then. It sells for between $2,000 and $3,500, and only to buyers who will use it in targeted, APT-style attacks; use in spam campaigns is forbidden.

“In fact, one of the conditions of the sale of the MWI builder is that the license can be revoked if MWI is used in spam campaigns,” said FireEye researchers in a blog post.

MWISTAT records when a rigged Word document was opened and when the malware was downloaded. The victim's IP address and user-agent string are also available to the cybercriminals.

The tool does more than collect statistics: it also lets the operator change the malicious payload served to victims. Each executable receives an identification number, and the download link carrying that ID is then embedded in the documents, so the payload ID lets the operator track multiple campaigns.

All requests from the compromised computers are logged by the server, giving the attacker a clear view of the affected IP addresses and of the payloads requested and served.

Some connections are logged as suspicious; the malware author, an individual calling himself Objekt, explains these as being associated with unwanted activity, such as that from antivirus companies or researchers.

One version of MWISTAT also provided information about the version of MS Word used to open the document.
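To make the telemetry described above concrete, here is an added example (not code from FireEye or from MWI/MWISTAT itself) that reconstructs the same kind of per-campaign statistics an operator gets from the stats server: document opens, payload downloads, unique victims, the Word version taken from the user-agent, and hits classed as suspicious because they do not look like a victim. The log format, the URL paths (/open and /get), the id query parameter and the sample log lines are all assumptions constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import urlparse, parse_qs

# Constructed sample access log (Common Log Format with referer and user-agent).
# Assumed layout of the stats server: a document beacons to /open?id=<payload ID>
# when it is opened, then fetches the executable from /get?id=<payload ID>.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Dec/2014:08:01:12 +0000] "GET /open?id=7 HTTP/1.1" 200 12 "-" "Microsoft Office Word 2010 (14.0.7140)"
203.0.113.10 - - [12/Dec/2014:08:01:15 +0000] "GET /get?id=7 HTTP/1.1" 200 88064 "-" "Microsoft-CryptoAPI/6.1"
198.51.100.7 - - [12/Dec/2014:09:30:02 +0000] "GET /open?id=7 HTTP/1.1" 200 12 "-" "Microsoft Office Word 2007 (12.0.6612)"
192.0.2.44 - - [13/Dec/2014:10:00:00 +0000] "GET /open?id=12 HTTP/1.1" 200 12 "-" "Microsoft Office Word 2003 (11.0.8169)"
192.0.2.44 - - [13/Dec/2014:10:00:03 +0000] "GET /get?id=12 HTTP/1.1" 200 90112 "-" "Microsoft-CryptoAPI/6.1"
198.51.100.200 - - [14/Dec/2014:11:11:11 +0000] "GET /get?id=7 HTTP/1.1" 200 88064 "-" "python-requests/2.5.0"
198.51.100.201 - - [14/Dec/2014:11:12:00 +0000] "GET /get?id=12 HTTP/1.1" 200 90112 "-" "curl/7.38.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Clients an operator expects from a real victim (assumed strings): Word itself
# for the open beacon, the Windows download stack for the payload fetch.
EXPECTED_UA = re.compile(r"Microsoft Office Word|Microsoft-CryptoAPI")
WORD_VERSION = re.compile(r"Microsoft Office Word (\d{4})")


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    url = urlparse(rec["url"])
    rec["path"] = url.path
    rec["payload_id"] = parse_qs(url.query).get("id", [None])[0]
    return rec


def analyze(log_text):
    """Return per-payload-ID statistics: opens, downloads, unique victims,
    Word versions seen, hits classed as suspicious, and open-to-download rate."""
    events = [r for r in map(parse_line, log_text.splitlines()) if r and r["payload_id"]]
    opened_ips = set()
    stats = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        kind = {"/open": "open", "/get": "download"}.get(ev["path"])
        if kind is None:
            continue
        s = stats.setdefault(ev["payload_id"], {
            "opens": 0, "downloads": 0, "suspicious": 0,
            "victims": set(), "word_versions": Counter(),
        })
        # Two cheap tells that a hit is a researcher or AV crawler rather than a
        # victim: an unexpected client, or a payload fetch from an IP that never
        # sent the open beacon (someone pulled the link out of the document).
        suspicious = (not EXPECTED_UA.search(ev["ua"])
                      or (kind == "download" and ev["ip"] not in opened_ips))
        if suspicious:
            s["suspicious"] += 1
            continue
        if kind == "open":
            opened_ips.add(ev["ip"])
            v = WORD_VERSION.search(ev["ua"])
            if v:
                s["word_versions"][v.group(1)] += 1
        s[kind + "s"] += 1
        s["victims"].add(ev["ip"])
    # Finalise: counts instead of sets, plus the open-to-download conversion rate.
    for s in stats.values():
        s["victims"] = len(s["victims"])
        s["word_versions"] = dict(s["word_versions"])
        s["conversion"] = s["downloads"] / s["opens"] if s["opens"] else 0.0
    return stats


if __name__ == "__main__":
    for pid, s in analyze(SAMPLE_LOG).items():
        print(f"payload {pid}: {s}")
```

The same two-stage pattern is what a defender can hunt for in proxy logs from the other side: a tiny request issued by an Office process, followed seconds later by an executable-sized download to the same host. The gap between opens and downloads in the example mirrors the open-to-download ratios FireEye reported from the real campaign logs.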

According to the researchers, MWI has nonetheless seen use in spam campaigns, despite the restriction imposed by the seller. One operation lured potential victims with promises of holiday-shopping discounts, while another baited them with messages about shipping information.

In the first MWISTAT campaign FireEye examined, the command and control (C&C) server recorded that 809 users from 43 countries had opened the malicious file, but only 144 downloaded the payload. Most of the victims were in Canada (41 percent), followed by Australia (31 percent) and the U.S. (13 percent).

In the second operation, the logs covered the period between December 12, 2014 and January 6, 2015 and showed that 597 users opened the Word files and 180 of them infected their systems. Most of the victims were from Vietnam (18 percent), the U.S. (12 percent) and China (9 percent).

“A wide variety of cybercriminals, even those with minimal technical capability, now have access to document exploits through the purchase of Document Exploit Kits such as ‘Microsoft Word Intruder’. Much like Browser Exploit Kits, these tools allow operators to track a variety of campaigns and information about their victims in order to improve their effectiveness,” FireEye said.
