A new hacking tool for carrying out email attacks has been promoted by the threat actors on hacker forums since at least the middle of last year bypassing security passes on Defender, Security filters of famous email engines such as gmail.
Dubbed “EtterSilent” can create two types of fake Microsoft Office documents – with an exploit or a malicious macro.Among the exploits in the builder’s arsenal are CVE-2017-8570, CVE-2017-11882 and CVE-2018-0802, the use of which is pointless on Windows with the latest version of Microsoft Office.
The email attackers favour the malicious macro option mostly, as it is compatible with any version of Microsoft Office supported by EtterSilent (2007-2019).
Victims only needs to be convinced to activate the appropriate function; and such documents are still being distributed by the threat actors on behalf of DocuSign or DigiCert.It’s noteworthy that in this case, the Microsoft Excel 4.0 XML macro is used, and not VBA, while in most other analogues, the secondary option is used most of the time by the threat actors.
Signs of using EtterSilent are seen in emails aimed at distributing Trickbot, BazarLoader, as well as banking Trojans like IcedID/BokBot, QakBot/QBot and Ursnif, Rovnix, Gozi, and Papras.
Builders of malicious Microsoft Office documents that make it easier for cybercriminals have been created before.The threat actors use these types of mediums like EtterSilent. There are many threat actors in the wild, and each of them are just perfect players in their respective area.