Researchers at Proofpoint have uncovered a sophisticated tool commonly used by malicious actors to build weaponized documents for phishing campaigns.

Dubbed LCG Kit, the service has helped small crime groups create docs capable of spreading a variety of remote access trojans and information stealers, such as Loki Bot, FormBook, Agent Tesla, Remcos, AZORult, REvcode RAT and Quasar RAT.

Discovered in March of this year, LCG Kit is unique, Proofpoint explains in a Dec. 13 blog post, because its code “is highly obfuscated using polymorphic shellcode and a Linear Congruential Generator (LCG) – an algorithm to generate a sequence of pseudorandom numbers – to encrypt the final stage of the code, including the payload locations.”

Over the last year, LCG Kit has evolved, adding exploits for the Microsoft’s Equation Editor and Windows VBScript engine, and adding malicious macro functionality for Microsoft Word documents.

Proofpoint says LCG Kit can produce documents in a number of formats, including RTF, Word, Excel and PDF.

“Exploit document builders like LCG Kit… make it easy for threat actors to create malicious documents for use in email campaigns,” the Proofpoint blog post states. “Because LCG Kit supports both exploits and macros, operators have a number of options for ensuring delivery of their malware payloads, whether transparently as soon as victims open the document on a vulnerable PC or via social engineering to enable macros.”