Out with the old, in with the… Old Phantom Crypter, which despite its name is actually a new Microsoft Office exploit builder that’s been surpassing its predecessors in popularity among the cybercriminal community.

Gabor Szappanos, principal malware researcher at SophosLabs, described the ascendance of Old Phantom yesterday in a company blog post, which links to a more detailed technical paper. According to the post, most users of the builder are based in Nigeria and Russia, while the majority of victims (based on Q3 statistics) are located in America and Western Europe.

Old Phantom Crypter first emerged roughly 11 months ago, originating as a PE cryptor before adding Microsoft Office exploit capabilities as a means to deliver the executable, Szappanos reports.

Over the past year, “The old, established, dominant ‘brands’ of maldoc builder tools (like Microsoft Word Intruder, Ancalog and AKBuilder) were abandoned,” says Szappanos in the blog post, “and these previously dominant builders have been completely wiped out of the ecosystem,” replaced by Old Phantom Crypter and several other newcomers.

A .NET executable, the builder “supports a wide selection of Microsoft Office exploits, from the archaic CVE-2010-3333 to the recent CVE-2017-11882 Equation Editor exploit,” the blog post states.

Sophos has observed Old Phantom Crypter available on the dark web for a $199 per month subscription. “Additionally, we can estimate the number of customers to be around 100,” Szappanos reports.