Threat Management, Malware, Ransomware

Hackers rush to new doc builder that uses Macro-exploit, posing as DocuSign

DocuSign Headquarters. (Coolcaesar is licensed under CC BY-SA 4.0)

Researchers at Intel471 have identified a new malicious document builder that has gone from a new, relatively unknown exploit to being incorporated into the attack chains of top cybercriminal groups in less than a year.

The builder, dubbed EtterSilent, comes in two flavors: one version exploits an old remote code execution vulnerability in Microsoft Office and another uses a Macro-based exploit and is designed to look like DocuSign, a popular software program that allows individuals or businesses to electronically sign documents.

Researchers at Intel471 first observed the builder being advertised on Russian online cybercriminal forums in June 2020. Starting in January of 2021 and throughout the year, the company has seen it used in Trickbot and BazarLoader campaigns as well as banking trojans like BokBok, Gozi ISFB and QBot.

Brandon Hoffman, Intel471’s chief information security officer, told SC Media that EtterSilent’s journey from a new product to its injection into the hacking mainstream is indicative of the way cybercriminal groups like to take their time to workshop and test a new tool in order to find the right technical tweaks and price point before they become more widely adopted. Since coming onto the market, EtterSilent has been constantly updated to avoid detection.

“As it is with all of these cybercrime service providers, it takes a little while for people to try it, they vet it out, see that it works, sometimes you make adjustments and then depending on how it’s priced and how it works and how well its detected by defense technology, it starts to gain popularity if observations are low and the price is right,” said Hoffman.

The macro version of EtterSilent has become the more popular of the two choices, and Hoffman said two factors may be driving cybercriminal groups towards this version. First: at an initial cost of around $9, it’s a surprisingly cheap deal for a unique build on a Macro-based exploit. The second reason is that the malware authors spent an unusual amount of time building in sophisticated obfuscation techniques.

“If you cross check it against things like VirusTotal, there’s not a lot of observations because the obfuscation tactic is so well implemented and they seem to be keeping it up” with regular updates, Hoffman said. “When you combine the price with the obfuscation tactic, there’s a better chance that they’ll have a successful initial attack vector.”

It’s use in Trickbot and BazarLoader campaigns puts EtterSilent at the front end of attack chains for two of the most popular ransomware precursors in the world. Hoffman said Intel471 doesn’t deploy endpoint detection technologies and can’t confirm that EtterSilent is being used in ongoing ransomware attacks, but noted it could be easily inserted into the known attack chains of many ransomware groups.

“We’ve seen attacks where Ryuk [ransomware] and Bazar have been linked, and now Bazar is being linked to EtterSilent, so it’s a strong hypothesis that if it hasn’t happened, somebody is going to go down that path,” said Hoffman.

Additional technical information on EtterSilent, including indicators of compromise, can be found on Intel471’s website.

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.