A new Microsoft Office document exploit builder kit, called ThreadKit, is being used by attackers to distribute a variety of malicious payloads, including banking Trojans and backdoors.
Researchers discovered the kit being advertised on a forum. The forum post states that it can be used to create documents with embedded executables and embedded decoy documents.
Documents built with this kit have already been observed in the wild. They perform an initial check-in to the command and control (C&C) server, a tactic also used by MWI (Microsoft Word Intruder).
These documents exploit CVE-2017-0199, the OLE2Link flaw that lets a document fetch and execute a remote HTA file, and are focused on downloading and running that HTA, which in turn downloads a decoy document and a malicious VB script that extracts and runs the embedded executable. The payload delivered in the observed campaigns is Smoke Loader, which is then used to download banking malware. ThreadKit can also build documents that use CVE-2017-8759 and CVE-2017-11882, and its newest update added exploits for further vulnerabilities, among them an Adobe Flash zero-day (CVE-2018-4878) and several newer Microsoft Office vulnerabilities, including CVE-2018-0802 (like CVE-2017-11882, a flaw in the Equation Editor component) and CVE-2017-8570.
It is striking how fast things move nowadays: a powerful tool like this can receive updates every month in order to stay one step ahead of almost any security solution.
Endpoints can be protected from these weaponized documents by installing a reputable security solution such as an antivirus and, above all, by applying the Office and Flash patches for the vulnerabilities the kit exploits, since every CVE listed above has a vendor fix.
Depending on which operating system your device runs, install an antivirus for Windows or an antivirus for Mac. Companies should also run additional tests, such as penetration tests and ethical hacking engagements, on their network.
Another consequence of this new toolkit that we have noticed is a significant spike in email campaigns using ThreadKit-generated Office attachments. Many of these attachments embed multiple exploits that appear to be copied from proofs of concept available in public GitHub repositories.
During our malware analysis, we observed that these attachments drop the contained packager objects into the temp folder, after which the exploits execute the dropped scriptlet file.
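The two traits described above (the CVE-2017-0199 style external OLE link that fetches an HTA, and embedded OLE "Package" objects that get dropped to the temp folder) both leave visible marks inside the OOXML container, so they can be triaged without opening the file in Office. The scanner below is an added example written for this article; it is not ThreadKit's code, not the researchers' tooling, and not a complete detector. The two sample documents are constructed in memory (no real malware), the XML is parsed with regular expressions rather than a full XML parser as a deliberate simplification, and the `example.invalid` URL is a placeholder.

```python
import io
import re
import zipfile

# Relationship type Word uses for OLE objects. When such a relationship has
# TargetMode="External", the document links to a remote object: this is the
# CVE-2017-0199 OLE2Link pattern used to pull a hosted HTA file.
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
# Magic bytes of an OLE Compound File, the normal format of word/embeddings/*.bin.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Stream name carried by an OLE "Package" (packager) object; stored UTF-16LE in the CFB directory.
PACKAGER_STREAM = "Ole10Native".encode("utf-16-le")

REL_RE = re.compile(r"<Relationship\b[^>]*>", re.I)      # one <Relationship .../> element
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')                  # attribute="value" pairs
LINKED_OLE_RE = re.compile(r'<o:OLEObject\b[^>]*\bType="Link"', re.I)


def _build_docx(rels_extra="", document_extra="", embeddings=None):
    """Constructed fixture: a minimal OOXML zip with the given extra parts (not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr(
            "word/document.xml",
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
            'xmlns:o="urn:schemas-microsoft-com:office:office" '
            'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
            "<w:body><w:p>" + document_extra + "</w:p></w:body></w:document>",
        )
        z.writestr(
            "word/_rels/document.xml.rels",
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            + rels_extra + "</Relationships>",
        )
        for name, data in (embeddings or {}).items():
            z.writestr("word/embeddings/" + name, data)
    return buf.getvalue()


# Constructed sample 1: external OLE link to an HTA plus an embedded packager object.
MALICIOUS_SAMPLE = _build_docx(
    rels_extra='<Relationship Id="rId5" Type="' + OLE_REL + '" '
               'Target="http://example.invalid/payload.hta" TargetMode="External"/>',
    document_extra='<o:OLEObject Type="Link" ProgID="htmlfile" r:id="rId5" UpdateMode="Always"/>',
    embeddings={"oleObject1.bin": OLE_MAGIC + b"\x00" * 24 + PACKAGER_STREAM + b"\x00" * 32},
)
# Constructed sample 2: an ordinary document with only a styles relationship.
BENIGN_SAMPLE = _build_docx(
    rels_extra='<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
               'officeDocument/2006/relationships/styles" Target="styles.xml"/>',
    document_extra="<w:r><w:t>Quarterly report</w:t></w:r>",
)


def scan_docx(data: bytes) -> dict:
    """Return static indicators found in a .docx byte string."""
    findings = {"external_ole_links": [], "embedded_ole": [], "linked_oleobject_tags": 0}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        # 1. Any oleObject relationship whose target is external (remote HTA/RTF/etc.).
        for rels_name in (n for n in names if n.endswith(".rels")):
            xml = z.read(rels_name).decode("utf-8", "replace")
            for tag in REL_RE.findall(xml):
                attrs = dict(ATTR_RE.findall(tag))
                if attrs.get("Type") == OLE_REL and attrs.get("TargetMode", "").lower() == "external":
                    findings["external_ole_links"].append(attrs.get("Target", ""))
        # 2. Embedded OLE blobs: is it a CFB, and does it look like a Package (packager) object?
        for name in sorted(names):
            if name.startswith("word/embeddings/"):
                blob = z.read(name)
                findings["embedded_ole"].append(
                    (name, blob[:8] == OLE_MAGIC, PACKAGER_STREAM in blob)
                )
        # 3. Linked OLEObject tags in the body (the markup side of the OLE2Link pattern).
        if "word/document.xml" in names:
            doc = z.read("word/document.xml").decode("utf-8", "replace")
            findings["linked_oleobject_tags"] = len(LINKED_OLE_RE.findall(doc))
    return findings


def is_suspicious(findings: dict) -> bool:
    """Flag documents that link out to an OLE object or carry a packager object."""
    return bool(
        findings["external_ole_links"]
        or findings["linked_oleobject_tags"]
        or any(is_pkg for _, _, is_pkg in findings["embedded_ole"])
    )


if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        f = scan_docx(sample)
        print(label, "suspicious" if is_suspicious(f) else "clean", f)
```

To triage a real attachment, call `scan_docx(open(path, "rb").read())`. Note what this does not cover: RTF carriers (the other common wrapper for CVE-2017-0199), OLE objects targeting the Equation Editor (CVE-2017-11882 and CVE-2018-0802), and Flash content are stored differently and need their own checks, so a clean result here is not proof that a document is safe.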
We also found that not all ThreadKit documents contain a valid URL, and that not all documents follow the same execution chain: some scripts are modified to perform other actions, which suggests customization that may be offered as a service by the kit's author.
Document exploit builder kits like ThreadKit are dangerous because they allow low-skilled threat actors to take advantage of the latest vulnerabilities to distribute malware.
To mitigate the risk from ThreadKit and other document exploit-based attacks, install an antivirus for Windows or an antivirus for Mac, depending on which operating system your device runs, and keep Office and Flash patched so that the vulnerabilities listed above are closed.
If you are a company, hire a professional cybersecurity firm to run a range of security tests on your network before settling on a solution. Always opt for a package that includes at least a penetration test and ethical hacking tests.