According to researchers at Intel 471, a new malicious document (maldoc) builder called EtterSilent has been heavily advertised on criminal forums since mid-2020. Top malware operators have begun using EtterSilent in some of their campaigns. Ads for EtterSilent on criminal forums touted the builder's capabilities, such as bypassing Windows Defender and Windows AMSI (Antimalware Scan Interface) and slipping past the filtering systems of popular email services, including Gmail. The seller has been offering weaponized documents for Microsoft Office 2007-2019 in two types: one that exploits a known vulnerability and one that carries malicious macros. The macro-based document has been the more popular of the two. It can pose as a DocuSign or DigiCert document that asks the user to enable macros, then downloads a payload in the background. The developer behind EtterSilent continues to move their advertisement around, making it harder to track. Because of its low detection rate, the builder has become popular with versions of Trickbot and the groups behind the BazarLoader and BazarBackdoor malware. Other banking trojans and ransomware groups have also begun using EtterSilent.