According to researchers at Intel 471, a new malicious document (maldoc) builder called EtterSilent has been heavily advertised on criminal forums since mid-2020. Top malware cybercriminals have begun using EtterSilent in some of their campaigns. Ads for EtterSilent on criminal forums touted the builder’s capabilities, such as bypassing Windows Defender, Windows AMSI (Antimalware Scan Interface), and slipping past the filtering systems of popular email services, including Gmail. The seller has been offering weaponized documents for Microsoft office 2007-2019 in two types, an exploit for a known vulnerability or one with malicious macros. The malicious document with macros has been more popular and can pose as a Docusign or DigiCert document that asks users to enable macros, then downloads a payload in the background. The developer behind EtterSilent continues to move their advertisement around making it harder to track and because of its low detection rate, it has become popular with versions of Trickbot and the groups behind the BazarLoader and BazarBackdoor malware. Other banking trojans and ransomware groups have also begun using EtterSilent.
Analyst Notes
As with many malicious campaigns, threat actors using EtterSilent are relying on their victims to open the malicious documents that are sent to them. EtterSilent is being sold for a relatively low price, making it popular amongst threat actors. Best security practices, such as enabling Microsoft’s Attack Surface Reduction (ASR) rules that prevent Office documents from being able to launch external programs should be in place to prevent threat actors from being able to infect a company with these documents. EtterSilent has a very low detection rating according to Virus Total, which makes it hard for these documents to be found before they make it through email filtering. The first thing a company can do is make sure all its systems are patched and up to date. This will prevent the vulnerability part of EtterSilent from being useful to threat actors. The next thing companies should do is see if their organization can function without the use of macros on their Word documents and set them to “disabled” by default. Proper security training for employees is important because if they are disabled by default, users can still turn them on. Binary Defense recommends having monitoring in place such as their Managed Detection and Response (MDR) that can look out for and detect when suspicious behavior occurs on endpoints and take immediate action to quickly stop the attack.
More can be read here: https://www.bleepingcomputer.com/news/security/ettersilent-maldoc-builder-used-by-top-cybercriminal-gangs/
