A tool called EtterSilent is becoming popular with cyber criminals in the northern hemisphere: it creates contaminated documents (maldoc builder) and has the possibility to add the Docusign layout as a cover to make victims click on the buttons and thus install malware.
EtterSilent appeared in mid-2020 on cybercriminal forums that converse in Russian. Yesterday, researchers from the threat intelligence company Intel 471 published a post stating that vendors of the tool are now offering a version that generates two types of contaminated Microsoft Office documents: the first with an exploit for an already known vulnerability and the other with an malicious macro.
EtterSilent maldoc with macro code is what can behave like a DocuSign or DigiCert document, according to Intel 471, asking users to enable support for macros and therefore download the payload in the background. It is using Excel 4.0 XML macros and therefore does not depend on the Visual Basic for Applications (VBA) programming language. In promotions in clandestine forums EtterSilent is presented as being able to bypass Windows Defender, Windows AMSI (Antimalware Scan Interface) and scan popular email services like Gmail.
The tool is being used in many malware campaigns: it appeared in a recent spam campaign bringing an updated version of Trickbot. In that campaign, the document was attached to an email disguised as an invoice from a well-known multinational appliance manufacturer.
On March 19, 2021, EtterSilent appeared in a loader Bazar campaign: the analyzed maldoc did not use a DocuSign model, but the main Excel spreadsheet was called “DocuSign”. The maldoc downloads the Bazaar payload, which in turn connects to an address from where the Bazar’s backdoor is located.
With international news agencies
See the original post at: https://www.cisoadvisor.com.br/documentos-contaminados-sao-disfarcados-com-layout-da-docusign/?rand=59039
