Cybercrime groups are using a new malicious document builder known as EtterSilent as part of recent campaigns that have dropped a number of different malware strains, including TrickBot and Bazar loader.
The EtterSilent builder is one of a handful of utilities that aspiring cybercriminals can buy on underground forums to help them construct effective and authentic-looking malicious documents to use in phishing or ransomware campaigns. The builders can produce specific types of documents, such as Word or Excel documents, that contain malicious content, such as exploits or malicious macros. Attackers can then use the documents as lures in their campaigns without going through the effort of building the documents themselves.
In the case of EtterSilent, researchers have seen it used recently by several separate cybercrime groups to deliver fake DocuSign templates to victims. The builder can produce two different types of documents: one that contains an exploit for an old Office vulnerability, or one that uses a malicious macro. EtterSilent first emerged in the middle of last year, and while it has taken some time for it to gain momentum, it’s rolling now.
“There has been a steady rise recently and it has been persistent and is gaining notoriety now. It is quite cheap for a builder, at just a few dollars per build, and I think that combined with the fact that the authors spent considerable time on obfuscation is making it quite popular,” said Brandon Hoffman, CISO at Intel 471, which analyzed recent campaigns using EtterSilent.
Those campaigns have used different lures, but the DocuSign template can be an especially effective one, given that DocuSign is a very common tool in enterprise environments and many people are accustomed to seeing such notifications in their inboxes.
“The malicious document, when opened, shows a template that poses as DocuSign, the popular software that allows individuals and organizations to electronically sign documents. The maldoc then leverages Excel 4.0 macros stored in a hidden sheet, which allow an externally-hosted payload to be downloaded, written to disk and executed using regsvr32 or rundll32. From there, attackers can follow up and drop other assorted malware,” researchers from Intel 471 said in a post on the builder.
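The process chain described in that quote (an Office document executing an Excel 4.0 macro, a payload written to disk, then loaded through regsvr32 or rundll32) is also what a defender can hunt for in endpoint telemetry: Excel is not a normal parent for either binary, and a module path under a user-writable directory is the "written to disk and executed" step. The following Python is an added example, not code from Intel 471 or from the article. The Sysmon-style field names (ParentImage, Image, CommandLine) and every log line are constructed for the example.

```python
"""Hunt for Office -> regsvr32/rundll32 process chains in process-creation logs.

Added example. The event lines below are constructed to resemble flattened
Sysmon Event ID 1 (process creation) records; they are not real telemetry.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample events: three suspicious Excel children of varying
# severity and two benign records that should not be flagged.
SAMPLE_EVENTS = [
    r'EventID=1 ParentImage="C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" Image="C:\Windows\System32\regsvr32.exe" CommandLine="regsvr32 /s C:\Users\jdoe\AppData\Roaming\docusign\sign.dll"',
    r'EventID=1 ParentImage="C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" Image="C:\Windows\SysWOW64\rundll32.exe" CommandLine="rundll32 C:\ProgramData\upd.dll,DllRegisterServer"',
    r'EventID=1 ParentImage="C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" Image="C:\Windows\System32\rundll32.exe" CommandLine="rundll32 C:\Windows\System32\shell32.dll,Control_RunDLL"',
    r'EventID=1 ParentImage="C:\Windows\explorer.exe" Image="C:\Windows\System32\rundll32.exe" CommandLine="rundll32 shell32.dll,Control_RunDLL"',
    r'EventID=1 ParentImage="C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" Image="C:\Windows\splwow64.exe" CommandLine="splwow64 12288"',
]

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
LOLBIN_CHILDREN = {"regsvr32.exe", "rundll32.exe"}

# Directories an unprivileged user can write to. A DLL loaded from one of
# these by an Office child process matches the "downloaded, written to disk
# and executed" step the Intel 471 quote describes.
USER_WRITABLE = re.compile(r"\\(users|programdata|temp|appdata)\\", re.IGNORECASE)

# key="quoted value" or key=bareword
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Flatten a key=value event line into a dict (quoted values may contain spaces)."""
    return {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(line)}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


@dataclass
class Finding:
    severity: str
    parent: str
    child: str
    command_line: str


def evaluate(event: Dict[str, str]) -> Optional[Finding]:
    """Flag an Office process spawning regsvr32/rundll32.

    Severity is 'high' when the command line references a user-writable
    location, 'medium' when the parent/child pair alone is the anomaly.
    """
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent not in OFFICE_PARENTS or child not in LOLBIN_CHILDREN:
        return None
    cmd = event.get("CommandLine", "")
    severity = "high" if USER_WRITABLE.search(cmd) else "medium"
    return Finding(severity, parent, child, cmd)


def hunt(lines: List[str]) -> List[Finding]:
    """Run the rule over raw event lines and return the findings in order."""
    findings: List[Finding] = []
    for line in lines:
        finding = evaluate(parse_event(line))
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.severity.upper()}] {f.parent} -> {f.child}: {f.command_line}")
```

Against the constructed events the rule yields two high-severity findings (DLLs under AppData and ProgramData) and one medium-severity finding for Excel launching rundll32 against a system DLL, while explorer.exe launching rundll32 and Excel spawning the print helper splwow64.exe are left alone. The parent-child pair is the durable signal here; the path heuristic only ranks it, since a legitimate add-in deployment could trip the medium tier.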
The sale and use of builders is part of the larger cybercrime ecosystem, which has its own division of labor, specialized developers, initial access brokers, ransomware operators, and payment processors. Hoffman said EtterSilent fits neatly into that economy and is emblematic of the wide variety of tools available to cybercriminals and the ways in which they can be pieced together to deliver full campaigns.
“When you look at the extended kill chain, it’s interesting to see this builder dropping maldocs, which then lead to another loader, and then potentially to ransomware. It speaks to the variety of services people are consuming on the underground,” Hoffman said.
“There are entire marketplaces dedicated to just selling initial access, so even if you don’t have the skills to move laterally or take over Active Directory once you’re in, you can sell that access to someone else.”
Intel 471 intelligence analysts have seen EtterSilent used by several popular banking trojans, including BakBot, Qbot, and Gozi, and the backend infrastructure for these campaigns is being hosted by a well-known bulletproof hosting provider, Yalishanda. The builder has also been seen in campaigns involving BazarLoader, a piece of malware that’s closely associated with TrickBot.
“That relationship with Bazar is interesting, and there has been a rash of follow-ups that have dropped Ryuk,” Hoffman said.