
Microsoft Word Intruder, the tool that creates document-based malware


In the modern era of cyber security, the use of malware has become a highly profitable business. This captures the interest of crooks who are willing to make quick cash off unsuspecting victims. Microsoft Word Intruder (MWI) is a new tool that allows even inexperienced crooks to produce advanced malware. As stated by nakedsecurity, the malicious tool generates “booby-trapped” MS Office files. The malware-creating application was probably developed in Russia with the obvious intention of making money by selling it to novice hackers.

The malware creation tool that can drop or download a payload and then infect

MWI was advertised in the underground by an individual who goes by the handle Objekt. The malicious tool creates infected Rich Text Format (RTF) documents that exploit multiple vulnerabilities in MS Word to infect the victim’s computer.

The malware created by MWI can be of two types:

- Droppers, which carry the malicious payload inside the generated document itself.
- Downloaders, which fetch the payload from a remote location once the exploit has run.

Droppers are more common, but both infection mechanisms are widely used.

MWI malware can be tracked by attackers and used to steal financial information

Since December 2014, MWI has also offered a tracking feature known as MWISTAT, which writes a distinct URL into each generated RTF file. This allows cyber criminals to keep track of their malware campaigns and the samples involved in them.

To avoid arousing user suspicion, the MWI malware also comes with a legitimate-looking decoy document which hides the abnormal behavior (Word crashing or quitting) that occurs immediately after the file is loaded. Recent versions of this kit attempt to exploit four different vulnerabilities, namely CVE-2010-3333, CVE-2012-0158, CVE-2013-3906 and CVE-2014-1761, with the 2010 and 2012 vulnerabilities being the most prevalent attack vectors. It was also found that variants of the Zbot or Zeus malware were the payloads predominantly delivered. This malware family is often used to steal important financial information and login credentials, sometimes alongside ransomware such as CryptoLocker.
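The two paragraphs above describe features a defender can look for when triaging RTF attachments: an embedded tracking URL (MWISTAT), embedded OLE objects, and the RTF control words associated with the exploits the kit uses. The script below is an added example written for this article; it is not Emsisoft's code and has nothing to do with the MWI kit itself. It scans a constructed, harmless RTF-like sample for these features. The `pFragments` shape property is the RTF construct associated with CVE-2010-3333, and the `\listoverridecount` check (flagging any value other than 0, 1 or 9) is a heuristic taken from published detection rules for CVE-2014-1761; both sample documents and the URL in them are constructed for the example.

```python
import re

# Constructed sample that deliberately contains every feature the heuristics
# look for. It is not a real malicious document and contains no exploit code.
SUSPICIOUS_RTF = rb"""{\rtf1\ansi\deff0
{\fonttbl{\f0 Times New Roman;}}
\listoverridecount25
{\object\objemb{\*\objclass Word.Document.8}{\*\objdata 0105000002000000}}
{\sp{\sn pFragments}{\sv 1;4;0000000000000000}}
Tracking: http://example.invalid/track/sample-001
\par }
"""

# Constructed benign sample for comparison.
BENIGN_RTF = rb"{\rtf1\ansi\deff0{\fonttbl{\f0 Arial;}}\listoverridecount0 Hello\par}"

# An RTF control word is a backslash, letters, and an optional signed number.
CONTROL_WORD = re.compile(rb"\\([a-zA-Z]+)(-?\d+)?")
# Very loose URL matcher; good enough to surface a tracking beacon in triage.
URL = re.compile(rb"https?://[^\s\"'}{<>]+")


def control_word_counts(data):
    """Count every RTF control word in the document (by name, ignoring params)."""
    counts = {}
    for m in CONTROL_WORD.finditer(data):
        name = m.group(1).decode()
        counts[name] = counts.get(name, 0) + 1
    return counts


def find_urls(data):
    """Return all http(s) URLs embedded anywhere in the raw file."""
    return [u.decode(errors="replace") for u in URL.findall(data)]


def listoverridecount_values(data):
    """Return every numeric parameter given to \\listoverridecount."""
    return [int(v) for v in re.findall(rb"\\listoverridecount(-?\d+)", data)]


def triage(data):
    """Apply simple static heuristics and return findings plus any URLs seen."""
    findings = []
    if not data.startswith(b"{\\rtf"):
        findings.append("not-rtf-header")
    counts = control_word_counts(data)
    # Embedded OLE objects are how RTF carries ActiveX controls and payloads.
    if counts.get("object") or counts.get("objdata"):
        findings.append("embedded-ole-object")
    # pFragments shape property: the construct behind CVE-2010-3333.
    if b"pFragments" in data:
        findings.append("pFragments-present")
    # Heuristic: legitimate Word output uses 0, 1 or 9 here (assumption).
    if any(v not in (0, 1, 9) for v in listoverridecount_values(data)):
        findings.append("listoverridecount-out-of-range")
    urls = find_urls(data)
    if urls:
        findings.append("embedded-url")
    return {"findings": findings, "urls": urls}


if __name__ == "__main__":
    for label, doc in (("suspicious", SUSPICIOUS_RTF), ("benign", BENIGN_RTF)):
        print(label, triage(doc))
```

None of these checks proves a file is malicious on its own; they are cheap signals for deciding which attachments deserve a closer look in a sandbox or with a full RTF parser, and the embedded URL, if one is found, is what a campaign-tracking feature like MWISTAT would leave behind.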

It is clear that document-based malware is being spread widely, especially with the help of spam emails. Thus, a cautious approach towards attachments and up-to-date anti-malware protection are the key to keeping such rats out of your system.

Have a nice (malware-free) day!
