Microsoft Word Intruder, the tool that creates document based malware

37168717_sIn the modern era of cyber security, the use of malware has become a highly profitable business. This captures the interest of several crooks who are willing to make quick cash of unsuspecting victims. Microsoft Word Intruder (MWI) is a new tool that allows even inexperienced crooks to write advanced malware. As stated by nakedsecurity, the malicious tool generates “booby-trapped” MS Office files. The malware creating application was probably developed in Russia with the obvious intention of making money by selling it to novice hackers.

The malware creation tool that can drop or download and then infect

MWI was advertised in the underground by an individual who goes by the handle Objekt. The malicious tool creates infected Rich Text Format (RTF) documents that exploit multiple vulnerabilities in MS Word to infect the victim’s computer.

The malware created by MWI can be of two types:

  • Droppers – In this case, the malicious payload used by the infecting application is present locally. This means the infection process can take place offline as all the required components come in one package (the main malware component is extracted or dropped after execution).
  • Downloaders – These only come with the URL of the malicious payload meaning that the infection process requires downloading additional stuff from the internet. Although this may seem like a more difficult infection process, it also means that a new and more dangerous malware can be downloaded whenever the threat is executed.

Droppers are more common but both these infections mechanisms are widely used.

MWI malware can be tracked by attackers and used to steal financial information

Since December 2014, MWI has also developed a special tracking feature known as MWISTAT which writes a distinct URL to the generated RTF files. This allows cyber criminals to keep track of their malware campaigns and the samples involved.

To avoid general user suspicion, The MWI malware also comes with a legitimate looking decoy document which hides the abnormal behavior (Word crashing or quitting) immediately after loading a file. The recent versions of this kit attempt to exploit four different vulnerabilities namely, CVE-2010-3333, CVE-2012-0158, CVE-2013-3906 and CVE-2014-1761 with the 2010 and 2012 vulnerabilities being the most prevalent attack vector. It was also found that variants of Zbot or Zeus malware were the ones being predominantly used. This malware family is often used to steal important financial information and login credentials, sometimes with the use or ransomware like CryptoLocker.

It is clear that document based malware is being spread widely, especially with the help of spam emails. Thus a cautious approach towards attachments and up to date anti-malware protection is the key to keeping such rats out of your system.

Have a nice (malware-free) day!