Thanks to Gabor Szappanos of SophosLabs for the technical work
that forms the basis of this article.
Malware construction kits aren’t new.
Back in the early 1990s, for example, DOS-based tools such as VCL (Virus Creation Laboratory) and PS-MPC (Phalcon-Skism Mass Produced Code Generator) lowered the barrier of entry to virus “writing”.
In those early days, the main purpose of malware creation tools was to give non-techies entry into the virus writing counterculture.
Nowadays, the main purpose is business, plain and simple: to generate income by selling malware generation services in the underground cyberthreat marketplace.
The early malware generators produced executable files (programs), but today, you can buy generators to produce booby-trapped MS Office files.
A contemporary example is MWI, short for Microsoft Word Intruder, most likely developed somewhere in Russia.
Because MWI isn’t widely known or circulated, we had assumed until recently that many malware samples we now consider to have been generated with it had been produced by hand, using the old-fashioned but effective approach of copy-and-paste.
But following a recent article by FireEye, it became obvious that this “copy-and-paste” was, in fact, an automated process.
The kit was probably developed in Russia, where it has been advertised on the underground by an individual who goes by the handle Objekt.
MWI generates Rich Text Format (RTF) documents that are booby-trapped to exploit vulnerabilities in Microsoft Word.
In fact, the latest versions of MWI can deliver multiple vulnerabilities in the same document, stacked one after another.
Because we don’t have access to the MWI creation kit itself, we can’t be completely certain which samples in our malware collection really were created with it, but we can make some educated guesses.
Notably, as reported by FireEye, samples produced since December 2014 have included a special tracking feature called MWISTAT, which embeds a distinctive URL in the generated RTFs:
While these URLs help the crooks keep track of their malware campaigns, they also let us keep track of the malware samples involved.
Running a similarity analysis on our malware collection suggests that we already have about 160 MWI-created attack documents.
Droppers and downloaders
Malware delivered in booby-trapped Office files tends to fall into two categories:
- Droppers include one or more encoded malware programs (EXE files) as data that are unscrambled and written directly to disk during the infection process. This means that once you have received the booby-trapped file, in an email perhaps, you already have all components of the final malware available locally, so the infection can proceed even if you are offline.
- Downloaders contain a URL from which the final infectious malware payload is downloaded and installed. This means that you can’t predict exactly what malware the booby-trapped files might deliver, because the attackers can vary the download at will. But it does mean that if you can block the “callhome” URL, the original RTF attack file becomes effectively harmless.
We’ve seen MWI-created malware of both types, with slightly more droppers than downloaders.
Booby-trapped documents and spreadsheets usually carry some sort of decoy document along with their malicious code.
Because Office exploits often cause Word or Excel to crash or exit unexpectedly, opening an infected file often arouses suspicion, because the promised document never appears.
Decoys are secondary documents, often exact copies of perfectly legitimate files (such as articles and news items) ripped off from the internet, that are deliberately popped up by the original booby-trapped file as a cover-up for the unexpected termination of Word or Excel.
But none of the 160 MWI samples in our collection include a decoy document feature, which is surprising.
After all, it is somewhat suspicious that after opening a document received in email, Word crashes or exits and nothing visible happens.
Fortunately, quite a few of the MWI samples we analysed were buggy.
This is because recent versions of the creation kit try four different Office exploits in turn.
From oldest to newest, these are: CVE-2010-3333, CVE-2012-0158, CVE-2013-3906 and CVE-2014-1761.
If your computer is patched against CVE-2012-0158 and CVE-2013-3906, the exploit code used in the booby-trapped RTF file doesn’t trigger on those vulnerabilities, but falls through to the CVE-2014-1761 exploit code instead.
This fails about two-thirds of the time, due to the complicated structure of the juxtaposed exploits.
Of course, this doesn’t protect you from CVE-2014-1761 in general, so it doesn’t exonerate you from getting up to date with your Office patches – something that would protect you from all current MWI-generated samples, given the exploits that the MWI kit knows about so far.
We went back to a SophosLabs report on Advanced Persistent Threats (APTs) written at the beginning of 2014.
Interestingly, our “top attack” charts showed that a combination of CVE-2010-3333 and CVE-2012-0158 was the most prevalent attack vector:
And these attacks were predominantly used to distribute variants of the Zbot (also known as Zeus) malware:
Revisiting the samples from this period, it is now obvious that these dual-exploit samples were generated by MWI.
The Zbot/Zeus malware is commonly used for stealing online banking credentials and we’ve often seen it used to install ransomware like CryptoLocker.
As we said at the time:
Exploited documents, once used almost exclusively from players in the APT scene, are now used routinely in the sort of malware that is distributed widely by money-seeking cybercriminals.
Clearly, MWI has been an integral part of that money-motivated crimeware scene.