Microsoft Word Intruder Revealed – inside a malware construction kit

Start thinking back, and bring to mind the big “Malware In The Media” stories of the last few years.

What did you come up with?

We let our minds go to town.


In particular, our first thoughts were of two rather different sorts of cyberattack, committed by two very different sorts of operator:

  • Malware that aims far and wide in order to make as much money for the crooks as quickly as possible. All publicity welcome, especially if it convinces people that paying up actually works. Example: CryptoLocker.
  • Malware targeted for a very specific purpose, such as industrial or political espionage. Publicity unwelcome, because the aim is to lie hidden until the bullseye is hit. Example: Stuxnet.

There are certainly plenty of defensive lessons to learn from each of these examples.

But there’s a fascinating middle ground, where cybercrooks from the first group are quietly adopting the more subtle approach of the so-called Advanced Persistent Threatsters of the second group.

And SophosLabs researcher Gabor Szappanos has just published a paper looking into this phenomenon.

Szappi, as we usually refer to him here, is popular with Naked Security readers with good reason: his papers are always both interesting and informative, worthwhile not only for lay readers but also for the more technical audience.

The paper is entitled Microsoft Word Intruder Revealed, and it digs into a rather special facet of cybercrime: the malware construction kit.

As the name suggests, Microsoft Word Intruder (MWI) focuses on sneaking malware onto your computer using booby-trapped Word files, rather than by using treacherous web links you have to click, or by embedding malicious Flash objects into poisoned online ads.

As Szappi explains in the paper, the creator of MWI is effectively offering an exploits-as-you-need-them malware creation service that “deskills” the Remote Code Execution (RCE) part of malware distribution.

You no longer need to know how to exploit Word yourself.

For a modest fee, you can have your malware packaged into personalised booby-trapped documents that you can email out to prospective victims.

However, there are terms and conditions!

Objekt, the Russian operator of MWI, requires his customers to tread softly.

You can deliver any sort of malware you like, but you have to agree not to do massive spam runs or to draw unnecessary attention to yourself.

In short, to buy into MWI you need to take the more subtle approach of the targeted attacker, even if your goal is to make money from anyone and everyone rather than to breach one specific target.

Has this fusion approach worked?

Szappi’s detailed research suggests that it has.

He found that MWI’s niche market has helped dozens of cybercrime groups to deliver many hundreds of different malware samples from numerous different malware families covering most major malware types.

Banking Trojans, bots, remote access tools: MWI has packaged and delivered them all, without drawing much attention to itself.

As Szappi concludes:

Even though the Microsoft Word Intruder kit is advertised for targeted attacks, which are usually associated with nation-state intrusions or other focused surveillance operations, it seems that its primary users are money-making cybercriminals aiming for smaller, less obvious, malware campaigns.

It seems that some cybergangs are learning that less really can be more.

Microsoft Word Intruder Revealed is not just a fascinating and well-organised paper, it also gives you some solid advice on real-world precautions you can take.

A well-recommended read.

NB. Sophos products detect and block MWI-generated documents under a variety of names, depending on which exploits are packaged into the file. If you want to review your email or endpoint logs, look for one or more of: Troj/DocDrop-DM, Exp/20120158-A, Exp/20141761-A and Troj/20141761-C.

Image of intruder courtesy of Shutterstock.