RSA 2017: Microsoft Word Intruders step outside Office for the first time

This is the last instalment of a four-part series about SophosLabs’ 2017 malware forecast, released this week at RSA Conference in San Francisco. Part 1 looked at malware targeting Linux and Internet-of-things (IoT) devices. Part 2 examined malware targeting Android. Part 3 was about malware designed for macOS. Today we look at Windows-based threats. Special thanks to SophosLabs researchers Gábor Szappanos, Michael Wood and Richard Cohen for contributing the research for this part.

Though much of this report has focused on malware directed at platforms where the risks are often not as well understood – specifically Linux, MacOS and Android devices – there’s no doubt that Windows remains the largest battlefield for attackers.

SophosLabs has paid particular attention of late to Microsoft Word Intruder (MWI), one of the best known Office exploit builders and certainly one of the most popular in cybercrime groups.

Based on what SophosLabs saw in 2016, MWI is undergoing continuous tweaks to expand the target range.

Beyond the Office

The author of this kit keeps updating the product. The most frequent updates are geared toward avoiding AV detections, but from time to time new exploits are added to the kit. Having new exploits increases the chance of successfully infecting targets. The newer the exploit, the greater the chance that the vulnerability has not been fixed yet.

Traditionally, MWI has used popular Microsoft Office exploits to get at its victims.

But the latest update, released some time around the beginning of August, adds a new twist: for the first time in the history of MWI, a non-Office exploit was added.

Specifically, the exploit targeted vulnerabilities in Adobe Flash Player outlined in CVE-2016- 4117. This exploit was also added to major exploit kits such as Angler, Neutrino and Magnitude in May 2016. In one scenario, a vulnerable Flash object was embedded into the Rich Text Format document. An external layer would decrypt the internal layer (it is stored in the DefineBinaryData internal storage), then load it.

This method was used by the once popular Angler Exploit Kit and it’s reasonable to assume that the author of MWI took the idea from there.


We identified a handful of documents generated with the new version of MWI. Most of them dropped Swrort, a simple backdoor that makes it possible to download and execute external programs, or execute commands and Powershell scripts.

The other malware in some of the delivered payloads was Latentbot, a highly encrypted bot. For the Latentbot infections, there were only a few infected endpoints, mostly in the USA, UK and China, as the map below shows:


SophosLabs will continue to watch for additional mutations of MWIs. Now that its toolbox has expanded beyond Office, 2017 could prove interesting.