Malware Author Stamped Code 'For Targeted Attacks Only'

When the Microsoft Word Intruder Office malware creation kit got too high-profile, the developer changed terms of service, Sophos report says.

Sara Peters, Senior Editor

September 2, 2015

2 Min Read
Dark Reading logo in a gray background | Dark Reading

The author and operator of the "most influential Office malware creation kit today," according to researchers at SophosLabs, has decided to market his wares only to targeted attackers, rather than spammers or others launching broad campaigns. Russian developer "Objekt" has even written it into the terms of service for his Microsoft Word Intruder (MWI) -- an Office malware creation kit used by at least a dozen different cybercrime groups to deliver payloads via malicious documents, often attached to emails.

MWI generates rich text documents that can exploit a variety of vulnerabilities in Word. It delivers payloads through either a dropper -- which embeds executables directly -- or a downloader -- which uses shellcode to download the payload. It uses a polymorphic decryptor and has a module called MWISTAT that keeps track of attack campaigns and infection rates.

Objekt wasn't always choosy about the kinds of attacks MWI was used for. MWI first appeared in May 2013, and Sophos now believes MWI was in wide use by early 2014, when Sophos released a report stating that financially motivated cybercriminals had begun to routinely use malicious documents to deliver malware, a tactic previously popular only with nation-state actors. "Interestingly," states the report, "MWI’s dominance had faded away by the end of 2014, apparently by design."

As security teams' efforts to thwart MWI increased, Objekt's efforts to evade them necessarily increased, until he'd had enough and simply changed his terms and conditions to make sure that his customers only used MWI for small attacks that might more likely go undetected. As the report quotes:

1. Exploit DESIGNED EXCLUSIVELY FOR POINT (“Targeted”, “TARGET”) attacks. INDICATIVE PRICE FOR BUILDER: 140$

2. Exploit THIS DOES NOT QUALIFY FOR SPAM AND MASSIVE ATTACK! FOR THIS WE HAVE A SEPARATE DECISION.

The change did not keep MWI out of the spotlight altogether, though. In April, it was used in the elegant attack that used CareerBuilder as an innocent middle-man. Attackers browsed job listings on CareerBuilder, submitted "resumes" that were actually malicious documents infected with MWI droppers or downloaders. CareerBuilder would then send a notification email to the employer with that malicious document attached, and were highly likely to open it because it was coming from a source they trusted and contained content they had asked to receive.

Sophos found MWI distributing payloads from over 40 different malware families, including info-stealers, banking Trojans, and remote access Trojans. The most common were Zeus/Zbot (25%) and Carberp (18%), a Trojan backdoor that was popular with Carbanak, the infamous billion-dollllar international cybercrime ring.  

About the Author

Sara Peters

Senior Editor

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad of other topics. She authored the 2009 CSI Computer Crime and Security Survey and founded the CSI Working Group on Web Security Research Law -- a collaborative project that investigated the dichotomy between laws regulating software vulnerability disclosure and those regulating Web vulnerability disclosure.


Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights