{ "Event": { "analysis": "0", "date": "2016-11-07", "extends_uuid": "", "info": "OSINT - Microsoft Word Intruder 8 Adds Support for Flash Vulnerability CVE-2016-4117", "publish_timestamp": "1479193466", "published": true, "threat_level_id": "3", "timestamp": "1479193333", "uuid": "582ab1cc-31a4-48f2-a0a1-4966950d210f", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#ffffff", "local": "0", "name": "tlp:white", "relationship_type": "" }, { "colour": "#360044", "local": "0", "name": "ms-caro-malware:malware-type=\"Exploit\"", "relationship_type": "" }, { "colour": "#3ab400", "local": "0", "name": "enisa:nefarious-activity-abuse=\"exploits-exploit-kits\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1479193054", "to_ids": false, "type": "comment", "uuid": "582ab1de-24d4-49bc-b75e-4aee950d210f", "value": "Microsoft Word Intruder (MWI) is a kit designed for building malicious Microsoft Word documents for use in targeted attacks. The most recent iteration of MWI - Version 8 - supports a wide variety of vulnerabilities that actors can exploit via crafted Microsoft Word documents. Available on underground markets since 2013, we first identified MWI in March 2015 [1]. FireEye [2] and Sophos [3] provided additional documentation of the kit later that year.\r\n\r\nIn the mid-July 2016, an advertisement for MWI on an underground site stated that this exploit document builder integrated CVE-2016-4117 (Adobe Flash Player up to 21.0.0.213). At the end of August, MWI incremented to version 8, with the message \u00e2\u20ac\u0153MICROSOFT WORD INTRUDER 8 (MWI8): CVE-2016-4117 + CVE-2015-2545 + CVE-2015-1641 + CVE-2012-0158\u00e2\u20ac\u009d in an advertisement for the new version (see Appendix).\r\n\r\nWe were able to observe this updated version in the wild dropping various payloads; for example, we saw it dropping RTM Banker on October 21. In this case, the document \u00e2\u20ac\u0153business project laveco price.doc.rtf\u00e2\u20ac\u009d was delivered via email and targeted at retail, financial, and manufacturing verticals." }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1479193068", "to_ids": false, "type": "link", "uuid": "582ab1ec-2cac-44d1-a284-4fa9950d210f", "value": "https://www.proofpoint.com/us/threat-insight/post/microsoft-word-intruder-8-adds-support-for-flash-vulnerability" }, { "category": "Payload delivery", "comment": "MWI8 document \u00e2\u20ac\u0153business project laveco price.doc.rtf\u00e2\u20ac\u009ddropping RTM Banker", "deleted": false, "disable_correlation": false, "timestamp": "1479193108", "to_ids": true, "type": "sha256", "uuid": "582ab214-96fc-4872-a0d4-4571950d210f", "value": "a02b009929079af6b3ebe26305765aa469c41f703b3836b170ee16bc6b43223c" }, { "category": "Payload delivery", "comment": "MWI8 document \u00e2\u20ac\u0153\u00d0\u02dc\u00d0\u00b7\u00d0\u00bc\u00d0\u00b5\u00d0\u00bd\u00d0\u00b5\u00d0\u00bd\u00d0\u00b8\u00d1\u008f \u00d1\u0192\u00d1\u0081\u00d0\u00bb\u00d0\u00be\u00d0\u00b2\u00d0\u00b8\u00d0\u00b9 \u00d0\u00b2\u00d0\u00b7\u00d0\u00b0\u00d0\u00b8\u00d0\u00bc\u00d0\u00be\u00d0\u00b4\u00d0\u00b5\u00d0\u00b9\u00d1\u0081\u00d1\u201a\u00d0\u00b2\u00d0\u00b8\u00d1\u008f.doc\u00e2\u20ac\u009d dropping a TeamViewer-based RAT", "deleted": false, "disable_correlation": false, "timestamp": "1479193109", "to_ids": true, "type": "sha256", "uuid": "582ab215-1988-4420-8ee4-4a91950d210f", "value": "fe41a918e38abe4de2108357c8a7ab87658abf68a457e59473052443038638d9" }, { "category": "Network activity", "comment": "MWI8 C2", "deleted": false, "disable_correlation": false, "timestamp": "1479193149", "to_ids": true, "type": "domain", "uuid": "582ab23d-ee90-448e-94af-4c7b950d210f", "value": "bibi.pro" }, { "category": "Network activity", "comment": "RTM C2", "deleted": false, "disable_correlation": false, "timestamp": "1479193150", "to_ids": true, "type": "ip-dst", "uuid": "582ab23e-0b44-4061-a5a7-4a22950d210f", "value": "188.138.71.117" }, { "category": "Network activity", "comment": "MWI8 C2", "deleted": false, "disable_correlation": false, "timestamp": "1479193216", "to_ids": true, "type": "ip-dst", "uuid": "582ab280-d74c-4b25-9ba9-488d950d210f", "value": "82.146.37.202" }, { "category": "Network activity", "comment": "MWI8 C2", "deleted": false, "disable_correlation": false, "timestamp": "1479193216", "to_ids": true, "type": "hostname", "uuid": "582ab280-a654-4b43-8965-46e0950d210f", "value": "pink.publicvm.com" }, { "category": "Network activity", "comment": "MWI8 C2", "deleted": false, "disable_correlation": false, "timestamp": "1479193216", "to_ids": true, "type": "ip-dst", "uuid": "582ab280-93d0-4e65-9a53-4c44950d210f", "value": "5.45.80.32" }, { "category": "Network activity", "comment": "MWI8 C2", "deleted": false, "disable_correlation": false, "timestamp": "1479193266", "to_ids": true, "type": "domain", "uuid": "582ab2b2-f1ec-4afd-a1fe-4bab950d210f", "value": "take5market.com" }, { "category": "Payload delivery", "comment": "MWI8 document \u00e2\u20ac\u0153\u00d0\u02dc\u00d0\u00b7\u00d0\u00bc\u00d0\u00b5\u00d0\u00bd\u00d0\u00b5\u00d0\u00bd\u00d0\u00b8\u00d1\u008f \u00d1\u0192\u00d1\u0081\u00d0\u00bb\u00d0\u00be\u00d0\u00b2\u00d0\u00b8\u00d0\u00b9 \u00d0\u00b2\u00d0\u00b7\u00d0\u00b0\u00d0\u00b8\u00d0\u00bc\u00d0\u00be\u00d0\u00b4\u00d0\u00b5\u00d0\u00b9\u00d1\u0081\u00d1\u201a\u00d0\u00b2\u00d0\u00b8\u00d1\u008f.doc\u00e2\u20ac\u009d dropping a TeamViewer-based RAT - Xchecked via VT: fe41a918e38abe4de2108357c8a7ab87658abf68a457e59473052443038638d9", "deleted": false, "disable_correlation": false, "timestamp": "1479193314", "to_ids": true, "type": "sha1", "uuid": "582ab2e2-7224-44bb-bde5-45c702de0b81", "value": "bbb813b77ecd9c96744a8766f458643a25c29e6c" }, { "category": "Payload delivery", "comment": "MWI8 document \u00e2\u20ac\u0153\u00d0\u02dc\u00d0\u00b7\u00d0\u00bc\u00d0\u00b5\u00d0\u00bd\u00d0\u00b5\u00d0\u00bd\u00d0\u00b8\u00d1\u008f \u00d1\u0192\u00d1\u0081\u00d0\u00bb\u00d0\u00be\u00d0\u00b2\u00d0\u00b8\u00d0\u00b9 \u00d0\u00b2\u00d0\u00b7\u00d0\u00b0\u00d0\u00b8\u00d0\u00bc\u00d0\u00be\u00d0\u00b4\u00d0\u00b5\u00d0\u00b9\u00d1\u0081\u00d1\u201a\u00d0\u00b2\u00d0\u00b8\u00d1\u008f.doc\u00e2\u20ac\u009d dropping a TeamViewer-based RAT - Xchecked via VT: fe41a918e38abe4de2108357c8a7ab87658abf68a457e59473052443038638d9", "deleted": false, "disable_correlation": false, "timestamp": "1479193314", "to_ids": true, "type": "md5", "uuid": "582ab2e2-04d8-4350-9034-47f202de0b81", "value": "3faf65de1d15e606f76e5cd0a7739099" }, { "category": "External analysis", "comment": "MWI8 document \u00e2\u20ac\u0153\u00d0\u02dc\u00d0\u00b7\u00d0\u00bc\u00d0\u00b5\u00d0\u00bd\u00d0\u00b5\u00d0\u00bd\u00d0\u00b8\u00d1\u008f \u00d1\u0192\u00d1\u0081\u00d0\u00bb\u00d0\u00be\u00d0\u00b2\u00d0\u00b8\u00d0\u00b9 \u00d0\u00b2\u00d0\u00b7\u00d0\u00b0\u00d0\u00b8\u00d0\u00bc\u00d0\u00be\u00d0\u00b4\u00d0\u00b5\u00d0\u00b9\u00d1\u0081\u00d1\u201a\u00d0\u00b2\u00d0\u00b8\u00d1\u008f.doc\u00e2\u20ac\u009d dropping a TeamViewer-based RAT - Xchecked via VT: fe41a918e38abe4de2108357c8a7ab87658abf68a457e59473052443038638d9", "deleted": false, "disable_correlation": false, "timestamp": "1479193314", "to_ids": false, "type": "link", "uuid": "582ab2e2-ac44-4d94-b15a-49fa02de0b81", "value": "https://www.virustotal.com/file/fe41a918e38abe4de2108357c8a7ab87658abf68a457e59473052443038638d9/analysis/1476772587/" }, { "category": "Payload delivery", "comment": "MWI8 document \u00e2\u20ac\u0153business project laveco price.doc.rtf\u00e2\u20ac\u009ddropping RTM Banker - Xchecked via VT: a02b009929079af6b3ebe26305765aa469c41f703b3836b170ee16bc6b43223c", "deleted": false, "disable_correlation": false, "timestamp": "1479193314", "to_ids": true, "type": "sha1", "uuid": "582ab2e2-d8f4-4280-a6b7-496902de0b81", "value": "497c0ac63e9b4a7e728bba270aa4fcd0149ae968" }, { "category": "Payload delivery", "comment": "MWI8 document \u00e2\u20ac\u0153business project laveco price.doc.rtf\u00e2\u20ac\u009ddropping RTM Banker - Xchecked via VT: a02b009929079af6b3ebe26305765aa469c41f703b3836b170ee16bc6b43223c", "deleted": false, "disable_correlation": false, "timestamp": "1479193314", "to_ids": true, "type": "md5", "uuid": "582ab2e2-f818-40da-baa0-4cec02de0b81", "value": "138b7ca6bd6a0e268dd847c04b84995a" }, { "category": "External analysis", "comment": "MWI8 document \u00e2\u20ac\u0153business project laveco price.doc.rtf\u00e2\u20ac\u009ddropping RTM Banker - Xchecked via VT: a02b009929079af6b3ebe26305765aa469c41f703b3836b170ee16bc6b43223c", "deleted": false, "disable_correlation": false, "timestamp": "1479193315", "to_ids": false, "type": "link", "uuid": "582ab2e3-dcb8-41a5-a5c6-434802de0b81", "value": "https://www.virustotal.com/file/a02b009929079af6b3ebe26305765aa469c41f703b3836b170ee16bc6b43223c/analysis/1478789049/" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1479193333", "to_ids": false, "type": "vulnerability", "uuid": "582ab2f5-a354-4ca8-981e-49c1950d210f", "value": "CVE-2016-4117" } ] } }