EtterSilent, a malicious document builder, is gaining traction among cybercriminals on underground forums. Because of its growing popularity, its authors keep improving it to evade traditional security controls, and cybercriminals are now using it more often to raise the success rate of their payload delivery.
What has happened?
Since mid-2020, several ads on underground forums have promoted the EtterSilent maldoc builder. The ads advertise features such as bypassing Windows Defender, the Windows Antimalware Scan Interface (AMSI), and popular email services.
The seller behind this maldoc builder offers weaponized Microsoft Office documents (Office 2007 through 2019) in two variants: one carrying an exploit for a known vulnerability and one carrying a malicious macro.
The macro variant is more popular than the exploit variant because it is cheaper and works across more Office versions.
An EtterSilent maldoc carrying macro code can mimic a DigiCert or DocuSign document that asks the user to enable macros; once macros are enabled, the code downloads the payload in the background.
One of the vulnerabilities leveraged, CVE-2017-8570, is a remote code execution vulnerability in Microsoft Office. Two others, CVE-2017-11882 and CVE-2018-0802 (both memory-corruption bugs in the legacy Equation Editor component), were demonstrated by the attackers in a video. All three have had patches available since 2017 and early 2018, so the exploit variant only works against Office installations that are well behind on updates, which is one reason it is less popular than the macro variant.
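As an added example (not code from the article or from the EtterSilent builder), the following Python script triages an Office Open XML container for the two structural indicators the variants above leave behind: an embedded VBA project for the macro variant, and embedded OLE object parts, which is how Equation Editor objects and other exploit-carrying objects are stored inside a .docx/.xlsx package. The sample documents are constructed inline and are not real EtterSilent output; the part names and content types are the standard OOXML ones, and the `build_sample` helper and `SAMPLE_*` constants are assumptions made for this example.

```python
"""Structural triage of Office Open XML (docx/docm/xlsx/xlsm/pptm) packages.

Added example, not part of the original article or of EtterSilent.
OOXML files are ZIP containers; a VBA project lives in a part named
vbaProject.bin and embedded OLE objects (Equation Editor objects among
them) live under an embeddings/ folder. Both are declared in
[Content_Types].xml, so a mismatch between the declaration and the
parts actually present is itself worth noting.
"""
import io
import sys
import zipfile

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
OLE_CONTENT_TYPE = "application/vnd.openxmlformats-officedocument.oleObject"


def triage_ooxml(data: bytes) -> dict:
    """Inspect an OOXML package given as bytes and return the indicators found."""
    result = {
        "is_ooxml": False,
        "vba_parts": [],      # parts that are a VBA project (macro variant)
        "ole_parts": [],      # embedded OLE objects (exploit variant carrier)
        "declared_vba": False,
        "declared_ole": False,
        "notes": [],
        "verdict": "clean",
    }
    # ZIP local file header magic; anything else is not an OOXML package.
    if not data.startswith(b"PK"):
        return result
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
        names = zf.namelist()
    except zipfile.BadZipFile:
        return result
    if "[Content_Types].xml" not in names:
        return result
    result["is_ooxml"] = True

    content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    result["declared_vba"] = VBA_CONTENT_TYPE in content_types
    result["declared_ole"] = OLE_CONTENT_TYPE in content_types

    for name in names:
        lower = name.lower()
        if lower.endswith("vbaproject.bin"):
            result["vba_parts"].append(name)
        elif "/embeddings/" in lower and lower.endswith(".bin"):
            result["ole_parts"].append(name)

    # A part that is present but not declared (or declared but absent) is
    # unusual for a document produced by Office and deserves a closer look.
    if result["vba_parts"] and not result["declared_vba"]:
        result["notes"].append("VBA part present but not declared in [Content_Types].xml")
    if result["declared_vba"] and not result["vba_parts"]:
        result["notes"].append("VBA content type declared but no vbaProject.bin part found")

    if result["vba_parts"]:
        result["verdict"] = "macro"
    elif result["ole_parts"]:
        result["verdict"] = "embedded-ole"
    return result


def build_sample(parts: dict) -> bytes:
    """Construct a minimal OOXML package in memory (constructed sample, not a real maldoc)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


_CT_HEAD = ('<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="xml" ContentType="application/xml"/>')
_DOC = '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>'

# Constructed samples: a plain document, a macro-enabled document, and a
# document with an embedded OLE object part.
SAMPLE_CLEAN = build_sample({"[Content_Types].xml": _CT_HEAD + "</Types>",
                             "word/document.xml": _DOC})
SAMPLE_MACRO = build_sample({
    "[Content_Types].xml": _CT_HEAD + '<Override PartName="/word/vbaProject.bin" '
                           f'ContentType="{VBA_CONTENT_TYPE}"/></Types>',
    "word/document.xml": _DOC,
    "word/vbaProject.bin": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64,  # CFB magic + padding
})
SAMPLE_OLE = build_sample({
    "[Content_Types].xml": _CT_HEAD + '<Override PartName="/word/embeddings/oleObject1.bin" '
                           f'ContentType="{OLE_CONTENT_TYPE}"/></Types>',
    "word/document.xml": _DOC,
    "word/embeddings/oleObject1.bin": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64,
})

if __name__ == "__main__":
    # Usage: python triage.py file.docx [more files...]; with no arguments, run on the samples.
    targets = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or [
        ("sample-clean", SAMPLE_CLEAN), ("sample-macro", SAMPLE_MACRO), ("sample-ole", SAMPLE_OLE)]
    for label, blob in targets:
        r = triage_ooxml(blob)
        print(f"{label}: {r['verdict']} vba={r['vba_parts']} ole={r['ole_parts']} notes={r['notes']}")
```

This is a structural check only: it tells you a document can run a macro or carries an embedded object, not what the macro does or whether the object is an exploit. For that next step, dump the VBA with a tool such as olevba and hand any embedded OLE part to a sandbox; the point here is that both EtterSilent variants are visible at the container level before any of that.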
Recent use of the maldoc builder
In a recent campaign, the EtterSilent maldoc was used to drop an updated version of Trickbot. The gang used the same tactic in another campaign to infect systems with