In the underground community and on the dark web there is a framework called Microsoft Word Intruder (MWI8) that builds malicious Word documents. It has recently been advertised on the dark web as incorporating specific, recently discovered Flash vulnerabilities.
MWI8 is available on the dark web and crafts Microsoft Word-based exploits.
The MWI8 kit, designed to help create Microsoft Word documents for use in targeted attacks, has recently been upgraded to support recently discovered vulnerabilities in Flash.
The latest version supports a wide range of vulnerabilities that hackers can exploit via crafted Microsoft Word documents.
Cyber criminals and hackers have been using this kit since 2013, and it has evolved through to its latest release. Computer security researchers only identified the threat in 2015.
In July this year, an ad for the malware on a dark web site stated that the exploit document builder integrated CVE-2016-4117 (Adobe Flash Player up to 126.96.36.199).
Version 8 of MWI was released in the last week of August with the message ‘MICROSOFT WORD INTRUDER 8 (MWI8): CVE-2016-4117 + CVE-2015-2545 + CVE-2015-1641 + CVE-2012-0158’.
The payload or damaging code depends on the intent of whoever operates the kit, but it has been observed in the wild. For example, it was seen dropping RTM Banker on 21 October. In this case, the document “business project laveco price.doc.rtf” was delivered via email and targeted the retail, financial and manufacturing verticals.
Security firms FireEye and Kaspersky have said that the Adobe Flash Player zero-day CVE-2016-4117 itself has been exploited and integrated into multiple exploit kits.
“When the MWI CVE-2016-4117 was analyzed, it appears that this exploit document builder reused the original exploit code without modifying anything except the shellcode. The first Flash file would decrypt a second Flash file, which triggers the vulnerability,” said Proofpoint.
Attackers, cyber-criminals and even state-sponsored hackers use Microsoft Office malware to target a small number of people or organizations.
Software like MWI8 is one method used to exploit specific companies for financial, intellectual or intelligence gain.
It is not just small companies they are after. Enterprise users depend more heavily on Microsoft Office products and are likely to be high-value targets. HR, IT, officers or people in finance would be targeted to gain access, information and resources.
We cannot stress enough how important it is to keep software up to date, especially with security patches and fixes. Another measure is to disable macros in Microsoft Office.
Programs like the Microsoft EMET toolkit can be used to make it more difficult for attackers to gain code execution through vulnerabilities such as those offered by MWI.
Use common sense. Do not open Microsoft Word documents from unknown sources or senders. If in doubt, you can check the file with VirusTotal, and make sure Word is configured with restrictive settings.
If you are tech savvy, you can sandbox document viewing in cloud infrastructure or within a virtual machine. Nonetheless, think before you click.
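As an added example (not from the article, and not code from MWI8 or any vendor's tooling), the following Python triage script flags RTF documents that embed a Flash OLE object, the carrier used for the Flash CVEs discussed above, so a suspicious attachment can be checked before it is opened. The sample document, its class names and the OLE1 layout helper are constructed for illustration; heavily obfuscated RTF needs a full parser such as oletools' rtfobj.

```python
import re

# Hypothetical scanner, not part of MWI8 or any vendor tool. Two signals are
# checked per embedded object: the declared class name and an SWF file header
# ("FWS"/"CWS"/"ZWS") inside the decoded \objdata hex blob.
FLASH_CLASS_PREFIX = "shockwaveflash"           # e.g. ShockwaveFlash.ShockwaveFlash
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")           # uncompressed / zlib / LZMA SWF

# One RTF object group: \object ... {\*\objclass NAME} ... {\*\objdata HEX}
OBJECT_RE = re.compile(rb"\\object\b(?P<body>.*?)\\objdata\s*(?P<hex>[0-9A-Fa-f\s]+)", re.DOTALL)
OBJCLASS_RE = re.compile(rb"\\objclass\s+([\w.]+)")

def decode_objdata(hex_blob: bytes) -> bytes:
    r"""\objdata holds the OLE1 object stream as hex; whitespace may appear anywhere."""
    cleaned = re.sub(rb"\s+", b"", hex_blob)
    if len(cleaned) % 2:                        # tolerate a dangling nibble
        cleaned = cleaned[:-1]
    return bytes.fromhex(cleaned.decode("ascii"))

def find_flash_objects(rtf: bytes) -> list:
    """Return one record per embedded object that looks like Flash content."""
    hits = []
    for m in OBJECT_RE.finditer(rtf):
        cls = OBJCLASS_RE.search(m.group("body"))
        cls_name = cls.group(1).decode("ascii", "replace") if cls else ""
        data = decode_objdata(m.group("hex"))
        # Offset of the first SWF header inside the object stream, -1 if none.
        swf_at = min((i for i in (data.find(mg) for mg in SWF_MAGICS) if i >= 0), default=-1)
        if cls_name.lower().startswith(FLASH_CLASS_PREFIX) or swf_at >= 0:
            hits.append({"objclass": cls_name, "swf_at": swf_at, "size": len(data)})
    return hits

def _ole1_object(class_name: bytes, native: bytes) -> bytes:
    """Build a minimal OLE1 embedded-object stream (constructed, only for the sample)."""
    name = class_name + b"\x00"
    return (bytes.fromhex("01050000") + (2).to_bytes(4, "little")   # version, FormatID=embedded
            + len(name).to_bytes(4, "little") + name
            + (0).to_bytes(4, "little") * 2                        # empty topic and item names
            + len(native).to_bytes(4, "little") + native)

def constructed_sample() -> bytes:
    """Constructed RTF, not a real MWI8 document: one Flash object, one Paint object."""
    flash = _ole1_object(b"ShockwaveFlash.ShockwaveFlash", b"FWS\x0a" + b"\x00" * 12).hex().encode()
    paint = _ole1_object(b"Paint.Picture", b"BM" + b"\x00" * 14).hex().encode()
    return (b"{\\rtf1\\ansi Quarterly figures attached."
            b"{\\object\\objemb{\\*\\objclass ShockwaveFlash.ShockwaveFlash}{\\*\\objdata " + flash + b"}}"
            b"{\\object\\objemb{\\*\\objclass Paint.Picture}{\\*\\objdata " + paint + b"}}}")
```

Running `find_flash_objects(constructed_sample())` reports the Flash object (class name and the SWF header at offset 54 of its OLE1 stream) and ignores the Paint object; the second, encrypted Flash file Proofpoint describes would not appear as a separate header, which is why the class name is checked as well.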