Written by Shannon Vavra

Hackers are using a new, malleable malicious document builder to run their criminal schemes, according to Intel 471 research published Tuesday.

The document builder, known as EtterSilent, has been advertised in a Russian cybercrime forum and comes in two versions, according to the research. One exploits a vulnerability in Microsoft Office, CVE-2017-8570, and one uses a malicious macro.

One version of EtterSilent imitates the digital signature product DocuSign, though when targets click through to electronically sign documents, they are prompted to enable macros. This allows the attackers to target victims with malware.

EtterSilent also offers another benefit for criminals looking for the latest tools to run their schemes — the malicious document builder has been crafted to conceal the activities of its operators, and has been constantly updated in recent months to avoid detection, according to Intel 471.

The widespread use of EtterSilent shows how commoditization is a big part of the cybercrime economy,” the researchers note in a blog on the matter. “Different players specialize in their respective area, whether that be robust hosting, spam infrastructure, maldoc builders, or malware as a service, and find ways to leverage each other’s products in services by working together.”

Last month EtterSilent was used in a campaign that leveraged another tool, called Bazar loader, against targets, which can help attackers infect victims with other malware or ransomware, according to the research.

In another campaign that’s used EtterSilent, attackers dropped an updated version of Trickbot, a banking trojan that has been associated with ransomware infections. The attackers duped targets by sending emails purporting to contain invoices from a manufacturing company.

Other campaigns using banking trojans BokBot, Gozi ISFB and QBot have also used EtterSilent, Intel 471 notes.

The maldoc builder may be of interest to the U.S. government, which has been working to tamp down on infections run by Trickbot in recent months. Last year the Department of Defense’s Cyber Command, its offensive arm focused on disrupting hackers abroad, ran a campaign to disrupt Trickbot. The private sector also joined the action, with Microsoft and other private sector entities running a separate takedown of Trickbot.

But the botnet, a collection of zombie computers controlled by attackers, has continued to resurface despite their best efforts.