Seller stipulates usage restrictions to buyers

Apr 3, 2015 14:58 GMT
Tools menu option in MWISTAT panel allows searching for IP geo-location

The authors of the Microsoft Word Intruder (MWI) exploit kit have released a web-based tool that gives cybercriminals better control over their operations and statistics.

Released in December 2014, the add-on package for MWI is written in PHP. It is called MWISTAT and can be installed on a server that receives the requests sent by victims' machines.

Exploit kit advertised as APT tool

MWI is a builder that creates rogue Word documents by injecting exploit code for various vulnerabilities affecting MS Word versions 2003 through 2010.

Researchers at FireEye say the latest version of MWI is 4.0 and that it includes exploits as old as 2010 alongside newer ones identified in 2014. The list comprises CVE-2010-3333, CVE-2012-0158, CVE-2013-3906 and CVE-2014-1761 (the last of which was used in targeted attacks).

The sellers have advertised the exploit kit on forums since May 2013, but FireEye believes a private version may have circulated before that date. It sells for between $2,000 and $3,500 (€1,800 to €3,180), and only to buyers who use it in targeted, APT-style attacks; use in spam campaigns is forbidden.

“In fact, one of the conditions of the sale of the MWI builder is that the license can be revoked if MWI is used in spam campaigns,” a blog post from the researchers explains.

Increased control over the malicious campaign

MWISTAT records when a rigged Word document was opened and when the malware was downloaded. The victim's IP address and user-agent are also made available to the operator.

However, the tool is not limited to statistics: it also lets the operator change the malicious payload served to victims. Each executable receives an identification number, and the download link carrying that ID is then placed in the documents, so the payload ID lets the operator track multiple campaigns separately.

All requests from compromised computers are logged by the server, giving the attacker a clear view of the affected IP addresses and of the payloads requested and served.

The panel also flags suspicious connections, which the malware author, an individual calling himself Objekt, describes as being associated with unwanted activity, such as that of antivirus companies or researchers.
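The same logging the panel gives the operator is what an incident responder gets when such a server is seized or its logs are recovered. The script below, an added example that is not part of the article or of MWISTAT itself, triages a constructed request log of that shape: it separates "document opened" beacons from payload downloads, counts unique victims per payload ID, and flags downloads that look like researcher or AV activity rather than a real victim. The URL layout (`/open?id=N` for the open beacon, `/get?id=N` for the download), the log line format, the sample lines and the "ms-office" user-agent heuristic are all assumptions made for illustration; the article does not give the panel's real paths, log format or detection rules.

```python
"""
Triage of a constructed MWISTAT-style request log.

Added example, not code from FireEye's report or from the MWISTAT panel.
Assumed (not from the article): the beacon path /open?id=N, the payload
path /get?id=N, the combined-log-like line format, and the heuristic that
a genuine victim's fetch carries "ms-office" in its user-agent.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>GET|POST) '
    r'/(?P<kind>open|get)\?id=(?P<pid>\d+)(?:&[^ "]*)? HTTP/1\.[01]" '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# Constructed sample log (documentation IP ranges, not real victim data).
SAMPLE_LOG = """\
203.0.113.10 [12/Dec/2014:09:14:02 +0000] "GET /open?id=7 HTTP/1.1" 200 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; ms-office)"
203.0.113.10 [12/Dec/2014:09:14:05 +0000] "GET /get?id=7 HTTP/1.1" 200 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; ms-office)"
198.51.100.23 [12/Dec/2014:10:02:41 +0000] "GET /open?id=7 HTTP/1.1" 200 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; ms-office)"
198.51.100.77 [13/Dec/2014:11:30:00 +0000] "GET /open?id=9 HTTP/1.1" 200 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; ms-office)"
198.51.100.77 [13/Dec/2014:11:30:03 +0000] "GET /get?id=9 HTTP/1.1" 200 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; ms-office)"
192.0.2.5 [14/Dec/2014:08:00:00 +0000] "GET /get?id=9 HTTP/1.1" 200 "python-requests/2.5.0"
203.0.113.10 [14/Dec/2014:09:00:00 +0000] "GET /open?id=7 HTTP/1.1" 200 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; ms-office)"
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the assumed format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["pid"] = int(rec["pid"])
    return rec


def is_office_ua(ua):
    """Heuristic (assumption): a fetch issued by Word itself usually carries 'ms-office'."""
    return "ms-office" in ua.lower()


def summarize(log_text):
    """Per payload ID: unique IPs that opened the document, downloaded the payload,
    and downloads that look suspicious (no prior open from that IP, or non-Office client)."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r is not None]
    records.sort(key=lambda r: r["ts"])  # "open before download" check needs time order
    stats = defaultdict(lambda: {"opened": set(), "downloaded": set(), "suspicious": set()})
    for rec in records:
        if rec["status"] != "200":
            continue
        s = stats[rec["pid"]]
        if rec["kind"] == "open":
            s["opened"].add(rec["ip"])
        else:
            s["downloaded"].add(rec["ip"])
            if rec["ip"] not in s["opened"] or not is_office_ua(rec["ua"]):
                s["suspicious"].add(rec["ip"])
    return dict(stats)


def report(stats):
    """Rows of (payload_id, opened, downloaded, suspicious) sorted by payload ID."""
    return [(pid, len(s["opened"]), len(s["downloaded"]), len(s["suspicious"]))
            for pid, s in sorted(stats.items())]


if __name__ == "__main__":
    for pid, opened, downloaded, suspicious in report(summarize(SAMPLE_LOG)):
        print(f"payload {pid}: opened={opened} downloaded={downloaded} suspicious={suspicious}")
```

Counting unique IPs rather than raw requests is what turns "requests logged" into the "users opened / users downloaded" figures quoted later in the article; the repeat open from 203.0.113.10 is deliberately included in the sample so that it is counted once. The suspicious-download rule is only a starting point: a researcher who first triggers the beacon from a Word sandbox will pass it, so in practice you would also look at the ASN of the source and at IPs that request several payload IDs.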

One version of MWISTAT also provided information about the version of MS Word used to open the document.

Victims identified in a large number of countries

According to the researchers, MWI was nevertheless used in spam campaigns, despite the restriction imposed by the seller. One operation lured potential victims with promises of holiday-shopping discounts, while another baited them with messages about shipping information.

FireEye found that in the first MWISTAT campaign the command-and-control (C&C) server logged 809 users from 43 countries opening the malicious file, but only 144 downloading the payload. Most of the victims were in Canada (41%), followed by Australia (31%) and the US (13%).

In the second operation, the logs covered the period between December 12, 2014 and January 6, 2015 and showed that 597 users opened the Word files and 180 of them had their systems infected. Most of the victims were in Vietnam (18%), the US (12%) and China (9%).

“A wide variety of cybercriminals, even those with minimal technical capability, now have access to document exploits through the purchase of Document Exploit Kits such as ‘Microsoft Word Intruder’. Much like Browser Exploit Kits, these tools allow operators to track a variety of campaigns and information about their victims in order to improve their effectiveness,” FireEye warns.

Image captions: Geo-location of victims lured with product discount messages; Countries with victims falling for the shipping info spam