Microsoft Word Intruder revealed: New SophosLabs research goes inside a malware creation kit

SophosLabsSophosLabs researcher Gabor Szappanos is at it again, with new research exploring and explaining the mechanics of a malware creation kit that was used in a series of campaigns between May and August 2015.

Gabor has been tracking the development of malware used in advanced persistent threat (APT) campaigns over the past couple of years, including PlugX and other document-based attacks.

This time, he cracks open the case of an intriguing malware construction kit available in underground cybercrime markets: Microsoft Word Intruder (MWI).

MWI, which you can tell from its name is used to create malware exploiting Microsoft Office documents, was developed in Russia but has been used widely by cybercrime groups.

As Gabor explains in his new paper, Microsoft Word Intruder Revealed, virus creation kits are not new: the first ones were created in the early 1990s. But the purpose of creating and publishing them has changed. Instead of making a countercultural statement, the goal now is to make money for the authors, who sell these malware generators to other cybercriminals in underground marketplaces.

The overall effect of the MWI kit, however, is the same as with the old DOS virus generators of the 1990s: it gives cybercrime groups immediate access to Office exploits for malware attacks, even if they lack the skills to develop exploits of their own.

According to Gabor, MWI had been used by numerous different malware groups, deploying Trojans from more than 40 different malware families.

There’s a lot of fascinating detail in Gabor’s paper, whether you’re a layperson interested in cybercrime, or a more technical reader. Gabor explains the history of malware creation kits, and how they work, and also dives into the infection mechanism of the MWI generator, pointing out the key characteristics differentiating these samples from other exploited malicious documents.

Download Gabor’s paper – Microsoft Word Intruder Revealed.

About SophosLabs

SophosLabs is the global network of threat centers staffed by Sophos researchers and analysts. Keep up to date with our latest industry-leading research, technical papers, and security advice at Naked Security and the Sophos Blog.

Sign up for our newsletter by filling in your email address at the top right of the blog’s webpage. Follow us on your favorite social media networks, chat with us in our forums, download our informative podcasts, or sign up for our RSS feeds.