Document exploitation is a well-established method of distributing malware among cybercriminals. A common explanation for why crooks use booby-trapped documents is that victims are more easily persuaded to open a document attachment than an executable.
Word, Excel and PDF documents that contain exploits (active booby-traps that trigger a vulnerability in the application opening them) have the added trick of not requiring the victim to enable macros manually, as VBA downloaders typically do.
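The practical consequence of that distinction is that the absence of macros tells a triager nothing about whether an attachment is safe. The following Python helper, added here as an example and not taken from the Sophos paper or from Ancalog itself, separates OOXML files that carry a VBA project (the "Enable Content" class) from those that do not, so the latter can be routed to exploit analysis rather than dismissed. The function names, the "macro"/"no-macro" labels and the in-memory sample packages are all constructed for this example.

```python
import io
import zipfile

# Content-type string that Office registers for an embedded VBA project in an
# OOXML package; its presence in [Content_Types].xml marks a macro-bearing file.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def has_vba_project(ooxml_bytes: bytes) -> bool:
    """Return True if an OOXML package (docx/docm/xlsm...) carries a VBA project.

    Two independent signals are checked: a part named vbaProject.bin under
    word/ or xl/, and the VBA content type registered in [Content_Types].xml.
    Either one is enough to treat the file as macro-bearing.
    """
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as zf:
        names = zf.namelist()
        if any(n.endswith("/vbaProject.bin") for n in names):
            return True
        if "[Content_Types].xml" in names:
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            if VBA_CONTENT_TYPE in ctypes:
                return True
    return False


def triage(ooxml_bytes: bytes) -> str:
    """Classify an attachment for the next analysis step (labels are hypothetical).

    'macro'    : the victim must still click Enable Content for anything to run.
    'no-macro' : no VBA at all; the file must be examined for exploit content
                 (embedded OLE objects, malformed structures), because the lack
                 of macros is not a clean bill of health.
    """
    return "macro" if has_vba_project(ooxml_bytes) else "no-macro"


def build_sample(with_vba: bool) -> bytes:
    """Construct a minimal in-memory OOXML package.

    This is constructed test data for the example, not a real document and not
    a malicious sample; the vbaProject.bin content is a placeholder.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        overrides = (
            '<Override PartName="/word/document.xml" '
            'ContentType="application/vnd.openxmlformats-officedocument.'
            'wordprocessingml.document.main+xml"/>'
        )
        if with_vba:
            overrides += (
                f'<Override PartName="/word/vbaProject.bin" '
                f'ContentType="{VBA_CONTENT_TYPE}"/>'
            )
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
        zf.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            f"{overrides}</Types>",
        )
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        print(f"vba={flag}: {triage(build_sample(flag))}")
```

The point of the two-signal check is robustness: a packer that renames the binary part still has to declare the VBA content type for Office to load it, and vice versa. Anything landing in the "no-macro" bucket is exactly the population this article is about and deserves a second look, not a pass.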
The latest technical paper from SophosLabs explores why we’re seeing more document exploitation malware in the wild, and investigates the long-standing popularity of a document exploitation generator called Ancalog, which is widely commercially available.
Notably, many of the vulnerabilities exploited by Ancalog were patched several years ago, so the attacks often yield poor results. Nevertheless, the ease with which booby-trapped documents can be created with the Ancalog kit has made it the attack tool of choice for many cybercriminal organizations in Russia and Nigeria targeting Asian and African nations.
These cybercrime groups have been using this method steadily over the past two years, and there is no sign that they intend to give up. The ready availability of exploit creation tools in the cyber-underground has opened up document exploitation to a wide range of criminals, and Ancalog is the most popular of these tools nowadays.
Of course, the criminals' dependence on commercial tools like Ancalog that rely on old exploits is a disadvantage for the crooks and an advantage for defenders. Ancalog uses no zero-day exploits, nor anything that could be considered new. Even the newest exploit in its arsenal was patched more than a year ago, and the most commonly used security holes date from 2010 and 2012.
In other words, simply applying current patches for Microsoft Office should disarm Ancalog attacks, and the same logic applies to the PDF reader where booby-trapped PDFs are concerned.
Read this new Sophos technical paper to gain a deeper understanding of Ancalog and how it is used by cybercriminals to deploy document exploitation attacks.