Xty file crypter
8/31/2023

We regularly publish reports about the malicious Microsoft Office documents that are used in attacks. These maldocs are created by criminals who use tools called "builders" that automate the process of embedding any of an à-la-carte menu of exploits into the maldocs. Studying these builders often reveals trends that victims are likely to see in the malspam they receive.

The most recent updates to these builders revealed a drastic change: the makers of these builders replaced both the old exploits, and the old exploit builders themselves, with next-generation offerings. The old, established, dominant "brands" of maldoc builder tools (like Microsoft Word Intruder, Ancalog and AKBuilder) were abandoned, and these previously dominant builders have been completely wiped out of the ecosystem. One of the most prominent newcomers is The Old Phantom Crypter. Our research paper details the characteristics of this kit and the malicious documents created with it.

Figure: Exploit builders used in attacks in 2018 Q3

We had observed that, as last year came to a close, maldocs created by the top 4 exploit builders were responsible for over 75% of all malspam attacks. We had previously designated one of the most prevalent kits EQN_Kit2, because we didn't know its "street name." Now we know that this kit calls itself The Old Phantom Crypter. This kit generated samples with very distinguishing characteristics and has been very actively used (and updated) ever since.

The Old Phantom Crypter

For the past 11 months, we have seen an increasing flow of documents generated by EQN_Kit2, but we hadn't been able to identify the source behind it, until we ran into a black-market tool called The Old Phantom Crypter; then we realized that this is the mysterious kit that generates all these documents. It originated as a PE cryptor, but later on additional functionality was integrated into it. This additional functionality provided the means to deliver the protected executable by various methods, including Microsoft Office exploits. The license for this kit can be purchased via the main distribution web page for $199 per month, which positions it in the league of the most expensive builders in the market. The builder supports a wide selection of Microsoft Office exploits, from the archaic CVE-2010-3333 to the recent CVE-2017-11882 Equation Editor exploit.

Figure: The extensive list of supported exploits

Office Exploit Builder demonstrates how easy it is to build a malicious file which performs a classic social-engineering attack and stays persistent against new security products. The infection process begins with delivery of the document created by the attacker, usually by email. The victim receives the email with the seemingly benign Word document or Excel file attached. Once the attachment is opened, a security warning is shown if macros are disabled on the victim's machine. Upon clicking "Enable Content", the malicious code executes.

Checking the document in VirusTotal shows an impressive 11/55 detection ratio, making most AV vendors and security companies ineffective against this threat at the moment. The obfuscated macro code remains undetected by most antivirus products. The macro, as seen in the picture above, obfuscates the function names and variables with random strings and uses alias names for common file-download and execution functions in order to avoid detection. The URL that holds the location of the binary and the name of the file to be saved on the machine are obfuscated using an additional function that deobfuscates the string (function name "dSytusxipwMnnCsvnMpTRzoIz" in the above code and "DecodePayload" in the readable code below). It converts each character back to the ASCII character with value – 1, so each char of the obfuscated string is replaced with its previous char in the ASCII table.

The builder also provides a decoy option which adds text to the document as the "legitimate" purpose of the document.
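The decode routine described above, as an added example that is not code from this post or from any of the tools it describes: a small Python triage helper that applies the shift-by-one decode to every string literal in a macro and reports the ones that turn into a URL or an executable file name, so an analyst can recover the download location and drop name without running the document. The VBA it scans is constructed here for the example; the decoder name dSytusxipwMnnCsvnMpTRzoIz is the one quoted in the post, while the variable names, the host example.invalid and the file name update.exe are made-up stand-ins. The delta parameter generalises the decode to other fixed-shift schemes beyond the minus-one case the post shows.

```python
import re
from typing import List, Tuple
from urllib.parse import urlparse


def shift_string(s: str, delta: int) -> str:
    """Shift every character of `s` by `delta` code points.

    The macro in the post stores its strings with every character moved one
    place up the ASCII table and restores them with Chr(Asc(c) - 1), so the
    analyst's decode is shift_string(s, -1).
    """
    return "".join(chr(ord(c) + delta) for c in s)


# Constructed sample, not a real macro: the obfuscated literals are generated
# here by shifting the plaintext up by one, mirroring the scheme in the post.
# dSytusxipwMnnCsvnMpTRzoIz is the decoder name quoted in the post; the
# variable names, the host example.invalid and the file name update.exe are
# arbitrary stand-ins for the random values a builder would emit.
_URL_PLAIN = "http://example.invalid/payload.exe"
_FILE_PLAIN = "update.exe"
SAMPLE_MACRO = f'''
Sub AutoOpen()
    Dim qWvxZkpLm As String
    Dim rTyHgfDsa As String
    qWvxZkpLm = dSytusxipwMnnCsvnMpTRzoIz("{shift_string(_URL_PLAIN, 1)}")
    rTyHgfDsa = dSytusxipwMnnCsvnMpTRzoIz("{shift_string(_FILE_PLAIN, 1)}")
    MsgBox "Please enable content to view this document"
End Sub

Function dSytusxipwMnnCsvnMpTRzoIz(s As String) As String
    Dim i As Integer, r As String
    For i = 1 To Len(s)
        r = r & Chr(Asc(Mid(s, i, 1)) - 1)
    Next i
    dSytusxipwMnnCsvnMpTRzoIz = r
End Function
'''

# VBA string literals: anything between double quotes on a single line.
_STRING_LITERAL = re.compile(r'"([^"\r\n]*)"')
# File extensions worth flagging when they appear in a decoded literal.
_EXEC_EXT = re.compile(r"\.(exe|dll|scr|vbs|js|ps1)$", re.IGNORECASE)


def looks_like_url(s: str) -> bool:
    """True when the decoded text parses as an http(s) URL with a host."""
    parts = urlparse(s)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def recover_indicators(vba_source: str, delta: int = -1) -> List[Tuple[str, str, str]]:
    """Apply the shift decode to every string literal in `vba_source` and
    return (kind, obfuscated, decoded) for those that become a URL or an
    executable file name. Literals that decode to neither are ignored, so the
    decoy text a builder inserts does not produce noise.
    """
    hits = []
    for match in _STRING_LITERAL.finditer(vba_source):
        raw = match.group(1)
        if not raw:
            continue
        decoded = shift_string(raw, delta)
        if looks_like_url(decoded):
            hits.append(("url", raw, decoded))
        elif _EXEC_EXT.search(decoded):
            hits.append(("filename", raw, decoded))
    return hits


if __name__ == "__main__":
    # Prints the recovered URL and drop file name from the constructed sample.
    for kind, raw, decoded in recover_indicators(SAMPLE_MACRO):
        print(f"{kind:<8} {raw!r} -> {decoded!r}")
```

Run against the constructed macro it reports the URL and the file name and stays silent on the plain decoy string, which is the behaviour you want when feeding a batch of extracted macros (for example from olevba output) into a triage pipeline: only literals that decode to something actionable are surfaced.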