MWI8 framework builds malicious Word documents and was recently advertised on the dark web as incorporating specific, recently discovered Flash vulnerabilities.
A kit designed to help create Microsoft Word documents for use in targeted attacks has been upgraded to support recently discovered vulnerabilities in Flash.
According to a blog post by Proofpoint, the recent iteration of MWI – Version 8 – supports a wide variety of vulnerabilities that hackers can exploit via crafted Microsoft Word documents.
The kit has been available to criminals since 2013, but it wasn’t until 2015 that security companies finally identified it.
The firm said that in July this year an ad for the malware on a dark web site stated that the exploit document builder integrated CVE-2016-4117 (Adobe Flash Player up to 184.108.40.206).
“At the end of August, MWI incremented to version 8, with the message ‘MICROSOFT WORD INTRUDER 8 (MWI8): CVE-2016-4117 + CVE-2015-2545 + CVE-2015-1641 + CVE-2012-0158’ in an advertisement for the new version,” said the firm.
It said the updated version was observed in the wild dropping various payloads. For example, it was seen dropping RTM Banker on 21 October. In this case, the document “business project laveco price.doc.rtf” was delivered via email and targeted at retail, financial and manufacturing verticals.
The Adobe Flash Player zero-day CVE-2016-4117 itself was discovered by FireEye and was first used by an APT actor named “ScarCruft”, as described by Kaspersky. The exploit was later integrated into multiple exploit kits.
“When we examined the MWI CVE-2016-4117 addition, it appears that this exploit document builder reused the original exploit code without modifying anything except the shellcode. The first Flash file decrypts a second Flash file, which triggers the vulnerability,” said Proofpoint.
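A defender-side check for the delivery format described above, added here as an example and not code from Proofpoint or from the MWI builder: it decodes the hex-encoded embedded-object streams of an RTF file (the `.doc.rtf` form the kit was seen delivering) and reports any SWF header found inside, since the first-stage Flash file has to be present in the document for the chain to start. The sample RTF is constructed and the detection is a simplified heuristic, not a full RTF parser.

```python
import re

# SWF file signatures: uncompressed, zlib-compressed and LZMA-compressed.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")

# A run of at least eight hex byte pairs, whitespace/newlines allowed between pairs
# (RTF writers wrap \objdata hex streams across lines).
HEX_RUN = re.compile(rb"(?:[0-9A-Fa-f]{2}\s*){8,}")


def decode_hex_runs(rtf: bytes):
    """Yield the decoded bytes of every hex run found in an RTF file."""
    for m in HEX_RUN.finditer(rtf):
        cleaned = re.sub(rb"\s+", b"", m.group(0))
        if len(cleaned) % 2:          # drop a dangling nibble
            cleaned = cleaned[:-1]
        yield bytes.fromhex(cleaned.decode("ascii"))


def find_embedded_swf(rtf: bytes):
    """Return (offset, magic, swf_version) for each SWF header inside embedded objects.

    The SWF header is 3 magic bytes, 1 version byte and a 4-byte file length,
    so a hit needs at least 8 bytes of blob after the magic's offset.
    """
    hits = []
    for blob in decode_hex_runs(rtf):
        for magic in SWF_MAGICS:
            idx = blob.find(magic)
            if idx != -1 and len(blob) >= idx + 8:
                hits.append((idx, magic.decode(), blob[idx + 3]))
    return hits


# Constructed sample: an OLE object header followed by a fake zlib-compressed SWF
# (magic "CWS", version 13, declared length 100), hex-encoded inside \objdata.
_fake_swf = b"CWS" + bytes([13]) + (100).to_bytes(4, "little") + b"\x00" * 16
_ole_prefix = b"\x01\x05\x00\x00\x02\x00\x00\x00"
SAMPLE_RTF = (b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata "
              + (_ole_prefix + _fake_swf).hex().encode() + b"}}}")
BENIGN_RTF = b"{\\rtf1\\ansi Quarterly figures attached.\\par}"

if __name__ == "__main__":
    print("sample :", find_embedded_swf(SAMPLE_RTF))   # [(8, 'CWS', 13)]
    print("benign :", find_embedded_swf(BENIGN_RTF))   # []
```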
This article originally appeared at scmagazineuk.com