Microsoft Word Intruder, the tool that creates document based malware
The malware creation tool that can drop or download and then infect
MWI was advertised in the underground by an individual who goes by the handle Objekt. The malicious tool creates infected Rich Text Format (RTF) documents that exploit multiple vulnerabilities in MS Word to infect the victim’s computer.
The malware created by MWI can be of two types:
- Droppers – In this case, the malicious payload used by the infecting application is present locally. This means the infection process can take place offline as all the required components come in one package (the main malware component is extracted or dropped after execution).
- Downloaders – These only come with the URL of the malicious payload meaning that the infection process requires downloading additional stuff from the internet. Although this may seem like a more difficult infection process, it also means that a new and more dangerous malware can be downloaded whenever the threat is executed.
Droppers are more common but both these infections mechanisms are widely used.
MWI malware can be tracked by attackers and used to steal financial information
Since December 2014, MWI has also developed a special tracking feature known as MWISTAT which writes a distinct URL to the generated RTF files. This allows cyber criminals to keep track of their malware campaigns and the samples involved.
To avoid general user suspicion, The MWI malware also comes with a legitimate looking decoy document which hides the abnormal behavior (Word crashing or quitting) immediately after loading a file. The recent versions of this kit attempt to exploit four different vulnerabilities namely, CVE-2010-3333, CVE-2012-0158, CVE-2013-3906 and CVE-2014-1761 with the 2010 and 2012 vulnerabilities being the most prevalent attack vector. It was also found that variants of Zbot or Zeus malware were the ones being predominantly used. This malware family is often used to steal important financial information and login credentials, sometimes with the use or ransomware like CryptoLocker.
It is clear that document based malware is being spread widely, especially with the help of spam emails. Thus a cautious approach towards attachments and up to date anti-malware protection is the key to keeping such rats out of your system.
Have a nice (malware-free) day!
Emsisoft Endpoint Protection: Award-Winning Security Made Simple
Experience effortless next-gen technology. Start Free Trial