MWI8 is available on the dark web and crafts Microsoft Word-based exploits
MWI8 is available on the dark web and crafts Microsoft Word-based exploits

A kit designed to help create  Microsoft Word documents for use in targeted attacks has been upgraded to support recently discovered vulnerabilities in Flash.

According to a blog post by Proofpoint, the recent iteration of MWI – Version 8 – supports a wide variety of vulnerabilities that hackers can exploit via crafted Microsoft Word documents.

The kit has been available to criminals since 2013 but it wasn't until 2015 when security companies finally identified it.

The firm said that in July this year, an ad for the malware on a dark web site, stated that the  exploit document builder integrated CVE-2016-4117 (Adobe Flash Player up to 21.0.0.213).

“At the end of August, MWI incremented to version 8, with the message ‘MICROSOFT WORD INTRUDER 8 (MWI8): CVE-2016-4117 + CVE-2015-2545 + CVE-2015-1641 + CVE-2012-0158' in an advertisement for the new version,” said the firm.

It said the updated version was observed in the wild dropping various payloads. For example, it saw it dropping RTM Banker on 21 October. In this case, the document “business project laveco price.doc.rtf” was delivered via email and targeted at retail, financial and manufacturing verticals.

The Adobe Flash Player zero-day CVE-2016-4117 itself was discovered by FireEye and was first used by an APT actor named “ScarCruft”, as described by Kaspersky. The exploit was later integrated into multiple exploits kits.

“When we examined the MWI CVE-2016-4117 addition, it appears that this exploit document builder reused the original exploit code without modifying anything except the shellcode. The first Flash file decrypts a second Flash file, which triggers the vulnerability,” said Proofpoint.

Orlando Scott-Cowley, an independent cyber-security consultant, told SCMagazineUK.com that these attacks are used to target a small number of people or organisations.

“Attackers, usually cyber-criminals, use Microsoft Office malware built with kits like MWI as means to try and exploit specific companies for financial, intellectual or intelligence gain, very much in the same way state-sponsored hackers do,” he said.

“The likely victims will be enterprise or corporate employees, the heavy users of Microsoft Office applications and, more specifically, high-value enterprise targets such as individuals in the finance, HR or IT teams due to the types of information and resources they have access to.”

Craig Young, security researcher at Tripwire, told SC that it is important to keep Office, Flash, Windows and other software up to date with the latest security fixes and to disable macros in Office. 

“The Microsoft EMET tool can also make it more difficult for attackers to gain code execution through vulnerabilities such as those offered from MWI,” he said.

He warned that users should not open Word documents that aren't from trusted sources.  “If a document must come from an untrusted source, consider using VirusTotal and make sure Word is configured with restrictive settings.  It may be advisable to sandbox document viewing through a cloud infrastructure or within a virtual machine.”