The cybercrime underground often mimics behaviors that we see in everyday facets of life. Intel 471’s latest discovery is an example of one of these patterns: when a product takes off in the marketplace, users will rush to obtain it and find unique ways to use it in order to fit their needs.

The latest “product” is a malicious document builder, known in the underground as “EtterSilent,” that Intel 471 has seen leveraged by various cybercrime groups. As it has grown in popularity, it has constantly been updated in order to avoid detection. Used in conjunction with other forms of malware, it’s a prime example of how ease of use and a concentration of skill sets leads to a commoditization of the cybercrime economy.

How it works

First advertised on a well-known Russian cybercrime forum, the seller offered two types of weaponized Microsoft Office documents (maldocs) to users: one that exploits a known vulnerability in Microsoft Office (CVE-2017-8570) and another that uses a malicious macro. To our knowledge, the maldoc with the macro is the more popular choice, possibly due to lower pricing and higher compatibility when compared to the exploit.

The malicious document, when opened, shows a template that poses as DocuSign, the popular software that allows individuals and organizations to electronically sign documents. The maldoc then leverages Excel 4.0 macros stored in a hidden sheet, which allow an externally-hosted payload to be downloaded, written to disk and executed using regsvr32 or rundll32. From there, attackers can follow up and drop other assorted malware.

EtterSilent DocuSign template from December 2020
EtterSilent DocuSign template from March 2021

A cybercrime extravaganza

Ettersilent is being used in many malware campaigns, many of which will be familiar to most cybersecurity experts.

It was used in a recent spam campaign to drop an updated version of Trickbot. The maldoc was attached in an email that pretended to be from a well-known multinational appliance manufacturer, claiming to be a payment invoice.

On March 19, 2021, EtterSilent was used as part of a Bazar loader campaign. The analyzed maldoc did not use a DocuSign template, but the main Excel sheet was named “DocuSign®.” The maldoc downloads the Bazar payload, which in turn connects to another URL that downloads the related Bazar backdoor.

Everyone needs hosting

Three banking trojans — BokBot, Gozi ISFB and QBot —have also used EtterSilent in conjunction with their schemes. However, what makes these campaigns stand out is their reliance on bulletproof hosting, which is needed to stand up their schemes. All three campaigns use services run by Yalishanda, one of the world’s most notorious BPH providers.

Intel 471 tracked a particular campaign tied to BokBot that had numerous distribution URLs embedded in the EtterSilent maldocs. As of the time this blog was published, all of those domains resolved to one particular IP address. That address is tied to bulletproof infrastructure provided by Yalishanda. The usage of Yalishanda’s BPH service specifically for the delivery URL is reminiscent of years worth of Hancitor campaigns observed by Intel 471.

We have written extensively how bulletproof hosting works hand-in-glove with cybercrime for decades, supplying criminals with the infrastructure they need to carry out their crimes. EtterSilent’s attachment to Yalishanda is another example of that notion.

A piece in a bigger puzzle

The widespread use of EtterSilent shows how commoditization is a big part of the cybercrime economy. Different players specialize in their respective area, whether that be robust hosting, spam infrastructure, maldoc builders, or malware as a service, and find ways to leverage each other’s products in services by working together. A better understanding of not only the malware being used, but how the cybercrime economy works and who the major players are, helps defenders focus on the threats most relevant to our organizations.

Appendix 1 - Indicators of compromise

DescriptionValue
Trickbot payload9118198afca6e2479fdbcca55a08a4408570d2186a7dd8f261f1821178deb595
Trickbot distribution URLhttp://costacars[.]es/ico/ortodox.php
EtterSilent maldoc50fd4b2e51908a55f2c891fb3ffde2c3661e4324c1887e65fabfb1a93a41efb2
IcedID payload8e51ccc6c8d14f0365d2d597c8aaf6015238839c0dab90e419107782bf460414
IcedID distribution URLhttp://188[.]127.254.114/44270.7082388889.dat
EtterSilent maldoc2baf563da8db9e2ed765fa7697025d277d06ee53424f6513671f2f6b7441387b
QBot payload24753d9f0d691b6d582da3e301b98f75abbdb5382bb871ee00713c5029c56d44
Qbot distribution URL
EtterSilent maldoc16a0c2f741a14c423b7abe293e26f711fdb984fc52064982d874bf310c520b12
Ursnif payloadd5b05a81f377c33a2fba292002d0474b68483225aa09c97a00336fc368383d6a
Ursnif distribution URL
EtterSilent maldoc267a54f074b688d591d5cfb7831f1adb443ec1441076775cb158bed0d385f712
Bazar payloadb7ce29ffbdf00771b539b28ce01d57cd5805ca3a6ca2eb1b694eed4466912286
Bazar distribution URLhttp://itelsys[.]ma/prod/education.php
EtterSilent maldoc5f8e3b19cd4d25ac396cf64f6f448d88e301cf899142bdb03a28cec42eb71389
Qbot payload6a984d3aaffeeec32f3803489c71bfd907e2fb74dbc8eeb931c084f11293e1cc
Qbot distribution URLhttp://pokojewewladyslawowie[.]pl/orlpzhiy/44270.5684626157.dat
EtterSilent maldoc3a5d67bdc42b7a9ebd1137e49a34d82c0ee99343ae32f3367137db19131c2cf4
Trickbot payloadaa40f9dd1212993f79cc23111de3a8dd5e529dd1a8ca5dceaa30fba53f6f96b4
Trickbot distribution URLhttp://mineiro[.]ch/casrtnoar/count.php
EtterSilent maldoc9b1c03b0cca23a94f2d6988c66eb0d246ec2648623765e83dbf20548ac874837
Ursnif payload1c65c1a53f1cf5372bb35b5af5130e966b4bb7e7941cc1460f28628249ce5189
Ursnif distribution URL
EtterSilent maldoc2a3316b69ec787ca13a3e35697bcfc4a5e37a9a3080434c56fdf17e0593e0a12