New ThreadKit exploit builder used to spread banking Trojan and RATs

A recently discovered Microsoft Office document exploit builder kit dubbed ThreadKit has been used to spread a variety of malware, including RATs and banking Trojans.

Security experts at Proofpoint recently discovered a Microsoft Office document exploit builder kit dubbed ThreadKit that has been used to spread a variety of malware, including banking Trojans and RATs (i.e. TrickbotChthonicFormBook and Loki Bot).

The exploit kit was first discovered in October 2017, but according to the experts, crooks are using it at least since June 2017.

The ThreadKit builder kit shows similarities to Microsoft Word Intruder (MWI), it was initially being advertised in a forum post as a builder for weaponized decoy documents.

“In October 2017, Proofpoint researchers discovered a new Microsoft Office document exploit builder kit that featured a variety of recent exploits as well as a mechanism to report infection statistics.” reads the analysis published by ProofPoint. “While the documents produced by this kit exhibited some minor similarities to Microsoft Word Intruder (MWI), we determined that they were likely produced by a new exploit builder kit, which we started tracking as ThreadKit.”

Just after its appearance, documents created with the ThreadKit builder kit have been observed in several campaigns.

The decoy documents used in past campaigns performed an initial check-in to the command and control (C&C) server, a tactic also used by MWI.

The documents were triggering the CVE-2017-0199 vulnerability in Office to download and execute an HTA file that would then download the decoy and a malicious VB script to extract and run the embedded executable.

The last step of the infection sees the execution of the Smoke Loader, a small application used to download other malicious codes, in these specific attacks a banking malware.

Starting from October 2017, researchers observed the ThreadKit triggering the CVE 2017-8759 vulnerability.

“In October 2017, we started observing corresponding campaigns utilizing CVE-2017-8759. This version of ThreadKit employed a similar infection statistic initial C&C check-in and HTA to execute the embedded executable. Other changes were made to the way the exploit documents operate, in addition to integrating the new vulnerabilities.” continues the analysis.

Since November, ThreadKit integrated the code for the exploitation of the CVE 2017-11882, a 17-Year-Old flaw in MS Office exploited by remote attackers to install a malware without user interaction.

In the last weeks, the exploit kit included new exploits targeting vulnerabilities such as the CVE-2018-4878 Adobe Flash zero-day and several Microsoft office vulnerabilities (i.e. CVE-2018-0802 and CVE-2017-8570).

Proofpoint researchers observed numerous campaigns featuring ThreadKit-generated Office attachments packing exploits that were likely copied from PoC code available on a researcher’s GitHub repo.

“ThreadKit is a relatively new and popular document exploit builder kit that has been used in the wild since at least June, 2017, by a variety of actors carrying out both targeted and broad-based crimeware campaigns. This new document exploit builder kit makes the use of the latest Microsoft Office exploits accessible to even low-skilled malicious actors.” concluded Proofpoint.

Pierluigi Paganini

FAIR USE NOTICE: Under the "fair use" act, another author may make limited use of the original author's work without asking permission. Pursuant to 17 U.S. Code § 107, certain uses of copyrighted material "for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright." As a matter of policy, fair use is based on the belief that the public is entitled to freely use portions of copyrighted materials for purposes of commentary and criticism. The fair use privilege is perhaps the most significant limitation on a copyright owner's exclusive rights. Cyber Defense Media Group is a news reporting company, reporting cyber news, events, information and much more at no charge at our website Cyber Defense Magazine. All images and reporting are done exclusively under the Fair Use of the US copyright act.

Global InfoSec Awards 2022

We are in our 10th year, and these awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.


10th Anniversary Exclusive Top 100 CISO Conference & Innovators Showcase