The Four Element Sword, weaponized document builder used in APT Attacks

Experts analyzed a dozen attacks that leveraged on malicious RTF documents created using the same Four Element Sword builder.

Security experts at Arbor Networks’ Security Engineering and Response Team (ASERT) have spotted a tool used in advanced persistent threat (APT) attacks against organizations in East Asia.

The researchers have analyzed a dozen attacks that leveraged on malicious Rich Text File (RTF) documents that were all created using the same builder which it has dubbed ‘Four Element Sword.’

The experts also collected evidence that the hacking campaigns leveraging malicious RTF documents are still active.

All the attacks belong to long-running hacking campaigns operated by APTs, threat actors targeted Tibetans, Uyghurs, human rights groups in Taiwan and Hong Kong, and journalists.

The threat actors used popular RATs to compromise victim’s machines, including PlugXGh0stRATT9000Kivars, Graber and Agent.XST.

The malware spreads via spear-phishing emails that came with malicious RTF documents in attachment. All the documents analyzed by Arbor Networks included code to exploit 2-4 vulnerabilities (CVE-2012-0158, CVE-2012-1856, CVE-2015-1641, CVE-2015-1770), the experts believe they were created by using the same builder.


The flaws CVE-2012-0158 and CVE-2012-1856 were first discovered in 2010 and fixed in 2012 by Microsoft. The flaws CVE-2015-1641 and CVE-2015-1770 were patched only last year.

“The Four Element Sword builder has been observed to utilize exploit code against four distinct vulnerabilities. Each malicious document created by the builder appears to leverage three or four of these vulnerabilities in the same RTF document, given a .DOC extension.” states the analysis published by Arbor Networks “Some targets may warrant the use of newer exploit code, while others running on dated equipment and operating systems may still fall victim to the older exploits.”

The nature of the targets and the techniques, tactics and procedures adopted by the threat actors lead the experts into belief the involvement of Chinese hackers.

The researchers at Arbor Networks also discovered that the Four Element Sword builder has been used by cyber criminal gangs in the wild, the details of these operations will be provided in future reports.

Pierluigi Paganini

April 21, 2016

cyber defense awardsWe are in our 11th year, and Global InfoSec Awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.
Cyber Defense Awards

11th Anniversary Exclusive Top Global CISO Conference & Innovators Showcase - October - 2023