Intel 471 researchers have identified a new malicious document builder, dubbed EtterSilent, that can create malicious documents (maldocs) mimicking DocuSign files.
EtterSilent could also exploit an old remote code execution vulnerability in Microsoft Office.
According to Intel 471, EtterSilent was advertised on Russian online cybercriminal forums in June 2020 and has seen mass use in Trickbot and BazarLoader campaigns, as well as with banking trojans like BokBot, Gozi ISFB, and QBot.
EtterSilent exploits the digital signature function of DocuSign by tricking victims into enabling macros, which activates the embedded malware.
Since DocuSign is commonly used in enterprise environments, most victims are unwary when they see such notifications in their inboxes.
“There has been a steady rise recently and it has been persistent and is gaining notoriety now. It is quite cheap for a builder, at just a few dollars per build, and I think that combined with the fact that the authors spent considerable time on obfuscation is making it quite popular,” said Brandon Hoffman, CISO at Intel 471.
During a recent banking attack utilizing Trickbot, EtterSilent was used to make maldocs that pretended to contain invoices from a manufacturing company.
Hoffman said EtterSilent became popular because it costs around $9 and has sophisticated obfuscation capabilities.