Method: Windows Malware – ThreadKit

March 25th – Researchers at Proofpoint have discovered a new type of exploit kit, called ThreadKit, that allows attackers to craft malicious Office documents that attempt to exploit CVE-2017-8570, CVE-2017-11882, and CVE-2018-0802. The Word document carries an embedded executable that is decoded when exploitation of the system succeeds. In some cases of successful exploitation, a separate decoy document is opened once the embedded executable has been extracted. The decoy documents provided by Proofpoint contained the following text:

“Microsoft Word has encountered a problem and needs to close. We are sorry for the inconvenience.”

The spam campaigns tracked by Proofpoint that use this exploit kit result in various forms of banking malware being installed on the system.

Technical analysis of campaign – https://www.proofpoint.com/us/threat-insight/post/unraveling-ThreadKit-new-document-exploit-builder-distribute-The-Trick-Formbook-Loki-Bot-malware

Proficio Threat Intelligence Recommendations:

  • Validate that the proper Microsoft Office patches have been applied by checking the Microsoft Tech Center for advisories around CVE-2017-8570, CVE-2017-11882, and CVE-2018-0802.
  • EDR products such as CarbonBlack look for abuse of the various components used in this campaign, such as abnormal use of MSHTA. Validate that your endpoint solution can detect and prevent the activity described in this article.
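
To test the second recommendation against your own telemetry, the sketch below flags abnormal MSHTA use in process-creation events. It is an added example, not code from Proficio or Proofpoint; the JSON field names, the parent-process list and the sample events are assumptions constructed for illustration.

```python
import json
import ntpath

# Parents that should not normally launch mshta.exe (assumed list for this example).
# EQNEDT32.EXE is the Equation Editor binary affected by CVE-2017-11882 and CVE-2018-0802.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"}
# Markers for remote or inline script content passed to mshta.exe.
SCRIPT_MARKERS = ("http://", "https://", "javascript:", "vbscript:")

# Constructed process-creation events; field names and paths are assumptions.
SAMPLE_EVENTS = r"""
{"host": "ws-014", "parent": "C:\\Office\\WINWORD.EXE", "image": "C:\\Windows\\System32\\mshta.exe", "cmdline": "mshta.exe http://example.invalid/a.hta"}
{"host": "ws-021", "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\mshta.exe", "cmdline": "mshta.exe C:\\Tools\\help.hta"}
{"host": "ws-033", "parent": "C:\\Office\\EQNEDT32.EXE", "image": "C:\\Windows\\System32\\mshta.exe", "cmdline": "mshta.exe C:\\Temp\\t.hta"}
{"host": "ws-040", "parent": "C:\\Office\\WINWORD.EXE", "image": "C:\\Windows\\splwow64.exe", "cmdline": "splwow64.exe 8192"}
{"host": "ws-052", "parent": "C:\\Office\\EXCEL.EXE", "image": "C:\\Win
"""

def basename(path):
    # ntpath parses Windows paths correctly even when the analysis host is not Windows.
    return ntpath.basename(path or "").lower()

def classify(event):
    """Return the reasons an event counts as abnormal mshta.exe use (empty if none)."""
    if basename(event.get("image")) != "mshta.exe":
        return []
    reasons = []
    parent = basename(event.get("parent"))
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"spawned by {parent}")
    cmdline = (event.get("cmdline") or "").lower()
    if any(marker in cmdline for marker in SCRIPT_MARKERS):
        reasons.append("remote or inline script argument")
    return reasons

def scan(text):
    """Scan newline-delimited JSON events and return (host, reasons) for each hit."""
    alerts = []
    for line in filter(None, map(str.strip, text.splitlines())):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or malformed record: skip it, keep scanning
        reasons = classify(event) if isinstance(event, dict) else []
        if reasons:
            alerts.append((event.get("host"), reasons))
    return alerts

if __name__ == "__main__":
    for host, reasons in scan(SAMPLE_EVENTS):
        print(host, "; ".join(reasons))
```

Running the same logic over events your EDR or Sysmon pipeline already collects shows whether an Office-spawned MSHTA process would surface as an alert.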
