Microsoft Office documents provide a great opportunity to deliver malware: most users consider these documents safe and open them without a sense of danger. We experienced a resurgence of document-exploit-delivered malware in the past couple of years, and the Office exploit builders played an important role in this resurgence: they made exploitation available to the masses. What was once the realm of state-sponsored groups is now a playground for cybercriminals.
In this presentation we will provide a general overview and feature comparison of the Office exploit generators, covering the major cybercrime tools.
The vast majority of the incidents were powered by one of three major crimeware kits: Microsoft Word Intruder, Ancalog and AKBuilder. These three follow very different development strategies.
Microsoft Word Intruder is a set of PHP scripts with highly customizable output. New exploits are added to the selection from time to time, the latest being the CVE-2016-7193 exploit.
Ancalog was developed in Lazarus (Free Pascal). It uses templates for several (but usually old) exploits, which gives the output a rigid structure that does not allow changes. The author is a Polish programmer with little experience in the malware underground, who quickly retired after the spotlight fell on Ancalog. His disappearance gave the predators of the underground an opportunity to distribute repackaged and trojanized versions of the kit.
AKBuilder is released as a Python script, with the generated RTF hardcoded as a data block in it, a structure that allows little variance in the generated samples. There are multiple authors of this builder, most of them apparently stealing it from the primary developer and redistributing it under their own names. The initial exposure of the kit forced the author(s) to make substantial changes to the code.