EtterSilent and the Bazar Malware

On March 19, 2021, EtterSilent, a malicious document builder, began circulating, with its documents masquerading as DocuSign files. It has been used in a Bazar Loader campaign that delivered an Excel spreadsheet named after DocuSign rather than an actual DocuSign template. Once the malicious document downloads its payload, that payload connects to another URL and downloads Bazar, creating a backdoor into the target's network. It is stealthy: the builder is updated to avoid detection. EtterSilent has also been used in numerous other attacks, such as spam campaigns.

EtterSilent can bypass security controls such as Windows Defender, the Windows Antimalware Scan Interface (AMSI), and some email services. The attacker can update the malicious document as needed. In the DocuSign case, a Microsoft Office document disguised as DocuSign is sent to the target. Once the target opens the document and enables macros, an Excel 4.0 macro stored in a hidden sheet downloads the external payload, writes it to the PC's disk, and executes it with regsvr32 or rundll32. If the payload executes on the PC, the attacker can drop other malware onto it. EtterSilent has exploited three different vulnerabilities in Microsoft Office:
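The chain above leaves one observable that is easy to alert on: an Office application (EXCEL.EXE in this campaign) becoming the parent of regsvr32.exe or rundll32.exe, usually with a payload path under a user-writable directory. The following detection is an added example written for this write-up; it is not code from the original post or from any vendor product. The log lines are constructed to resemble endpoint process-creation telemetry (Sysmon Event ID 1 style field names), and the hostnames, user names and file names in them are made up.

```python
"""Flag process-creation events where an Office app launches regsvr32 or rundll32.

Added example for this write-up (not code from the original post or any
vendor product). The events below are constructed to resemble endpoint
process-creation telemetry (Sysmon Event ID 1 style field names); hostnames,
user names and file names are made up.
"""
import re
from dataclasses import dataclass

# Office applications that have no routine reason to spawn DLL-loading host processes.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# The two payload launchers the write-up names.
SUSPECT_CHILDREN = {"regsvr32.exe", "rundll32.exe"}

# Constructed sample telemetry: two malicious-looking lines, two benign lines.
SAMPLE_EVENTS = r'''
Host=WS-FINANCE-07 ParentImage="C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" Image="C:\Windows\System32\regsvr32.exe" CommandLine="regsvr32.exe -s C:\ProgramData\update.dll"
Host=WS-FINANCE-07 ParentImage="C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" Image="C:\Windows\System32\rundll32.exe" CommandLine="rundll32.exe C:\Users\jdoe\AppData\Local\Temp\ds.dll,Start"
Host=WS-HR-02 ParentImage="C:\Windows\explorer.exe" Image="C:\Windows\System32\rundll32.exe" CommandLine="rundll32.exe shell32.dll,Control_RunDLL"
Host=WS-HR-02 ParentImage="C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" Image="C:\Windows\System32\notepad.exe" CommandLine="notepad.exe"
'''


@dataclass
class Alert:
    host: str
    parent: str
    child: str
    command_line: str
    reasons: list


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> dict:
    """Split a 'Key=value' line into a dict; values may be double-quoted."""
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', line)
    return {k: v.strip('"') for k, v in pairs}


def evaluate(event: dict):
    """Return an Alert for an Office-to-regsvr32/rundll32 parent/child pair, else None."""
    parent = _basename(event.get("ParentImage", ""))
    child = _basename(event.get("Image", ""))
    if parent not in OFFICE_PARENTS or child not in SUSPECT_CHILDREN:
        return None
    cmd = event.get("CommandLine", "")
    reasons = ["office_spawns_" + child.rsplit(".", 1)[0]]
    # A freshly written payload typically lives under a user-writable directory.
    if re.search(r"\\users\\[^\\]+\\appdata\\|\\programdata\\", cmd, re.I):
        reasons.append("payload_in_user_writable_path")
    return Alert(event.get("Host", "?"), parent, child, cmd, reasons)


def scan(lines):
    """Run evaluate() over raw log lines and keep only the alerts."""
    alerts = []
    for line in lines:
        if line.strip():
            alert = evaluate(parse_event(line))
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS.splitlines()):
        print(f"{a.host}: {a.parent} -> {a.child} [{', '.join(a.reasons)}] {a.command_line}")
```

Against the four constructed lines, only the two EXCEL.EXE-to-regsvr32/rundll32 events are raised; the explorer.exe-launched rundll32 and the Excel-launched notepad are ignored. In a real deployment the parent/child pair alone is a strong signal, and the user-writable-path reason is what separates a dropped payload from the occasional legitimate add-in registration.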

· CVE-2017-11882 (memory corruption vulnerability): a remote code execution vulnerability that occurs when the software fails to properly handle objects in memory. An attacker can run code and, if the user has administrative rights, take control of the system.

· CVE-2017-8570 (remote code execution vulnerability): an attacker can send a specially crafted file to the system and, posing as the user or administrator of the system, gain access.

· CVE-2018-0802 (memory corruption vulnerability): an attacker can run code on behalf of the target. If the target has administrative rights, the attacker can take control of the affected system. Users with fewer rights on the system are less impacted.

The first and the third vulnerabilities mirror each other.

There is not much remediation that can be done, given the complexity of EtterSilent and its ability to update. The one suggestion that appears to be solid is to not enable macros. Also ensure that all patches are installed and software is up to date. Organizations should educate themselves and their staff on cyber security awareness.
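"Do not enable macros" relies on the user; a complementary control is to inspect inbound Excel attachments for the hidden Excel 4.0 macro sheet the write-up describes before they reach a mailbox. The scanner below is an added example written for this write-up, not code from the original post. It assumes only the public OOXML package layout (xl/workbook.xml and its xl/_rels/workbook.xml.rels part, where an XLM macro sheet is referenced by the xlMacrosheet relationship type), and the sample workbook it checks is constructed in memory with an empty macro sheet rather than taken from any real campaign.

```python
"""Detect hidden Excel 4.0 (XLM) macro sheets inside an .xlsm/.xlsx package.

Added example for this write-up; not code from the original post. It assumes
only the public OOXML package layout (xl/workbook.xml plus its .rels part).
The sample workbook is constructed in memory and contains an empty macro sheet.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_PKG = "http://schemas.openxmlformats.org/package/2006/relationships"
WORKSHEET_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/worksheet"
MACROSHEET_REL = "http://schemas.microsoft.com/office/2006/relationships/xlMacrosheet"


def find_hidden_macrosheets(data: bytes):
    """Return (sheet name, state, part path) for every XLM macro sheet that is
    hidden or veryHidden. A workbook that is not an OOXML package yields []."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "xl/workbook.xml" not in names or "xl/_rels/workbook.xml.rels" not in names:
            return findings
        # Map relationship id -> (type, target part) from the workbook .rels part.
        rels = {}
        rels_root = ET.fromstring(z.read("xl/_rels/workbook.xml.rels"))
        for rel in rels_root.iter(f"{{{NS_PKG}}}Relationship"):
            rels[rel.get("Id")] = (rel.get("Type"), rel.get("Target"))
        # Each <sheet> carries a visibility state and an r:id into that map.
        wb = ET.fromstring(z.read("xl/workbook.xml"))
        for sheet in wb.iter(f"{{{NS_MAIN}}}sheet"):
            state = sheet.get("state", "visible")
            rel_type, target = rels.get(sheet.get(f"{{{NS_REL}}}id"), (None, None))
            if rel_type == MACROSHEET_REL and state in ("hidden", "veryHidden"):
                part = target.lstrip("/") if target.startswith("/") else "xl/" + target
                findings.append((sheet.get("name"), state, part))
    return findings


def build_sample_workbook(state: str = "veryHidden") -> bytes:
    """Construct a minimal package: one visible worksheet plus one XLM macro
    sheet whose visibility is `state` ('visible', 'hidden' or 'veryHidden')."""
    state_attr = "" if state == "visible" else f' state="{state}"'
    workbook = (
        f'<workbook xmlns="{NS_MAIN}" xmlns:r="{NS_REL}"><sheets>'
        f'<sheet name="Sheet1" sheetId="1" r:id="rId1"/>'
        f'<sheet name="Macro1" sheetId="2"{state_attr} r:id="rId2"/>'
        f'</sheets></workbook>'
    )
    rels = (
        f'<Relationships xmlns="{NS_PKG}">'
        f'<Relationship Id="rId1" Type="{WORKSHEET_REL}" Target="worksheets/sheet1.xml"/>'
        f'<Relationship Id="rId2" Type="{MACROSHEET_REL}" Target="macrosheets/sheet1.xml"/>'
        f'</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", workbook)
        z.writestr("xl/_rels/workbook.xml.rels", rels)
        z.writestr("xl/worksheets/sheet1.xml", f'<worksheet xmlns="{NS_MAIN}"/>')
        z.writestr("xl/macrosheets/sheet1.xml", f'<macrosheet xmlns="{NS_MAIN}"/>')
    return buf.getvalue()


if __name__ == "__main__":
    for name, state, part in find_hidden_macrosheets(build_sample_workbook()):
        print(f"hidden XLM macro sheet: {name} ({state}) -> {part}")
```

The check keys on the relationship type rather than the sheet name, since an attacker controls the name but not the part type Excel needs in order to treat the sheet as XLM. The same package layout applies to .xlsm and .xlsx files; legacy binary .xls workbooks store XLM differently and need a BIFF-aware parser (oletools' olevba handles both).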

Upon request, the Maryville Cyber Fusion Center can perform a security audit, determining if you are vulnerable to this. Please reach out to cyber@maryville.edu if you have any questions or concerns relating to this vulnerability.
