When worlds collide - the story of the Office exploit builders

Friday 6 October 10:00 - 10:30, Green room

Gabor Szappanos (Sophos)

Microsoft Office documents provide a great opportunity to deliver malware creations: most users consider these documents safe and open them without a sense of danger, especially if they contain no macros. The recent resurgence of document-exploit-delivered malware was powered by the Office exploit builders: they made exploitation available to the masses. What was once the realm of state-sponsored groups is now a playground for cybercriminals.

This presentation will provide a general overview and feature comparison of the Office exploit generators, covering both the major cybercrime and APT tools. We will provide data about the relative prevalence of the exploit kits. It turns out that the vast majority of incidents have been powered by one of the three major crimeware kits: Microsoft Word Intruder, Ancalog and AKBuilder. These three have very different development strategies. Microsoft Word Intruder is a set of PHP scripts with customizable output. New exploits are added to the selection from time to time, the latest being the CVE-2016-4117 Flash exploit. Ancalog was developed in Free Pascal with the Lazarus IDE. It uses templates for several (usually old) exploits, which gives it a rigid structure that does not allow for changes. The author is a Polish programmer with little experience in the malware underground, who quickly retired after the spotlight fell on Ancalog. However, his disappearance created the opportunity for the predators of the underground to distribute repackaged and trojanized versions of the kit. AKBuilder is released as a Python script, with the generated RTF hard-coded as a data block within it – a structure that allows little variance in generated samples. There are multiple authors of this builder, most of them apparently stealing it from the primary developer and redistributing it under their own names. The initial exposure of the kit forced the author(s) to make substantial changes to the code.

The APT and cybercrime worlds traditionally use different tools and distribute different malware families. The information flow is usually strictly one-directional: the cybercrime groups snatch ideas and exploits from the APT groups. But there have been a handful of cases in which the direction was the opposite, and the presentation will cover the more interesting ones.



Gabor Szappanos

Gabor Szappanos graduated from the Eotvos Lorand University of Budapest with a degree in physics. His first job was in the Computer and Automation Research Institute, developing diagnostic software and hardware for nuclear power plants.

He started anti-virus work in 1995, and has been developing freeware anti-virus solutions in his spare time. In 2001, he joined VirusBuster, where he was responsible for taking care of macro viruses and script malware. In 2002, he became the head of the VirusBuster virus lab. In 2012, he joined Sophos as a principal malware researcher.

Between 2008 and 2016, Gabor was a member of the board of directors of AMTSO (the Anti-Malware Testing Standards Organization).