Safeguarding Against Evolving Exploit Kits
Exploit kits are a form of malicious toolkit that exploit security holes, known as vulnerabilities, in order to infect the user with malware.
Malware authors have been using Microsoft Office document exploits for several years, however their focus has recently shifted to document malware. Some examples include the Microsoft Word Intruder and Ancalog Builder which spread malware onto computers using booby-trapped Word files. AK Builder, the latest addition to the exploit kit family, generates malicious Word documents in Rich Text. AK Builder uses exploits to deliberately corrupt files that automatically trigger bugs in Office and underlying bugs in Windows.
In a recent research conducted by SophosLabs, it was found that there are two variations of the AK Builder which are differentiated by the Office vulnerabilities they target. SophosLabs identified that AK-1 was most active between the middle of 2015 and 2016, generating about 760 malicious documents, which were used to distribute more than 50 different malware families. The emergence of its successor AK-2 seemed to spell the end of the kit’s lifespan. By the summer of 2016, it seemed extinct.
Why is the AK Builder successful?
As the AK Builder is coded in a simple Python script, it is easy to steal the builder to start a new “development branch”, which means although an individual developed the malware, other attackers can simply access the code, modify it and release their own versions.
AK Builder is also advertised in YouTube videos and sold in underground forums at merely $550 per kit. The sheer affordability and availability of black market tools make it possible for criminals to gain access to the AK Builder to generate exploited documents.
Additionally, unlike the Microsoft Word Intruder and the Ancalog builder, the AK Builder has always supported encrypted decoys. This is an important feature in successful attacks as displaying decoy content can help hide malicious activities in the background. It is also less suspicious if this content is displayed after the victim opens what he thinks is a Word document.
How to defend against the AK Builder?
Enterprises can adopt a multi-pronged approach with these recommended steps:
- Patch promptly as the booby-trapped Office documents generated by exploit kits, attack security holes that were patched years ago.
- Beware of unsolicited attachments, and only open documents from known senders
- Remove or disable privileged accounts in the system, and only install applications from known publishers
- Consider using a stripped-down document viewer.For example, Microsoft’s Word Viewer is usually less vulnerable than Word itself, especially since it doesn’t support macros.
Wana Tun is regional technical evangelist at Sophos