At the end of March, security experts at Proofpoint discovered a Microsoft Office document exploit builder kit dubbed ThreadKit that has been used to spread a variety of malware, including banking Trojans and RATs (i.e. Trickbot, Chthonic, FormBook and Loki Bot).
The exploit kit was first discovered in October 2017, but according to the experts, crooks are using it at least since June 2017.
The ThreadKit builder kit shows similarities to Microsoft Word Intruder (MWI), it was initially being advertised in a forum post as a builder for weaponized decoy documents.
Just after its appearance, documents created with the ThreadKit builder kit have been observed in several campaigns.
Now threat actors are using the ThreadKit builder kit to target the recently patched CVE-2018-4878 Flash vulnerability, experts started observing exploit code samples in the wild a few days ago.
The vulnerability could be exploited by an attack by tricking victims into opening a document, web page or email containing a specially crafted Flash file.
According to the researcher Simon Choi the Flash Player flaw has been exploited by North Korea since mid-November 2017. The attackers exploited the zero-day vulnerability in attacks aimed at South Korean individuals involved in research activity on North Korea.
Now the exploit was included in the ThreadKit builder, based on Virus Total hashes posted to Pastebin.
The security expert Claes Splett has published a video that shows how to build a CVE-2018-478 exploit in ThreadKit.
Proofpoint experts reported that in the last weeks, the exploit kit included new exploits targeting vulnerabilities such as the CVE-2018-4878 Adobe Flash zero-day and several Microsoft office vulnerabilities (i.e. CVE-2018-0802 and CVE-2017-8570).
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.