News Feature | September 23, 2015

Sophos Releases Technical Paper On Microsoft Word Intruder

By Christine Kern, contributing writer

Sophos has released research that provides an in-depth examination of one of the most influential Office malware creation kits: Microsoft Word Intruder (MWI).

The report by Gabor Szappanos, principal researcher of SophosLabs Hungary, states that although malware is not new, virus creation kits today are designed to make money, and cybercriminals use underground marketplaces to sell both the generators and the generated malware samples.

According to the research, some cybercrime groups seem to be changing their tactics: attacks are becoming more targeted and sophisticated, rather than aiming for hundreds of thousands of infected computers in each attack.

The overall effect of the MWI kit, however, is the same as with the old DOS virus generators of the 1990s: it gives cybercrime groups immediate access to Office exploits for malware attacks, even if they lack the skills to develop exploits of their own.

According to Gabor, MWI has been used by numerous different malware groups, deploying Trojans from more than 40 different malware families.

In this research, SophosLabs mapped out a wide variety of MWI attacks that took place between May and August 2015 and followed at least a dozen different cybercrime groups that have used the MWI malware tools to distribute more than 40 different malware families.

The report also highlights that one reason for the success of MWI is the failure of users to apply software security patches, “making life easier than it should be for the cybercriminals.” It explains the history of malware creation kits and how they work, and it dives into the infection mechanism of the MWI generator, pointing out the key characteristics that differentiate MWI samples from other exploited malicious documents.