Last October, Microsoft released Security Bulletin MS16-121, patching an Office vulnerability attackers could exploit to run malware on infected computers. Those who have yet to apply it should do so immediately: SophosLabs researchers have discovered fresh cases of AKBuilder and Microsoft Word Intruder (MWI) exploiting the flaw.
Specifically, copies of AKBuilder are being sold on an underground forum, and MWI’s authors are now using it to concoct new exploits against the RTF flaw. SophosLabs principal researcher Gábor Szappanos said:
"This vulnerability is already under fire by two major exploit builders. It all happened within a couple of weeks, with the help of an underground forum."
AKBuilder generates malicious Word documents, all in Rich Text. Once purchased, malicious actors use it to package malware samples into booby-trapped documents they can then spam out. Its exploits take the form of deliberately corrupted files that automatically trigger bugs in Office and underlying bugs in Windows itself. SophosLabs has seen several cases of this builder in action recently.
MWI is one of the best-known Office exploit builders and certainly one of the most popular among cybercrime groups. Though SophosLabs recently discovered new versions that include non-Office exploits, the one targeting the Office RTF flaw goes on the attack the old-fashioned way.
[Source: Sophos Naked Security]