The tool can be used to generate two types of weaponised Microsoft Office documents: one that exploits a known vulnerability in Office and another that uses a malicious macro.
When opened, a template that looks like DocuSign, software that can be used to electronically sign documents.
The document then uses Excel 4.0 macros which are stored in a hidden sheet and download a payload which is then stored and executed using regsvr32 or rundll32.
Three banking trojans — BokBot, Gozi ISFB and QBot — had used EtterSilent, Intel 471 said, adding that what marked all these campaigns was the reliance on bulletproof hosting. All three trojans used services run by Yalishanda, a BPH provider.
An EtterSilent DocuSign template from March 2021. Supplied
"Intel 471 tracked a particular campaign tied to BokBot that had numerous distribution URLs embedded in the EtterSilent maldocs," the company said.
"At the time this blog was published, all of those domains resolved to one particular IP address. That address is tied to bulletproof infrastructure provided by Yalishanda. The usage of Yalishanda’s BPH service specifically for the delivery URL is reminiscent of years' worth of Hancitor campaigns observed by Intel 471."
The company concluded that widespread use of EtterSilent showed how commoditisation was a big part of the cyber crime economy.
"Different players specialise in their respective area, whether that be robust hosting, spam infrastructure, maldoc builders, or malware as a service, and find ways to leverage each other’s products in services by working together," it said.
"A better understanding of not only the malware being used, but how the cyber crime economy works and who the major players are, helps defenders focus on the threats most relevant to our organisations."