430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

The Four Element Sword, weaponized document builder used in APT Attacks

Experts analyzed a dozen attacks that leveraged on malicious RTF documents created using the same Four Element Sword builder. Security experts at Arbor Networks’ Security Engineering and Response Team (ASERT) have spotted a tool used in advanced persistent threat (APT) attacks against organizations in East Asia. The researchers have analyzed a dozen attacks that leveraged on malicious Rich […]

The Four Element Sword, weaponized document builder used in APT Attacks

Experts analyzed a dozen attacks that leveraged on malicious RTF documents created using the same Four Element Sword builder.

Security experts at Arbor Networks’ Security Engineering and Response Team (ASERT) have spotted a tool used in advanced persistent threat (APT) attacks against organizations in East Asia.

The researchers have analyzed a dozen attacks that leveraged on malicious Rich Text File (RTF) documents that were all created using the same builder which it has dubbed ‘Four Element Sword.’

The experts also collected evidence that the hacking campaigns leveraging malicious RTF documents are still active.

All the attacks belong to long-running hacking campaigns operated by APTs, threat actors targeted Tibetans, Uyghurs, human rights groups in Taiwan and Hong Kong, and journalists.

The threat actors used popular RATs to compromise victim’s machines, including PlugX, Gh0stRAT, T9000, Kivars, Graber and Agent.XST.

The malware spreads via spear-phishing emails that came with malicious RTF documents in attachment. All the documents analyzed by Arbor Networks included code to exploit 2-4 vulnerabilities (CVE-2012-0158, CVE-2012-1856, CVE-2015-1641, CVE-2015-1770), the experts believe they were created by using the same builder.

Four Element Sword Builder

The flaws CVE-2012-0158 and CVE-2012-1856 were first discovered in 2010 and fixed in 2012 by Microsoft. The flaws CVE-2015-1641 and CVE-2015-1770 were patched only last year.

“The Four Element Sword builder has been observed to utilize exploit code against four distinct vulnerabilities. Each malicious document created by the builder appears to leverage three or four of these vulnerabilities in the same RTF document, given a .DOC extension.” states the analysis published by Arbor Networks “Some targets may warrant the use of newer exploit code, while others running on dated equipment and operating systems may still fall victim to the older exploits.”

The nature of the targets and the techniques, tactics and procedures adopted by the threat actors lead the experts into belief the involvement of Chinese hackers.

The researchers at Arbor Networks also discovered that the Four Element Sword builder has been used by cyber criminal gangs in the wild, the details of these operations will be provided in future reports.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Four Element Sword builder, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]