Micro Technology Solutions Inc.

DocuSign hacking tool – Alert!

DocuSign has notified users earlier this week of a new hacking tool that is mimmicking their product. This tool is dropping malware into victims’ computer systems.
 
The name of the tool is EtterSilent and it uses Microsoft documents that contain macros to launch its attack. See alert below.

ALERT: New malicious hacking tool impersonating DocuSign observed

04/06/2021
 

DocuSign has been made aware of a new malicious document builder named EtterSilent that has been used to impersonate DocuSign to deliver malware to victims. The document builder creates Microsoft Office documents containing malicious macros or attempts to exploit a known Microsoft Office vulnerability (CVE-2017-8570) to download malware onto the victim’s computer. This activity is from malicious third-party sources and is not coming from the DocuSign platform. 

To date, the malicious documents have been observed to deliver many different malware families such as Trickbot, QBot, Bazar, IcedID and Ursnif. These types of maldocs are typically delivered to victims via phishing attacks. For more information on how to spot phishing, please see our Combating Phishing white paper.

The following Indicators of Compromise have been seen associated with this activity:

DESCRIPTIONVALUE
Trickbot payload9118198afca6e2479fdbcca55a08a4408570d2186a7dd8f261f1821178deb595
Trickbot distribution URLhttp://costacars.es/ico/ortodox.php
EtterSilent maldoc50fd4b2e51908a55f2c891fb3ffde2c3661e4324c1887e65fabfb1a93a41efb2
IcedID payload8e51ccc6c8d14f0365d2d597c8aaf6015238839c0dab90e419107782bf460414
IcedID distribution URLhttp://188.127.254.114/44270.7082388889.dat
EtterSilent maldoc2baf563da8db9e2ed765fa7697025d277d06ee53424f6513671f2f6b7441387b
QBot payload24753d9f0d691b6d582da3e301b98f75abbdb5382bb871ee00713c5029c56d44
Qbot distribution URLhttp://kfzhm28pwzrlk02bmjy.com/mrch.gif
EtterSilent maldoc16a0c2f741a14c423b7abe293e26f711fdb984fc52064982d874bf310c520b12
Ursnif payloadd5b05a81f377c33a2fba292002d0474b68483225aa09c97a00336fc368383d6a
Ursnif distribution URLhttp://musclemodz.com/asrt3.png
EtterSilent maldoc267a54f074b688d591d5cfb7831f1adb443ec1441076775cb158bed0d385f712
Bazar payloadb7ce29ffbdf00771b539b28ce01d57cd5805ca3a6ca2eb1b694eed4466912286
Bazar distribution URLhttp://itelsys.ma/prod/education.php
EtterSilent maldoc5f8e3b19cd4d25ac396cf64f6f448d88e301cf899142bdb03a28cec42eb71389
Qbot payload6a984d3aaffeeec32f3803489c71bfd907e2fb74dbc8eeb931c084f11293e1cc
Qbot distribution URLhttp://pokojewewladyslawowie.pl/orlpzhiy/44270.5684626157.dat
EtterSilent maldoc3a5d67bdc42b7a9ebd1137e49a34d82c0ee99343ae32f3367137db19131c2cf4
Trickbot payloadaa40f9dd1212993f79cc23111de3a8dd5e529dd1a8ca5dceaa30fba53f6f96b4
Trickbot distribution URLhttp://mineiro.ch/casrtnoar/count.php
EtterSilent maldoc9b1c03b0cca23a94f2d6988c66eb0d246ec2648623765e83dbf20548ac874837
Ursnif payload1c65c1a53f1cf5372bb35b5af5130e966b4bb7e7941cc1460f28628249ce5189
Ursnif distribution URLhttp://holmesservices.mobiledevsite.co/ds/2803.gif
EtterSilent maldoc2a3316b69ec787ca13a3e35697bcfc4a5e37a9a3080434c56fdf17e0593e0a12

 m