ALERT: New malicious hacking tool impersonating DocuSign observed
DocuSign has been made aware of a new malicious document builder named EtterSilent that has been used to impersonate DocuSign to deliver malware to victims. The document builder creates Microsoft Office documents containing malicious macros or attempts to exploit a known Microsoft Office vulnerability (CVE-2017-8570) to download malware onto the victim’s computer. This activity is from malicious third-party sources and is not coming from the DocuSign platform.
To date, the malicious documents have been observed to deliver many different malware families such as Trickbot, QBot, Bazar, IcedID and Ursnif. These types of maldocs are typically delivered to victims via phishing attacks. For more information on how to spot phishing, please see our Combating Phishing white paper.
The following Indicators of Compromise have been seen associated with this activity:
| Description | Value |
| --- | --- |
| Trickbot payload | 9118198afca6e2479fdbcca55a08a4408570d2186a7dd8f261f1821178deb595 |
| Trickbot distribution URL | http://costacars.es/ico/ortodox.php |
| EtterSilent maldoc | 50fd4b2e51908a55f2c891fb3ffde2c3661e4324c1887e65fabfb1a93a41efb2 |
| IcedID payload | 8e51ccc6c8d14f0365d2d597c8aaf6015238839c0dab90e419107782bf460414 |
| IcedID distribution URL | http://188.127.254.114/44270.7082388889.dat |
| EtterSilent maldoc | 2baf563da8db9e2ed765fa7697025d277d06ee53424f6513671f2f6b7441387b |
| QBot payload | 24753d9f0d691b6d582da3e301b98f75abbdb5382bb871ee00713c5029c56d44 |
| QBot distribution URL | http://kfzhm28pwzrlk02bmjy.com/mrch.gif |
| EtterSilent maldoc | 16a0c2f741a14c423b7abe293e26f711fdb984fc52064982d874bf310c520b12 |
| Ursnif payload | d5b05a81f377c33a2fba292002d0474b68483225aa09c97a00336fc368383d6a |
| Ursnif distribution URL | http://musclemodz.com/asrt3.png |
| EtterSilent maldoc | 267a54f074b688d591d5cfb7831f1adb443ec1441076775cb158bed0d385f712 |
| Bazar payload | b7ce29ffbdf00771b539b28ce01d57cd5805ca3a6ca2eb1b694eed4466912286 |
| Bazar distribution URL | http://itelsys.ma/prod/education.php |
| EtterSilent maldoc | 5f8e3b19cd4d25ac396cf64f6f448d88e301cf899142bdb03a28cec42eb71389 |
| QBot payload | 6a984d3aaffeeec32f3803489c71bfd907e2fb74dbc8eeb931c084f11293e1cc |
| QBot distribution URL | http://pokojewewladyslawowie.pl/orlpzhiy/44270.5684626157.dat |
| EtterSilent maldoc | 3a5d67bdc42b7a9ebd1137e49a34d82c0ee99343ae32f3367137db19131c2cf4 |
| Trickbot payload | aa40f9dd1212993f79cc23111de3a8dd5e529dd1a8ca5dceaa30fba53f6f96b4 |
| Trickbot distribution URL | http://mineiro.ch/casrtnoar/count.php |
| EtterSilent maldoc | 9b1c03b0cca23a94f2d6988c66eb0d246ec2648623765e83dbf20548ac874837 |
| Ursnif payload | 1c65c1a53f1cf5372bb35b5af5130e966b4bb7e7941cc1460f28628249ce5189 |
| Ursnif distribution URL | http://holmesservices.mobiledevsite.co/ds/2803.gif |
| EtterSilent maldoc | 2a3316b69ec787ca13a3e35697bcfc4a5e37a9a3080434c56fdf17e0593e0a12 |
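The indicators above are only useful once they are in a form a SOC can match against. The following Python script is an added example, not DocuSign's own tooling: it parses a subset of the advisory's `DESCRIPTION | VALUE |` rows (the hashes and URLs are the page's values), builds hash, exact-URL and host lookups, checks a file's SHA-256 against the hash list, and scans proxy log lines for the distribution URLs. The three log lines are constructed in an assumed Squid-like layout and are not real traffic; a host-only match is reported separately because it is a weaker signal than an exact distribution-URL hit.

```python
import hashlib
import re
from urllib.parse import urlparse

# A subset of rows copied from the advisory's indicator table
# (values are the page's own; the table layout is "DESCRIPTION | VALUE |").
IOC_TABLE = """\
DESCRIPTION | VALUE |
Trickbot payload | 9118198afca6e2479fdbcca55a08a4408570d2186a7dd8f261f1821178deb595 |
Trickbot distribution URL | http://costacars.es/ico/ortodox.php |
EtterSilent maldoc | 50fd4b2e51908a55f2c891fb3ffde2c3661e4324c1887e65fabfb1a93a41efb2 |
IcedID payload | 8e51ccc6c8d14f0365d2d597c8aaf6015238839c0dab90e419107782bf460414 |
IcedID distribution URL | http://188.127.254.114/44270.7082388889.dat |
QBot payload | 24753d9f0d691b6d582da3e301b98f75abbdb5382bb871ee00713c5029c56d44 |
QBot distribution URL | http://kfzhm28pwzrlk02bmjy.com/mrch.gif |
"""

SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")
URL_RE = re.compile(r"https?://[^\s\"']+")


def parse_ioc_table(text):
    """Turn 'DESCRIPTION | VALUE |' rows into (kind, description, value) tuples.

    kind is 'sha256' or 'url'; the header row and malformed rows are skipped.
    """
    iocs = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) < 2 or not cells[0] or not cells[1]:
            continue
        desc, value = cells[0], cells[1]
        if SHA256_RE.match(value):
            iocs.append(("sha256", desc, value.lower()))
        elif URL_RE.fullmatch(value):
            iocs.append(("url", desc, value))
    return iocs


def build_index(iocs):
    """Index the IoCs for constant-time lookups: by hash, exact URL and host."""
    hashes = {v: d for k, d, v in iocs if k == "sha256"}
    urls = {v: d for k, d, v in iocs if k == "url"}
    hosts = {urlparse(u).hostname: d for u, d in urls.items()}
    return hashes, urls, hosts


def check_file_bytes(data, hashes):
    """Return the IoC description if the file's SHA-256 is listed, else None."""
    return hashes.get(hashlib.sha256(data).hexdigest())


def scan_proxy_log(lines, urls, hosts):
    """Match every URL in each log line against the IoC list.

    Returns (line_number, match_kind, description): 'url' for an exact
    distribution-URL hit, 'host' for traffic to a listed host with a
    different path (weaker, but still worth triage).
    """
    hits = []
    for n, line in enumerate(lines, start=1):
        for m in URL_RE.finditer(line):
            url = m.group(0)
            host = urlparse(url).hostname
            if url in urls:
                hits.append((n, "url", urls[url]))
            elif host in hosts:
                hits.append((n, "host", hosts[host]))
    return hits


# Constructed proxy log lines (not real traffic) in an assumed Squid-like layout.
SAMPLE_LOG = [
    "1617705600.123 192.168.1.25 TCP_MISS/200 GET http://costacars.es/ico/ortodox.php",
    "1617705601.456 192.168.1.30 TCP_HIT/200 GET http://example.com/index.html",
    "1617705602.789 192.168.1.31 TCP_MISS/200 GET http://188.127.254.114/other.dat",
]

if __name__ == "__main__":
    hashes, urls, hosts = build_index(parse_ioc_table(IOC_TABLE))
    for hit in scan_proxy_log(SAMPLE_LOG, urls, hosts):
        print(hit)
    print(check_file_bytes(b"constructed, benign bytes", hashes))
```

To use it against real data, paste the full table into `IOC_TABLE`, feed `check_file_bytes` the bytes of quarantined attachments, and pass proxy or DNS log lines to `scan_proxy_log`; hash matches are exact by nature, so a miss there says nothing about a repacked sample, which is why the URL and host matches are worth keeping alongside them.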