The Four Element Sword, weaponized document builder used in APT Attacks

Experts analyzed a dozen attacks that leveraged on malicious RTF documents created using the same Four Element Sword builder.

Security experts at Arbor Networks’ Security Engineering and Response Team (ASERT) have spotted a tool used in advanced persistent threat (APT) attacks against organizations in East Asia.

The researchers have analyzed a dozen attacks that leveraged on malicious Rich Text File (RTF) documents that were all created using the same builder which it has dubbed ‘Four Element Sword.’

The experts also collected evidence that the hacking campaigns leveraging malicious RTF documents are still active.

All the attacks belong to long-running hacking campaigns operated by APTs, threat actors targeted Tibetans, Uyghurs, human rights groups in Taiwan and Hong Kong, and journalists.

The threat actors used popular RATs to compromise victim’s machines, including PlugX, Gh0stRAT, T9000, Kivars, Graber and Agent.XST.

The malware spreads via spear-phishing emails that came with malicious RTF documents in attachment. All the documents analyzed by Arbor Networks included code to exploit 2-4 vulnerabilities (CVE-2012-0158, CVE-2012-1856, CVE-2015-1641, CVE-2015-1770), the experts believe they were created by using the same builder.

The flaws CVE-2012-0158 and CVE-2012-1856 were first discovered in 2010 and fixed in 2012 by Microsoft. The flaws CVE-2015-1641 and CVE-2015-1770 were patched only last year.

“The Four Element Sword builder has been observed to utilize exploit code against four distinct vulnerabilities. Each malicious document created by the builder appears to leverage three or four of these vulnerabilities in the same RTF document, given a .DOC extension.” states the analysis published by Arbor Networks “Some targets may warrant the use of newer exploit code, while others running on dated equipment and operating systems may still fall victim to the older exploits.”

The nature of the targets and the techniques, tactics and procedures adopted by the threat actors lead the experts into belief the involvement of Chinese hackers.

The researchers at Arbor Networks also discovered that the Four Element Sword builder has been used by cyber criminal gangs in the wild, the details of these operations will be provided in future reports.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Four Element Sword builder, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.