New ThreadKit exploit builder used to spread banking Trojan and RATs

Pierluigi Paganini March 28, 2018

A recently discovered Microsoft Office document exploit builder kit dubbed ThreadKit has been used to spread a variety of malware, including RATs and banking Trojans.

Security experts at Proofpoint recently discovered a Microsoft Office document exploit builder kit dubbed ThreadKit that has been used to spread a variety of malware, including banking Trojans and RATs (i.e. TrickbotChthonicFormBook and Loki Bot).

The exploit kit was first discovered in October 2017, but according to the experts, crooks are using it at least since June 2017.

The ThreadKit builder kit shows similarities to Microsoft Word Intruder (MWI), it was initially being advertised in a forum post as a builder for weaponized decoy documents.

“In October 2017, Proofpoint researchers discovered a new Microsoft Office document exploit builder kit that featured a variety of recent exploits as well as a mechanism to report infection statistics.” reads the analysis published by ProofPoint. “While the documents produced by this kit exhibited some minor similarities to Microsoft Word Intruder (MWI), we determined that they were likely produced by a new exploit builder kit, which we started tracking as ThreadKit.”

Just after its appearance, documents created with the ThreadKit builder kit have been observed in several campaigns.

The decoy documents used in past campaigns performed an initial check-in to the command and control (C&C) server, a tactic also used by MWI.

The documents were triggering the CVE-2017-0199 vulnerability in Office to download and execute an HTA file that would then download the decoy and a malicious VB script to extract and run the embedded executable.


The last step of the infection sees the execution of the Smoke Loader, a small application used to download other malicious codes, in these specific attacks a banking malware.

Starting from October 2017, researchers observed the ThreadKit triggering the CVE 2017-8759 vulnerability.

“In October 2017, we started observing corresponding campaigns utilizing CVE-2017-8759. This version of ThreadKit employed a similar infection statistic initial C&C check-in and HTA to execute the embedded executable. Other changes were made to the way the exploit documents operate, in addition to integrating the new vulnerabilities.” continues the analysis.

Since November, ThreadKit integrated the code for the exploitation of the CVE 2017-11882, a 17-Year-Old flaw in MS Officeexploited by remote attackers to install a malware without user interaction.

In the last weeks, the exploit kit included new exploits targeting vulnerabilities such as the CVE-2018-4878 Adobe Flash zero-day and several Microsoft office vulnerabilities (i.e. CVE-2018-0802 and CVE-2017-8570).

Proofpoint researchers observed numerous campaigns featuring ThreadKit-generated Office attachments packing exploits that were likely copied from PoC code available on a researcher’s GitHub repo.

“ThreadKit is a relatively new and popular document exploit builder kit that has been used in the wild since at least June, 2017, by a variety of actors carrying out both targeted and broad-based crimeware campaigns. This new document exploit builder kit makes the use of the latest Microsoft Office exploits accessible to even low-skilled malicious actors.” concluded Proofpoint.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – ThreadKit, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment