DocuSign hacking tool – Alert!
DocuSign notified users earlier this week of a new hacking tool that is mimicking their product. This tool drops malware onto victims' computer systems. The tool, named EtterSilent, uses Microsoft Office documents containing macros to launch its attack. See the alert below.
ALERT: New malicious hacking tool impersonating DocuSign observed
04/06/2021
DocuSign has been made aware of a new malicious document builder named EtterSilent that has been used to impersonate DocuSign to deliver malware to victims. The document builder creates Microsoft Office documents containing malicious macros or attempts to exploit a known Microsoft Office vulnerability (CVE-2017-8570) to download malware onto the victim’s computer. This activity is from malicious third-party sources and is not coming from the DocuSign platform.
To date, the malicious documents have been observed to deliver many different malware families such as Trickbot, QBot, Bazar, IcedID and Ursnif. These types of maldocs are typically delivered to victims via phishing attacks. For more information on how to spot phishing, please see our Combating Phishing white paper.
The following Indicators of Compromise have been seen associated with this activity:
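The alert describes maldocs built around Office macros. As an added defender-side example (not DocuSign's code or any tool from the alert), the Python below inspects an OOXML document offline for the two things a macro lure must carry, an embedded `vbaProject.bin` part and the macro-enabled main-part content type, and computes the file's SHA-256 so it can be compared against a published hash list. The sample documents it builds are constructed in memory for the demonstration only.

```python
import hashlib
import io
import zipfile

# OOXML main-part content type that marks a Word document as macro-enabled (.docm).
MACRO_ENABLED_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_DOCX_CT = ("application/vnd.openxmlformats-officedocument."
                 "wordprocessingml.document.main+xml")


def inspect_office_document(data: bytes) -> dict:
    """Return macro indicators for an OOXML (.docx/.docm) blob plus its SHA-256."""
    result = {
        "sha256": hashlib.sha256(data).hexdigest(),
        "is_ooxml": False,
        "has_vba_project": False,
        "macro_enabled_content_type": False,
    }
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Legacy OLE2 (.doc/.rtf) files are not zip containers; they need other tooling.
        return result
    result["is_ooxml"] = True
    names = set(zf.namelist())
    # Any vbaProject.bin part (word/, xl/, ppt/) is the embedded VBA macro storage,
    # even when the document claims the plain .docx content type.
    result["has_vba_project"] = any(n.lower().endswith("vbaproject.bin") for n in names)
    if "[Content_Types].xml" in names:
        ct_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        result["macro_enabled_content_type"] = MACRO_ENABLED_CT in ct_xml
    return result


def is_suspicious(data: bytes) -> bool:
    """Flag a document if it embeds VBA or declares itself macro-enabled."""
    r = inspect_office_document(data)
    return r["has_vba_project"] or r["macro_enabled_content_type"]


def build_sample(macro: bool) -> bytes:
    """Constructed minimal OOXML container for testing; not a real lure document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types><Override PartName="/word/document.xml" ContentType="%s"/></Types>'
                    % (MACRO_ENABLED_CT if macro else PLAIN_DOCX_CT))
        zf.writestr("word/document.xml", "<w:document/>")
        if macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")  # placeholder OLE bytes
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("clean.docx", build_sample(False)), ("lure.docm", build_sample(True))):
        print(label, is_suspicious(blob), inspect_office_document(blob)["sha256"])
```

A match on either indicator is a reason to detonate or quarantine the file; the SHA-256 is what you compare against the hashes in an advisory like the one above.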