The Four Element Sword, weaponized document builder used in APT Attacks

Share this…

Experts analyzed a dozen attacks that leveraged on malicious RTF documents created using the same Four Element Sword builder.

Security experts at Arbor Networks’ Security Engineering and Response Team (ASERT) have spotted a tool used in advanced persistent threat (APT) attacks against organizations in East Asia.

The researchers have analyzed a dozen attacks that leveraged on malicious Rich Text File (RTF) documents that were all created using the same builder which it has dubbed ‘Four Element Sword.’

The experts also collected evidence that the hacking campaigns leveraging malicious RTF documents are still active.

All the attacks belong to long-running hacking campaigns operated by APTs, threat actors targetedTibetans, Uyghurs, human rights groups in Taiwan and Hong Kong, and journalists.

The threat actors used popular RATs to compromise victim’s machines, including PlugX, Gh0stRAT,T9000, Kivars, Graber and Agent.XST.

The malware spreads via spear-phishing emails that came with malicious RTF documents in attachment. All the documents analyzed by Arbor Networks included code to exploit 2-4 vulnerabilities (CVE-2012-0158, CVE-2012-1856, CVE-2015-1641, CVE-2015-1770), the experts believe they were created by using the same builder.

Four Element Sword Builder

The flaws CVE-2012-0158 and CVE-2012-1856 were first discovered in 2010 and fixed in 2012 by Microsoft. The flaws CVE-2015-1641 and CVE-2015-1770 were patched only last year.

“The Four Element Sword builder has been observed to utilize exploit code against four distinct vulnerabilities. Each malicious document created by the builder appears to leverage three or four of these vulnerabilities in the same RTF document, given a .DOC extension.” states the analysis published by Arbor Networks “Some targets may warrant the use of newer exploit code, while others running on dated equipment and operating systems may still fall victim to the older exploits.”

The nature of the targets and the techniques, tactics and procedures adopted by the threat actors lead the experts into belief the involvement of Chinese hackers.

The researchers at Arbor Networks also discovered that the Four Element Sword builder has been used by cyber criminal gangs in the wild, the details of these operations will be provided in future reports.