ALERT: New malicious hacking tool impersonating DocuSign observed

04/06/2021

DocuSign has been made aware of a new malicious document builder named EtterSilent that has been used to impersonate DocuSign to deliver malware to victims. The document builder creates Microsoft Office documents that either contain malicious macros or attempt to exploit a known Microsoft Office vulnerability (CVE-2017-8570) to download malware onto the victim's computer. This activity originates from malicious third-party sources and is not coming from the DocuSign platform.

To date, the malicious documents have been observed to deliver many different malware families such as Trickbot, QBot, Bazar, IcedID and Ursnif. These types of maldocs are typically delivered to victims via phishing attacks. For more information on how to spot phishing, please see our Combating Phishing white paper.
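The two delivery methods described above (VBA macros and embedded-object exploitation of CVE-2017-8570) leave structural traces in the attachment itself. The following Python triage helper is an added example, not DocuSign's own tooling; it checks an attachment for those traces so it can be held for analyst review. The sample documents it builds are constructed in memory for the example and are not real EtterSilent files; the RTF control-word heuristic is an assumption about how such exploit documents are typically packaged.

```python
import io
import re
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary Office (CFB) header


def build_sample_docm(with_macro):
    """Construct a minimal OOXML container (constructed sample, not a real maldoc)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # A real vbaProject.bin is itself a CFB file; the header is enough here.
            z.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 16)
    return buf.getvalue()


def triage_office_attachment(data):
    """Return reasons to hold the attachment for review; an empty list means none found."""
    findings = []
    if data.startswith(b"PK\x03\x04"):  # OOXML (.docx/.docm/.xlsm ...) is a zip container
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            return ["OOXML container is malformed"]
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            findings.append("OOXML document carries a VBA project (macros present)")
        if any("/embeddings/" in n.lower() for n in names):
            findings.append("OOXML document carries embedded objects")
    elif data.startswith(OLE2_MAGIC):
        # Legacy .doc/.xls: finding VBA streams needs a CFB parser (e.g. olefile); flag for review.
        findings.append("legacy OLE2 document; inspect for VBA streams with an OLE parser")
    elif data.lstrip().startswith(b"{\\rt"):
        # Assumption: exploit documents for OLE-based bugs such as CVE-2017-8570 are
        # commonly RTF files carrying an embedded object, declared with these control words.
        if re.search(rb"\\objdata|\\objclass|\\objupdate", data):
            findings.append(
                "RTF contains embedded OLE object(s); review for CVE-2017-8570-style exploitation"
            )
    return findings
```

Run the helper over inbound attachments that claim to be DocuSign envelopes; any non-empty result is a reason to quarantine the message rather than deliver it.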

The following Indicators of Compromise have been seen associated with this activity:
