AKBuilder: A builder for exploit-laden Word documents
One doesn’t have to be a great coder to become a successful cybercriminal, as underground markets are filled with offerings that automate one or another step of an attack chain.
Take for example the AKBuilder, a builder for Word documents that carry exploits for several vulnerabilities and a malicious, encrypted payload.
The evolution of AKBuilder
According to SophosLabs principal researcher Gábor Szappanos, two versions of the builder have, at one time or another, found their way to the market.
Sold for $550 (or thereabouts), the builder – which comes in the form of a Python script – requires users to simply enter the name of the payload file, that of the decoy document, and the name of the generated exploit document.
The first version of the builder (AK-1) exploits the CVE-2012-0158 and CVE-2014-1761 vulnerabilities, and was active from mid-2015 to mid-2016. The second one (AK-2) exploits CVE-2015-1641, and took over where AK-1 left off.
But nothing stays the same for long, and AK-1 recently made a comeback. As the Ancalog builder (the “vintage exploit builder”) disappeared from the market, there was a need for builders exploiting older Office vulnerabilities, and AK-1 was popular again.
AKBuilder also spawned other versions, likely by other authors. As the builder is a simple Python script, it’s easy to steal it and modify it by those who know how.
“Some of the distributors (including the most persistent one) are seemingly from the Arabic regions. There is no proof that there is any connection between them, though,” Sophos’ Bill Brenner explained.
“But apart from them, there are a handful of other, seemingly unrelated developers/distributors who sell versions of this kit. We suspect that most of them work independently, purchasing one version of the kit, then modifying and distributing it on their own. Some of them distribute only this kit, others seem to be involved in selling a wide range of malicious software builders.”
At the moment, AKBuilder is used by various cybercrime groups to deliver a wide range of malware. “The most active (or least careful) of these criminals are Nigerian BEC groups,” says Brenner.
Protecting yourself against the exploits delivered by AKBuilder-generated documents is as easy as regularly updating Microsoft Office, as all of these vulnerabilities have already been patched.
“The dependence of criminals on the commercial offerings has a disadvantage for them: the builder doesn’t use zero-day exploits or even exploits that could be considered as new,” Brenner noted.