Malicious document builder LCG Kit a key component in recent phishing campaigns

[silversurfer]

Researchers at Proofpoint have uncovered a sophisticated tool commonly used by malicious actors to build weaponized documents for phishing campaigns.

Dubbed LCG Kit, the service has helped small crime groups create docs capable of spreading a variety of remote access trojans and information stealers, such as Loki Bot, FormBook, Agent Tesla, Remcos, AZORult, REvcode RAT and Quasar RAT.

Discovered in March of this year, LCG Kit is unique, Proofpoint explains in a Dec. 13 blog post, because its code “is highly obfuscated using polymorphic shellcode and a Linear Congruential Generator (LCG) – an algorithm to generate a sequence of pseudorandom numbers – to encrypt the final stage of the code, including the payload locations.”

Proofpoint says LCG Kit can produce documents in a number of formats, including RTF, Word, Excel and PDF.

“Exploit document builders like LCG Kit… make it easy for threat actors to create malicious documents for use in email campaigns,” the Proofpoint blog post states. “Because LCG Kit supports both exploits and macros, operators have a number of options for ensuring delivery of their malware payloads, whether transparently as soon as victims open the document on a vulnerable PC or via social engineering to enable macros.”

Source: https://www.scmagazine.com/home/security...campaigns/