Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Malicious Document Builder Used in East Asia APT Attacks

Researchers at Arbor Networks’ Security Engineering and Response Team (ASERT) have identified what they believe to be a tool used in advanced persistent threat (APT) attacks aimed at various entities in East Asia.

Researchers at Arbor Networks’ Security Engineering and Response Team (ASERT) have identified what they believe to be a tool used in advanced persistent threat (APT) attacks aimed at various entities in East Asia.

An analysis of a dozen incidents from a larger set of activity has led experts to believe that the malicious Rich Text File (RTF) documents used by threat actors in their attacks were all created using the same builder.

The attacks analyzed by ASERT were part of long-running APT campaigns aimed at the Tibetan community, journalists and human rights groups in Taiwan and Hong Kong, and Uyghurs. The operations involved pieces of malware known as Kivars, PlugX, Gh0stRAT, T9000, Graber and Agent.XST.

According to researchers, these threats were primarily delivered to victims via spear-phishing emails that contained a malicious RTF document with the .doc extension. Interestingly, these files were each set up to exploit 2-4 vulnerabilities and Arbor Networks believes they might have been created with a weaponized document builder which it has dubbed “Four Element Sword.”

The Four Element Sword builder is capable of embedding code for four different Microsoft Office arbitrary code execution exploits. Two of the flaws, CVE-2012-0158 and CVE-2012-1856, were first discovered in 2010 and patched by Microsoft in 2012, while the other two, CVE-2015-1641 and CVE-2015-1770, were resolved last year. While some of these exploits are very old, researchers believe they could still be useful against certain groups that might be using older systems.

Four Element Sword Builder

For each of the 12 attacks it analyzed, Arbor Networks made connections to malware and infrastructure observed in other attacks — most notably a campaign aimed at the World Uyghur Congress and an operation dubbed by Trend Micro “Shrouded Crossbow.”

The types of targets, the pieces of malware used, overlaps in infrastructure and connections to previous campaigns suggest a link to China. ASERT has found evidence that the campaigns leveraging malicious RTF documents are ongoing.

According to researchers, the Four Element Sword builder has also been used by cybercriminals. In the cybercrime operations observed by the security firm, which will be detailed in an upcoming report, 2-3 of the Office exploits were integrated in each document.

Coinciding with ASERT’s report, the University of Toronto’s Citizen Lab disclosed the details of a cyber espionage campaign targeting Hong Kong democracy activists. The operation described by Citizen Lab is related to the threat activity detailed by ASERT.

Related: Malware Used by China APT Group Abuses Dropbox

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.


More than 3,800 servers around the world have been compromised in recent ESXiArgs ransomware attacks, which also include an improved process.