DocuSign Alert: New Malicious Hacking Tool Mimicking DocuSign Observed

On April 6, 2021, DocuSign issued an Alert notifying users of a new malicious hacking tool that is mimicking DocuSign to drop malware into victims’ systems. According to the Alert, the document building tool, dubbed “EtterSilent,” “creates Microsoft Office documents containing malicious macros or attempts to exploit a known Microsoft Office vulnerability (CVE-2017-8570) to download malware onto the victim’s computer. This activity is from malicious third-party sources and is not coming from the DocuSign platform.”

The Alert further states “[T]o date, the malicious documents have been observed to deliver many different malware families such as Trickbot, QBot, Bazar, IcedID and Ursnif. These types of maldocs are typically delivered to victims via phishing attacks.”

DocuSign provides the Indicators of Compromise in the Alert, which can be accessed here.

Since EtterSilent is released using macros, it is worth alerting company users that downloading macros is highly suspicious, and that they may wish to reach out to information technology professionals before downloading macros included in a document or link. If a company routinely uses DocuSign, alerting users to this scheme may help them avoid becoming a victim.