
Trojan.Mdropper.AC

Trojan.Mdropper.AC is a malware loader/dropper that Microsoft identified as exploiting CVE-2009-0238, a remote code execution vulnerability in Microsoft Office Excel, in real-world attacks. The vulnerability is triggered when a victim opens a specially crafted Excel file containing a malformed object: parsing that object corrupts memory and lets the attacker execute arbitrary code with the privileges of the user who opened the file, so a victim running as a standard user limits what the dropped payload can do directly, while an administrative user hands over the whole host. Supporting content states that Trojan.Mdropper.AC was first observed exploiting this flaw in February 2009 and was used to deliver additional malware in follow-on attacks; Microsoft fixed the vulnerability in April 2009 (Microsoft Security Bulletin MS09-009). The affected products were Excel 2000 SP3, 2002 SP3, 2003 SP3 and 2007 SP1; Excel Viewer 2003 Gold and SP3; the Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1; and Excel in Microsoft Office 2004 and 2008 for Mac. No specific threat actor, targeted industry, or standalone indicators of compromise for Trojan.Mdropper.AC are provided in the content.
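The mechanism above (a crafted workbook whose malformed record corrupts the parser) points at a practical gateway control: identify the attachment by its container rather than its extension, and route legacy binary workbooks to detonation or a block. The following is an added example, not code from this page, from Microsoft or from Mallory. It assumes the crafted file is a legacy OLE2/BIFF workbook (which is what "malformed record object" refers to), walks the Compound File Binary directory to look for a Workbook stream, and caps the walk so a deliberately looping sector chain cannot hang the triage job. The builder at the end constructs sample data only: empty streams, nothing resembling an exploit.

```python
"""Pre-sandbox triage of mail attachments for legacy binary Excel workbooks.

Added example, not code from the Mallory page or from Microsoft. It parses the
OLE2 / Compound File Binary (CFB) directory to find a BIFF 'Workbook' stream
whatever the filename says, and caps the directory walk so a malformed (e.g.
looping) sector chain cannot hang the pipeline that is supposed to catch it.
"""
import ntpath
import struct
from dataclasses import dataclass, field

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # CFB signature
ZIP_MAGIC = b"PK\x03\x04"                        # OOXML (.xlsx) is a zip
WORKBOOK_STREAMS = ("Workbook", "Book")          # BIFF8 and BIFF5/7 stream names
LEGACY_XLS_EXTS = {".xls", ".xlt", ".xla"}
REGSECT_MAX = 0xFFFFFFFA                          # anything above is a sentinel
FATSECT, ENDOFCHAIN, FREESECT = 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF


@dataclass
class Triage:
    filename: str
    container: str           # "ole2", "ooxml" or "other"
    has_workbook_stream: bool
    extension_mismatch: bool
    verdict: str             # "block-or-detonate", "review" or "pass"
    reasons: list = field(default_factory=list)


def cfb_directory_names(data: bytes, max_dir_sectors: int = 64) -> list:
    """Entry names in the CFB directory, following the FAT chain from the header.
    Only the 109 FAT sector ids in the header are read (files of a few MB);
    the walk stops after max_dir_sectors so a looping chain terminates."""
    if not data.startswith(OLE2_MAGIC) or len(data) < 512:
        return []
    shift = struct.unpack_from("<H", data, 30)[0]
    if shift not in (9, 12):                      # v3 = 512-byte, v4 = 4096-byte sectors
        return []
    size, fat = 1 << shift, []
    for i in range(109):                          # DIFAT entries embedded in the header
        sid = struct.unpack_from("<I", data, 76 + 4 * i)[0]
        if sid > REGSECT_MAX:
            break
        chunk = data[(sid + 1) << shift:(sid + 2) << shift]
        if len(chunk) < size:
            break
        fat.extend(struct.unpack("<%dI" % (size // 4), chunk))
    names, sid, hops = [], struct.unpack_from("<I", data, 48)[0], 0
    while sid <= REGSECT_MAX and hops < max_dir_sectors:
        block = data[(sid + 1) << shift:(sid + 2) << shift]
        if len(block) < size:
            break
        for off in range(0, size, 128):           # 128-byte directory entries
            entry = block[off:off + 128]
            name_len, obj_type = struct.unpack_from("<HB", entry, 64)
            if obj_type == 0 or not 2 <= name_len <= 64:   # unallocated or bogus
                continue
            names.append(entry[:name_len - 2].decode("utf-16-le", "replace"))
        hops += 1
        sid = fat[sid] if sid < len(fat) else ENDOFCHAIN
    return list(dict.fromkeys(names))


def triage_attachment(filename: str, data: bytes) -> Triage:
    """Classify by container content; the extension only serves to spot mismatches."""
    ext = ntpath.splitext(filename)[1].lower()
    if data.startswith(OLE2_MAGIC):
        has_wb = any(s in WORKBOOK_STREAMS for s in cfb_directory_names(data))
        if not has_wb:
            return Triage(filename, "ole2", False, False, "review",
                          ["OLE2 container without a BIFF workbook stream"])
        mismatch = ext not in LEGACY_XLS_EXTS
        reasons = ["legacy BIFF workbook: the binary parser CVE-2009-0238 targets"]
        if mismatch:
            reasons.append("binary workbook delivered as %r; Office sniffs the "
                           "container, so the extension is not a gate" % (ext or "(none)"))
        return Triage(filename, "ole2", True, mismatch, "block-or-detonate", reasons)
    if data.startswith(ZIP_MAGIC):
        return Triage(filename, "ooxml", False, False, "pass",
                      ["OOXML (zip) container; outside this rule's scope"])
    return Triage(filename, "other", False, False, "pass", ["not an Office container"])


def build_sample_xls(stream_names=("Workbook",)) -> bytes:
    """Constructed sample: minimal CFB (header, one FAT sector, one directory
    sector) holding up to three empty streams. Test data, not a workbook."""
    hdr = bytearray(512)
    hdr[:8] = OLE2_MAGIC
    struct.pack_into("<5H", hdr, 24, 0x3E, 3, 0xFFFE, 9, 6)     # v3, LE, 512B sectors
    struct.pack_into("<5I", hdr, 44, 1, 1, 0, 4096, ENDOFCHAIN)  # 1 FAT sector, dir @1
    struct.pack_into("<2I", hdr, 68, ENDOFCHAIN, 0)              # no DIFAT sectors
    hdr[76:512] = FREESECT.to_bytes(4, "little") * 109
    struct.pack_into("<I", hdr, 76, 0)                           # DIFAT[0]: FAT @ sector 0
    fat = bytearray(FREESECT.to_bytes(4, "little") * 128)
    struct.pack_into("<2I", fat, 0, FATSECT, ENDOFCHAIN)         # sector 0 FAT, 1 dir
    directory = bytearray(512)                                   # room for 4 entries
    entries = [("Root Entry", 5)] + [(n, 2) for n in stream_names]
    for idx, (name, kind) in enumerate(entries):
        base, enc = idx * 128, name.encode("utf-16-le") + b"\x00\x00"
        directory[base:base + len(enc)] = enc
        struct.pack_into("<HB", directory, base + 64, len(enc), kind)
        struct.pack_into("<3I", directory, base + 68, FREESECT, FREESECT, FREESECT)
        struct.pack_into("<I", directory, base + 116, ENDOFCHAIN)  # empty stream
    return bytes(hdr + fat + directory)
```

`triage_attachment("Q1_budget.xlsx", build_sample_xls())` returns a block verdict with a mismatch reason, because a BIFF workbook arriving under an OOXML extension is exactly the case an extension-based filter misses. The FAT walk reads only the header's 109 DIFAT slots, which is deliberate: a triage step should fail closed on oversized or odd files rather than grow a full CFB implementation.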


Vulnerabilities exploited

One CVE that Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
CVE-2009-0238: Remote Code Execution in Microsoft Office Excel Malformed Object Handling (exploited in the wild)

CISA confirmed shortly after Microsoft rolled out 165 patches on April 14 that CVE-2009-0238 (9.3), first published on February 24, 2009, was being abused in active attacks. It added the bug to its Known Exploited Vulnerabilities (KEV) catalog. We know that it's a remote code execution (RCE) issue that attackers can trigger by convincing victims to open a specially crafted Excel document that "includes a malformed object."

Microsoft notified the community and issued a fix for CVE-2009-0238 when it was first discovered being exploited by Trojan.Mdropper.AC, a loader used to deliver other malware in follow-on attacks.

Source: The Register (theregister.com)
Techniques & procedures (MITRE ATT&CK)

Three distinct techniques are documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1566.001 Spearphishing Attachment (2 evidence items)

Evidence: "attackers can trigger by convincing victims to open a specially crafted Excel document"

Execution

2 techniques
T1203 Exploitation for Client Execution (3 evidence items)

Evidence: "We know that it's a remote code execution (RCE) issue that attackers can trigger by convincing victims to open a specially crafted Excel document that 'includes a malformed object.'"

T1204.002 Malicious File (1 evidence item)

Evidence: "attackers can trigger by convincing victims to open a specially crafted Excel document that 'includes a malformed object.'"
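The three techniques above share one telemetry signature: a user opens the attachment, Excel is exploited, and Excel then writes and starts a payload it would never normally start. The following is an added example, not detection content from this page or from Mallory, showing two rules over constructed Sysmon-style events: an Office application spawning a child outside a small allowlist (T1203 / T1204.002), and a process whose image is an executable the Office process itself wrote shortly before (the dropper stage). The event field names, the allowlist of benign children and all sample paths are assumptions; the rules generalize beyond Excel to Word and PowerPoint because the parent/child logic is the same.

```python
"""Process-tree detection for Office exploitation and Office-dropped payloads.

Added example, not from the Mallory page. Runs two rules over constructed
Sysmon-style events (process creation and file creation) to surface the chain
behind T1203 / T1204.002 and the dropper behaviour described for this family.
"""
import ntpath
from dataclasses import dataclass

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Children Office starts legitimately (print spooler helper, error reporting).
# Assumption for this example; tune it against your own estate's baseline.
BENIGN_CHILDREN = {"splwow64.exe", "dw20.exe"}
EXEC_EXTS = {".exe", ".dll", ".scr", ".com"}


@dataclass
class Alert:
    ts: str
    techniques: tuple
    summary: str


def detect_office_dropper(events):
    """events: dicts with ts, event ('process_create' | 'file_create'), image
    (the acting process) and either parent_image + cmdline or target.
    Returns alerts in event order, two per process if both rules match."""
    alerts, dropped = [], {}          # dropped: lower-cased path -> ts Office wrote it
    for ev in events:
        actor = ntpath.basename(ev["image"]).lower()
        if ev["event"] == "file_create":
            target = ev["target"].lower()
            if actor in OFFICE_APPS and ntpath.splitext(target)[1] in EXEC_EXTS:
                dropped[target] = ev["ts"]          # executable written by an Office app
            continue
        parent = ntpath.basename(ev.get("parent_image", "")).lower()
        image = ev["image"].lower()
        if image in dropped:                        # rule 2: dropped binary now running
            alerts.append(Alert(ev["ts"], ("T1203",),
                "dropper chain: an Office process wrote %s at %s; now executed by %s"
                % (ev["image"], dropped[image], parent or "unknown")))
        if parent in OFFICE_APPS and actor not in BENIGN_CHILDREN:  # rule 1
            alerts.append(Alert(ev["ts"], ("T1203", "T1204.002"),
                "%s spawned %s (%r)" % (parent, actor, ev.get("cmdline", ""))))
    return alerts


# Constructed sample telemetry (not captured from a real incident).
OFFICE = r"C:\Program Files\Microsoft Office\Office12\EXCEL.EXE"
SAMPLE_EVENTS = [
    {"ts": "2009-02-20T09:14:02Z", "event": "process_create", "image": OFFICE,
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"EXCEL.EXE" "C:\Users\alice\Downloads\Q1_budget.xls"'},
    {"ts": "2009-02-20T09:14:09Z", "event": "file_create", "image": OFFICE,
     "target": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"ts": "2009-02-20T09:14:10Z", "event": "process_create",
     "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "parent_image": OFFICE, "cmdline": "update.exe"},
    {"ts": "2009-02-20T09:20:41Z", "event": "process_create",
     "image": r"C:\Windows\splwow64.exe", "parent_image": OFFICE,
     "cmdline": "splwow64.exe 12288"},
    {"ts": "2009-02-20T09:25:00Z", "event": "process_create",
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "cmd.exe"},
]

if __name__ == "__main__":
    for a in detect_office_dropper(SAMPLE_EVENTS):
        print(a.ts, "/".join(a.techniques), a.summary)
```

On the sample the benign print helper and the unrelated cmd.exe produce nothing; the dropped update.exe produces both alerts. Rule 2 keys on the path the Office process wrote, so it still fires if the dropped binary is started later by a different parent, which is the case a pure parent/child rule misses.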
