Researchers from Check Point, a prominent security firm, uncovered a new Office malware builder employed in numerous attacks worldwide. Check Point researchers say they know who is behind the attacks.
APOMacroSploit is a macro builder that creates weaponized Excel documents that are later used in phishing attacks. The threat actor(s) continuously updated the tool to evade detection.
APOMacroSploit’s Excel documents can evade the Windows Antimalware Scan Interface (AMSI) and even Gmail security scans and other email-based phishing detection tools. To avoid detection by Windows, the APOMacroSploit BAT scripts add the malware’s location to the Windows Defender exclusion path and disable Windows cleanup before executing the malware.
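As an added example, not code from Check Point’s report: a Python triage routine that flags Windows Defender exclusion additions of the kind the BAT scripts described above perform, run over constructed Event ID 5007 log records. The message layout follows what Defender writes when its configuration changes; the registry paths and values are made up.

```python
import re
from typing import Dict, List

# Constructed sample records from the "Microsoft-Windows-Windows Defender/Operational"
# event log. Defender logs Event ID 5007 whenever its configuration changes and
# lists the old and new registry values in the message body. The message layout
# mirrors that event; every path and value here is made up for this example.
SAMPLE_EVENTS = [
    {"id": 5007, "message": (
        "Microsoft Defender Antivirus Configuration has changed. If this is an unexpected "
        "event you should review the settings as this may be the result of malware.\n"
        "\tOld value: \n"
        "\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\"
        "C:\\Users\\Public\\Libraries\\svc = 0x0")},
    {"id": 5007, "message": (
        "Microsoft Defender Antivirus Configuration has changed.\n"
        "\tOld value: \n"
        "\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Processes\\"
        "wscript.exe = 0x0")},
    {"id": 5007, "message": (
        "Microsoft Defender Antivirus Configuration has changed.\n"
        "\tOld value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Scan\\ScheduleDay = 0x0\n"
        "\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Scan\\ScheduleDay = 0x2")},
    {"id": 1116, "message": "Microsoft Defender Antivirus has detected malware."},
]

# Matches the "New value" line of a 5007 event when it lands under the Exclusions key.
EXCLUSION_RE = re.compile(
    r"New value:\s*HKLM\\SOFTWARE\\(?:Policies\\)?Microsoft\\Windows Defender\\Exclusions\\"
    r"(Paths|Processes|Extensions)\\(.+?)\s*=\s*(\S+)",
    re.IGNORECASE)

# Exclusions pointing into user-writable locations are the ones a dropper
# typically creates for its own payload, so they get a higher severity.
USER_WRITABLE_RE = re.compile(r"^[A-Z]:\\(Users|ProgramData|Windows\\Temp)\\", re.IGNORECASE)


def find_exclusion_changes(events: List[Dict]) -> List[Dict]:
    """Return one finding per Event ID 5007 record that adds a Defender exclusion."""
    findings = []
    for event in events:
        if event.get("id") != 5007:
            continue  # only configuration-change events can carry exclusion edits
        match = EXCLUSION_RE.search(event["message"])
        if not match:
            continue  # some other setting changed (e.g. scan schedule); not an exclusion
        kind, target, value = match.groups()
        severity = "high" if kind.lower() == "paths" and USER_WRITABLE_RE.match(target) else "medium"
        findings.append({"kind": kind.lower(), "target": target, "value": value, "severity": severity})
    return findings
```

Feeding the routine real 5007 records exported from the Defender operational log gives a quick list of exclusion changes to review; an exclusion appearing right after a document macro ran is the pattern described above.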
“The malware infection begins when the dynamic content of the attached XLS document is enabled, and an XLM macro automatically starts downloading a Windows system command script,” the researchers say in the analysis.
Check Point’s researchers estimate that the two main cybercriminals made about $5,000 in one and a half months, just from sales of the APOMacroSploit builder.
Experts identified who was selling the product on HackForums.net and, based on that, believe APOMacroSploit was created by two French-based threat actors going by the names “Apocaliptique” and “Nitrix.”
The researchers uncovered the campaign back in November; about 40 hackers took part in it. They used 100 different email senders and targeted users in over 30 different countries.
“The initial malicious document our customer received was an XLS file containing an obfuscated XLM macro called Macro 4.0. The macro is triggered automatically when the victim opens the document and downloads a BAT file from cutt.ly,” reads the analysis. “The execution of the command ‘attrib’ enables the BAT script to hide in the victim’s machine. We assume the reordering of the PowerShell instructions via the Start-Sleep command (visible after deobfuscation) is seen by the attacker as another static evasion.”
A mistake on the attackers’ part helped the researchers track them down. The cutt[.]ly domain redirects directly to a download server rather than performing the request on the back end. The download servers hosted the BAT files, whose filenames had the customers’ nicknames inserted into them. From that, the researchers could obtain a list of all customers’ nicknames.
In their attacks, the threat actors used a Delphi Crypter along with a remote-access Trojan called BitRAT, which can mine cryptocurrencies and has RAT features.
By searching Skype for Nitrix’s identity, the researchers found his first name. They then determined Nitrix’s full name by some digging on Twitter: his real name appeared in a Twitter post from December 2014.
Check Point Research shared their findings with law enforcement and provided Indicators of Compromise (IoCs) to the cybersecurity community.