Malware has targeted over 80 customers worldwide
Cyber security researchers have disclosed a new kind of Office malware, distributed as part of a malicious email campaign, that targeted more than 80 customers worldwide in an attempt to remotely control victim machines and steal information.
The malware builder “APOMacroSploit”, also called a macro exploit generator, allows the user to create an Excel document capable of bypassing the Windows Antimalware Scan Interface (AMSI), antivirus software and even Gmail and other email-based phishing detection.
Two France-based threat actors, “Apocaliptique” and “Nitrix”, are believed to have developed the malware builder and are estimated to have made at least $5000 in less than two months selling the product on HackForums.net.
Around 40 hackers in total are said to be behind the operation, using 100 different email senders in a slew of attacks targeting users in more than 30 different countries. According to cyber security firm Check Point, the attacks were first spotted at the end of November 2020.
The firm said in a Tuesday report: “The malware infection begins when the dynamic content of the attached XLS document is enabled, and an XLM macro automatically starts downloading a Windows system command script.”
This system command script is retrieved from cutt.ly, which redirects to servers hosting multiple BAT scripts whose filenames carry the nicknames of the customers. The script is responsible for executing the malware (“fola.exe”) on Windows systems, but not before adding the malware's location to the Windows Defender exclusion path and disabling Windows cleanup.
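As an added illustration of the chain described above, and not code from the original article or from Check Point's report, the following detection logic walks constructed process-creation events and flags its three observable stages: an Office application spawning a script host, a Defender exclusion being added from the command line, and a binary then running from the excluded path. It assumes the exclusion is added with the Add-MpPreference cmdlet's -ExclusionPath parameter and that the log records parent/child process images and command lines; paths and file names are placeholders.

```python
import re

# Constructed sample process-creation events (not from the page or Check Point),
# in the order an endpoint log would record them. Paths are placeholders.
SAMPLE_EVENTS = [
    {"pid": 1, "ppid": 0, "image": r"C:\Program Files\Microsoft Office\EXCEL.EXE",
     "cmd": r"EXCEL.EXE invoice.xls"},
    {"pid": 2, "ppid": 1, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"cmd.exe /c C:\Users\victim\AppData\Local\Temp\stage.bat"},
    {"pid": 3, "ppid": 2, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'powershell -Command Add-MpPreference -ExclusionPath "C:\Users\victim\AppData\Roaming\fola"'},
    {"pid": 4, "ppid": 2, "image": r"C:\Users\victim\AppData\Roaming\fola\fola.exe",
     "cmd": r"fola.exe"},
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
# Assumption: the exclusion is added via Add-MpPreference/Set-MpPreference -ExclusionPath.
EXCLUSION_RE = re.compile(
    r"(Add|Set)-MpPreference\b[^\n]*-ExclusionPath\s+['\"]?([^'\"\s]+)", re.IGNORECASE)

def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def analyse(events):
    """Return (pid, finding) tuples for each stage of the chain seen in log order."""
    by_pid = {e["pid"]: e for e in events}
    excluded = []   # exclusion paths added so far, lower-cased, without trailing backslash
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        img = basename(e["image"])
        # Stage 1: an Office application launching a script host (the macro's downloader)
        if parent and basename(parent["image"]) in OFFICE_APPS and img in SCRIPT_HOSTS:
            findings.append((e["pid"], "office_spawns_script_host"))
        # Stage 2: a Defender exclusion added from the command line; remember the path
        m = EXCLUSION_RE.search(e["cmd"])
        if m:
            excluded.append(m.group(2).lower().rstrip("\\"))
            findings.append((e["pid"], "defender_exclusion_added"))
        # Stage 3: a process image living under a path excluded earlier in the log
        if any(e["image"].lower().startswith(p + "\\") for p in excluded):
            findings.append((e["pid"], "exec_from_excluded_path"))
    return findings

if __name__ == "__main__":
    for pid, finding in analyse(SAMPLE_EVENTS):
        print(f"pid {pid}: {finding}")
```

Stage 3 only fires for images under a path excluded earlier in the same log, so a legitimately excluded directory that was configured before the log window does not trigger it on its own.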
In one of the attacks, the malware, a Delphi Crypter followed by a second-stage remote access Trojan called BitRAT, was found hosted on a Bulgarian website catering to medical equipment and supplies, implying that the attackers breached the website to store the malicious executable.
The use of “crypters” or “packers” has become increasingly popular among threat actors, not only to compress malware samples but also to make them more evasive and harder to reverse engineer.
First documented in August last year, BitRAT comes with features to mine cryptocurrencies, log keystrokes, hack webcams, download and upload arbitrary files, and remotely control the system via a command-and-control server, which in this case resolved to a subdomain of a legitimate Bulgarian website for video surveillance systems.
Check Point's further investigation chased the digital trail left by the two operators, which also included two League of Legends player profiles, ultimately leading the researchers to unmask the real identity of Nitrix, who revealed his actual name on Twitter when he posted a picture of a ticket he bought for a concert in December 2014.
Nitrix is from Noisy-Le-Grand and has four years of experience as a software developer. Apocaliptique’s use of alternative names such as “apo93” or “apocaliptique93” has raised the possibility that this individual is also a French resident, as “93” is the colloquial name for the French department of Seine-Saint-Denis.
Check Point Research said it has alerted law enforcement authorities about the identities of the attackers.