Rubella Macro Builder Crimeware Kit gains popularity on cybercrime underground

A new crimeware kit dubbed the Rubella Macro Builder is rapidly gaining popularity in the cybercriminal underground, experts already spotted its malware in the wild.

A new crimeware kit dubbed the Rubella Macro Builder is rapidly gaining popularity in the cybercriminal underground. The Rubella Macro Builder allows crooks to generate a malicious payload for social-engineering spam campaigns, crooks are offering it as a service for a three-month license of $120.

“While newer versions of the builder are significantly cheaper—as of April, a three-month license is $120 USD—they also come with enhanced features including various encryption algorithm choices ( XOR and Base64), download methods (PowerShell, Bitsadmin, Microsoft.XMLHTTP, MSXML2.XMLHTTP, custom PowerShell payload), payload execution methods (executable, JavaScript, Visual Basic Script), and the ability to easily deploy social engineering decoy themes with an Enable Content feature turned on to run the macro.” reads the analysis published by Flashpoint.

According to Flashpoint researches, Rubella is not particularly sophisticated, the builder is used to create Microsoft Word or Excel weaponized documents to use in spam email. The Rubella-generated malware acts as a first-stage loader for other malware.

The Rubella Macro Builder is cheap, fast and easy to use, the malware it generated can evade antivirus detection.

According to Flashpoint experts, also popular criminal gangs are using Rubella malware in their campaign, for example, the criminal crews behind the Panda and Gootkit banking malware.

“The macro junk and substitution method appears to be relatively primitive, relying on basic string substitutions. Additionally, its copy/paste implementation of the Base64 algorithm is displayed in Visual Basic Script (VBS) code implementation. The code is obfuscated through general Chr ASCII values.” continues the analysis.

Crooks continues to use weaponized documents for their campaigns, builders for Microsoft Office-based loader malware are a precious commodity in the underground.

Flashpoint also published the indicators of compromise (IOCs) for the Rubella macro builder here.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Rubella Macro Builder, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.