Dutch authorities have announced the arrest of a 20-year-old man accused of being the author of the Dryad and Rubella macro builders.
The man, who lives in Utrecht, created and distributed Rubella, Cetan and Dryad.
“Recently the high tech crime team (THTC) of the Dutch National Police Unit arrested a 20 year old resident of the Dutch city of Utrecht. He is suspected of large-scale production and selling of malware.” reads the announcement. “The young man offered programs with names like Rubella, Cetan and Dryad, enabling the buyer to include secret code or malware in amongst others Word or Excel files.”
Both macro builders allow crooks to easily create malicious Office documents that are usually involved in hacking campaigns as a first-stage loader for other malware.
The Rubella Macro Builder
According to Flashpoint, Rubella is not particularly sophisticated; the builder is used to create Microsoft Word or Excel
The macro might also purposely attempt to bypass endpoint security defenses.
The Rubella Macro Builder is cheap, fast and easy to use, and the malware it generates can evade antivirus detection.
According to Flashpoint experts, some popular criminal gangs used Rubella malware in their campaigns, including the criminal crews behind the Panda and Gootkit banking malware.
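A defender-side triage check for the kind of document these builders emit, added here as an example (it is not code from Security Affairs, McAfee or Flashpoint): it inspects an Office Open XML attachment for an embedded VBA project, the part a macro builder has to write into a .docm/.xlsm, and flags a VBA project hiding in a file whose extension claims to be macro-free. The sample documents it builds are constructed stand-ins, not real Word files, and the filenames are hypothetical.

```python
# Added example for this article; not code from Security Affairs, McAfee or Flashpoint.
# Triage: does an Office Open XML attachment embed a VBA project? Macro builders emit
# .docm/.xlsm files whose macros live in word/vbaProject.bin or xl/vbaProject.bin,
# declared in [Content_Types].xml with the vnd.ms-office.vbaProject content type.
import io
import zipfile
import xml.etree.ElementTree as ET

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
MACRO_FREE_EXT = (".docx", ".xlsx", ".pptx")


def triage_ooxml(data: bytes, filename: str = "") -> dict:
    """Report VBA parts found in an OOXML blob. Non-zip input is reported, not raised."""
    r = {"is_ooxml": False, "vba_parts": [], "declared": False,
         "has_macro": False, "ext_mismatch": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return r
    with zf:
        names = zf.namelist()
        r["is_ooxml"] = "[Content_Types].xml" in names
        # OPC part names are case-insensitive; vbaProject.bin is the conventional name
        r["vba_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
        if r["is_ooxml"]:
            root = ET.fromstring(zf.read("[Content_Types].xml"))
            # Both <Default Extension=...> and <Override PartName=...> can declare the type
            r["declared"] = any(el.get("ContentType") == VBA_CONTENT_TYPE
                                for el in root.iter()
                                if el.tag in (CT_NS + "Default", CT_NS + "Override"))
    r["has_macro"] = bool(r["vba_parts"]) or r["declared"]
    # A VBA project inside a file named .docx/.xlsx/.pptx is worth a closer look
    r["ext_mismatch"] = r["has_macro"] and filename.lower().endswith(MACRO_FREE_EXT)
    return r


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-shaped zip for the demo, not a real Word document."""
    override = ('<Override PartName="/word/vbaProject.bin" ContentType="%s"/>'
                % VBA_CONTENT_TYPE) if with_macro else ""
    manifest = ('<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                '<Default Extension="xml" ContentType="application/xml"/>%s</Types>' % override)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", manifest)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder OLE bytes")
    return buf.getvalue()
```

Run `triage_ooxml(build_sample(True), "invoice.docx")` to see the mismatch flag; on real mail-gateway input, pass the attachment bytes and its declared filename.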
The Dutch man was identified by law enforcement with the support of McAfee and another private company.
According to McAfee, Dryad and Rubella are very similar, and a conversation with the suspect revealed that the individual was behind both of them.
“Announced today, the Dutch National High-Tech Crime Unit (NHTCU) arrested an individual suspected of building and selling such a criminal toolkit named the Rubella Macro Builder.” reads a post published by McAfee. “McAfee Advanced Threat Research spotted the Rubella toolkit in the wild some time ago and was able to provide NHTCU with insights that proved crucial in its investigation.”
The man was also promoting a variety of products and services, ranging from stolen credit card data, malware to steal funds from crypto wallets and malicious loader software to a newly pitched product called Tantalus.
The Dutch authorities also revealed that the man had access credentials for thousands of websites in his possession.
The police also seized around 20,000 Euro (around $22,000) in cryptocurrency such as Bitcoin.
(SecurityAffairs – Macro builder, GDPR)