Security researchers at Check Point have recently discovered a new Office malware builder named APOMacroSploit. The malware was first detected in November and was used in malicious emails sent to more than 80 customers worldwide.
The experts say that APOMacroSploit is a macro builder created to weaponize Excel documents for use in multiple phishing attacks.
The hackers behind the tool have continuously updated it to evade detection, but the Check Point researchers were nonetheless able to unmask one of the threat actors behind the builder.
The Campaign and Malicious Document
According to the experts, nearly 40 different hackers were involved in this malicious campaign, using 100 different malicious emails to carry out the attacks.
Telemetry also shows that attacks occurred in 30 different countries.
The primary malicious document received by the customers was an XLS file containing a malicious XLM (Excel 4.0) macro, dubbed ‘Macro 4.0.’
The attacker sets the macro to trigger as soon as the victim opens the malicious document, at which point it starts downloading the infected BAT file via the cutt.ly URL shortener.
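The auto-triggering XLM macro described above is what a defender would want to spot before the document ever reaches a user. The following scanner is an added example written for this article, not Check Point's code and not part of the APOMacroSploit research. It checks an Excel workbook in the zip-based OOXML container (.xlsm) for the two indicators of this technique: an Excel 4.0 macro sheet under xl/macrosheets/ and an auto-execution defined name such as Auto_Open in xl/workbook.xml, and it lists any XLM functions on the macro sheet that run commands or write files. The legacy binary .xls format named in the article is an OLE compound file rather than a zip archive, so for those a practitioner would run oletools (olevba) instead; handling only the zip container is a deliberate simplification of this example. The two workbooks it scans are constructed in memory, and the EXEC argument is a placeholder string, not a real command.

```python
import html
import io
import re
import zipfile
from typing import Dict, List

# Excel 4.0 (XLM) macro sheets live under xl/macrosheets/ in an OOXML workbook,
# and auto-execution is wired up by a defined name such as Auto_Open pointing at
# a cell on that sheet. Attackers commonly mark the name hidden="1".
AUTO_EXEC_NAMES = ("auto_open", "auto_close", "auto_activate")
# XLM functions that execute commands, load DLLs, or write files.
DANGEROUS_XLM_FUNCS = ("EXEC", "CALL", "REGISTER", "FOPEN", "FWRITE", "FORMULA")

DEFINED_NAME_RE = re.compile(
    r'<definedName\b([^>]*)\bname="([^"]+)"([^>]*)>([^<]*)</definedName>')
FORMULA_RE = re.compile(r"<f>([^<]*)</f>")
FUNC_RE = re.compile(r"\b(" + "|".join(DANGEROUS_XLM_FUNCS) + r")\s*\(", re.IGNORECASE)


def scan_workbook(data: bytes) -> Dict[str, List[str]]:
    """Return the XLM-macro indicators found in an OOXML workbook given as bytes."""
    findings: Dict[str, List[str]] = {
        "macrosheets": [], "auto_exec_names": [], "dangerous_calls": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        findings["macrosheets"] = sorted(
            n for n in names if n.startswith("xl/macrosheets/"))
        if "xl/workbook.xml" in names:
            wb = zf.read("xl/workbook.xml").decode("utf-8", "replace")
            for attrs_a, name, attrs_b, target in DEFINED_NAME_RE.findall(wb):
                if name.lower().split("!")[-1] in AUTO_EXEC_NAMES:
                    hidden = 'hidden="1"' in (attrs_a + attrs_b)
                    findings["auto_exec_names"].append(
                        f"{name} -> {target}" + (" (hidden)" if hidden else ""))
        for sheet in findings["macrosheets"]:
            xml = zf.read(sheet).decode("utf-8", "replace")
            for formula in FORMULA_RE.findall(xml):
                formula = html.unescape(formula)  # &quot; -> " etc.
                if FUNC_RE.search(formula):
                    findings["dangerous_calls"].append(f"{sheet}: ={formula}")
    return findings


def verdict(data: bytes) -> str:
    """Collapse the findings into a triage label for the document."""
    f = scan_workbook(data)
    if f["macrosheets"] and (f["auto_exec_names"] or f["dangerous_calls"]):
        return "suspicious"
    if f["macrosheets"]:
        return "xlm-macro-present"
    return "clean"


def build_sample(with_xlm: bool) -> bytes:
    """Constructed in-memory workbook for this demonstration (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        workbook = ['<?xml version="1.0"?><workbook>'
                    '<sheets><sheet name="Sheet1" sheetId="1"/></sheets>']
        if with_xlm:
            # Hidden Auto_Open name pointing at cell A1 of the macro sheet.
            workbook.append('<definedNames><definedName name="Auto_Open" hidden="1">'
                            'Macro1!$A$1</definedName></definedNames>')
            # Placeholder argument; a real document would carry a download command here.
            zf.writestr("xl/macrosheets/sheet1.xml",
                        '<worksheet><sheetData>'
                        '<row r="1"><c r="A1"><f>EXEC(&quot;placeholder-command&quot;)</f></c></row>'
                        '<row r="2"><c r="A2"><f>HALT()</f></c></row>'
                        '</sheetData></worksheet>')
        workbook.append("</workbook>")
        zf.writestr("xl/workbook.xml", "".join(workbook))
        zf.writestr("xl/worksheets/sheet1.xml", "<worksheet><sheetData/></worksheet>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("benign", build_sample(False)), ("xlm", build_sample(True))):
        print(label, verdict(sample), scan_workbook(sample))
```

A mail gateway or sandbox pre-filter can apply the same two checks to every attachment: a macro sheet alone already deserves a closer look, and a macro sheet combined with an auto-execution name or an EXEC/CALL formula is the exact shape of the document described here.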
APOMacroSploit and the threat actors
APOMacroSploit is a macro exploit generator that produces Excel documents designed to bypass security solutions such as the Windows Antimalware Scan Interface (AMSI), Gmail’s security mechanisms, and other anti-phishing tools.
It is the work of the French cybercriminals known as Apocaliptique and Nitrix. According to the security researchers’ calculations, they have already earned more than $5,000 from APOMacroSploit sales on the cybercriminal forum “HackForums.net” in just one month.
The infection begins when the dynamic content of the XLS document attached to the phishing email is enabled; the XLM macro then automatically downloads a Windows command script.
Here the threat actors made a common but key mistake: the cutt.ly link in the script simply redirects to the download server where several BAT scripts are hosted, instead of performing the request on the back end, which leaves that server visible.
In short, the threat actors Apocaliptique and Nitrix produced the BAT file used in the attack. The screenshot also clearly shows that the threat actors not only sell their attack tools but also build and host the malware themselves.
Apart from this, the BAT script is also responsible for executing the malware “fola.exe” on Windows systems running one of the following versions:-
- Windows 10
- Windows 8.1
- Windows 8
- Windows 7
BitRat and its Functionalities
BitRat is classified as a Remote Access Trojan (RAT), which gives attackers remote access to and control over an infected system. BitRat offers a wide range of features and functionalities; the key ones are:-
- SSL encryption
- XMR mining
- Webcam hacking
- Remote control
- Download and upload of files
- Compatibility with TOR
The security experts have resolved the issue, identified the threat actors, and published the IOCs.