Cybercrime ApoMacroSploit : Apocalyptical FUD Race

upnorth

Jul 27, 2015
Quote: "At the end of November, Check Point Research detected a new Office malware builder called APOMacroSploit, which was implicated in multiple malicious emails to more than 80 customers worldwide. In our investigation, we found that this tool includes features to evade detection by Windows Defender and is updated daily to ensure low detection rates. In this article, we reveal the threat actors’ malicious intentions and disclose the real identity of one attacker. We reported this information to the relevant law enforcement authorities.

The malware infection begins when the dynamic content of the attached XLS document is enabled, and an XLM macro automatically starts downloading a Windows system command script. Based on the number of customers and the lowest option price for this product, we estimate that the two main threat actors made at least $5000 in 1.5 months, just by selling the APOMacroSploit product. We followed multiple cases of attacks related to this tool, which we discuss here, and we describe a popular RAT used in this campaign to control the victim’s machine remotely and steal information. Approximately 40 different hackers are involved in this campaign, and utilize 100 different email senders in the attacks. Overall, our telemetry reports attacks occurred in more than 30 different countries.

The initial malicious document our customer received was an XLS file containing an obfuscated XLM macro called Macro 4.0. The macro is triggered automatically when the victim opens the document, and downloads a BAT file from cutt[.]ly. The execution of the command “attrib” enables the BAT script to hide in the victim’s machine. We assume the reordering of the PowerShell instructions via the Start-Sleep command (visible after deobfuscation) is seen by the attacker as another static evasion. At this stage of the attack, the attackers made a key mistake. The cutt[.]ly domain directly redirects to a download server and does not perform the request on the back end."

Quote: "Nitrix and Apocaliptique assist buyers with how to use the tool. Many of the customer nicknames visible on the download server were also found on the channel. For each customer, Apocaliptique and Nitrix created a BAT file to use in the attack (see the procedure description below): This screenshot shows that not only did these hackers sell their attack tools, but they also participated in building and hosting the malware.

After digging into Nitrix's Twitter account, we finally obtained his identity: he revealed his actual name when he posted a picture of a ticket he bought for a concert in December 2014."

Full source:
 

Andy Ful

Dec 23, 2014
Thank you for sharing :)

Assuming that the malware cannot infect the device unless the macro is executed, the biggest challenge in preventing macro malware infections is correctly identifying the main propagation vectors, i.e. phishing/malspam emails.
This is not easy, because most phishing domains are dead before they are discovered to be malicious.
In the home environment, all macros in documents (VBA or Excel 4.0) can simply be blocked.
 

Andy Ful

Dec 23, 2014
Microsoft added AMSI protection for VBA macros (MS Office 365), so the attackers changed the attack vector to Excel 4.0 macros. They are used to download and invoke more persistent payloads, such as EXE or DLL files.
So, this new vector can be prevented by using Windows built-in features:
  1. Blocking child processes of Excel and restricting WMI to prevent bypassing the child-process check (ASR rules)
  2. Restricting scripting (SRP, AppLocker, Application Control)
  3. Blocking scripts via Windows Policies.
Many AVs still have problems mitigating Excel 4.0 macros.
"Security vendors are having difficulty detecting this threat, likely due to not having solutions in place to properly assess and parse the format and structure of how these macros are stored in Excel documents [2]. These macros are very straightforward and easy to create, thus easy to modify to bypass signature-based detection. Macros are also robust, and provide various functions that can be leveraged to evade analysis, such as obfuscating the final payload, modifying the control flow, or detecting automated sandbox analysis through specific host environmental checks."

Edit.
Excel 4.0 macros can also use Windows APIs to filelessly execute shellcode without using external scripting engines like PowerShell (rarely used in the wild). In the case of VBA macros, this could be prevented by the ASR rule "Block Win32 API calls from Office macros". But this rule most probably will not work for Excel 4.0 macros unless Microsoft updates it to cover them.
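As an added example (not code from this thread or from any of its posters), the following PowerShell audits and enforces the Defender ASR rules that cover the Excel-to-child-process and macro-to-Win32-API paths discussed above. It assumes an elevated session on a host running Microsoft Defender Antivirus; the rule GUIDs are Microsoft's published ASR rule IDs, while the helper names `Get-AsrRuleState` and `Enable-AsrRuleBlock` are invented for this example.

```powershell
# Added example: audit and enforce the ASR rules relevant to the Excel 4.0 / XLM
# download-and-execute chain. Requires elevation and Microsoft Defender Antivirus.
# GUIDs are Microsoft's published ASR rule IDs; display names are for readability.
$Rules = [ordered]@{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    # VBA-focused; per the post above it may not cover XLM macros, so keep the child-process rule too.
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
}
# Action codes as reported by Get-MpPreference (AttackSurfaceReductionRules_Actions)
$ActionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    # Hypothetical helper: returns one object per rule with its current enforcement mode.
    $pref = Get-MpPreference
    # Normalise to an upper-case array so a single configured rule is still indexable.
    $configured = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToUpper() })
    foreach ($id in $Rules.Keys) {
        $idx  = [array]::IndexOf($configured, $id)
        $code = if ($idx -ge 0) { [int]$pref.AttackSurfaceReductionRules_Actions[$idx] } else { 0 }
        [pscustomobject]@{
            Id       = $id
            Name     = $Rules[$id]
            Mode     = $ActionName[$code]
            Enforced = ($code -eq 1)   # only Block mode actually stops the chain
        }
    }
}

function Enable-AsrRuleBlock {
    # Hypothetical helper: switches every rule not already in Block mode to Block.
    foreach ($state in Get-AsrRuleState) {
        if (-not $state.Enforced) {
            Add-MpPreference -AttackSurfaceReductionRules_Ids $state.Id `
                             -AttackSurfaceReductionRules_Actions Enabled
        }
    }
}

# Show the current state, enforce, then show the result.
Get-AsrRuleState | Format-Table Name, Mode, Enforced -AutoSize
Enable-AsrRuleBlock
Get-AsrRuleState | Format-Table Name, Mode, Enforced -AutoSize
```

Run `Enable-AsrRuleBlock` in audit mode first (action code 2) on a pilot group if line-of-business workbooks legitimately spawn child processes, and review the resulting Defender event log entries before switching to Block.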