Researchers Uncover the Identity of Hackers Behind APOMacroSploit Malware Builder

New Office Malware Discovered in Malicious Email Campaign

Cybersecurity experts have recently uncovered a sophisticated strain of Office malware being disseminated through a widespread email campaign. This campaign has targeted over 80 organizations across various sectors globally, with the intent to gain remote control over victimized machines and illicitly collect sensitive information.

The malware, known as APOMacroSploit, operates as a macro exploit generator. It enables users to create Excel documents specifically designed to evade detection by antivirus programs, the Windows Antimalware Scan Interface (AMSI), and phishing detections implemented by email services like Gmail. The creators of this tool are believed to be two French threat actors, identified by the aliases “Apocaliptique” and “Nitrix.” Since its introduction, it is estimated that they have profited upwards of $5,000 from sales on underground forums such as HackForums.net.

Reports suggest that approximately 40 individuals participated in this operation, utilizing 100 diverse email senders to execute attacks targeting users in over 30 countries. Cybersecurity firm Check Point noted that the initial signs of this malicious campaign appeared in late November 2020. The infection process begins when users enable dynamic content in an attached XLS document. Subsequently, an XLM macro activates, prompting the download of a Windows system command script.

The command script, hosted on a URL shortening service, points to servers that store numerous BAT scripts. These scripts are specifically named to include the customers’ nicknames, adding a layer of personalization aimed at increasing the chances of user engagement. The scripts not only deploy the malware, referred to as “fola.exe,” but also alter Windows Defender configurations, adding the malware’s file path to the exclusion list and disabling cleanup protocols.
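One way a defender can spot the Defender tampering described above, as an added example that is not from the article or from Check Point's report: a Python check over Windows Defender "configuration changed" messages (Event ID 5007) that flags new exclusion entries and protection settings being switched off. The sample messages, and the path C:\Users\Public\fola.exe, are constructed for illustration.

```python
import re

# Event ID 5007 ("The antimalware platform configuration changed") reports the
# registry key and new value.  The key prefix below is the documented one; the
# sample messages are constructed, not captured from a real host.
NEW_VALUE_RE = re.compile(
    r"New value:\s*HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\"
    r"(?P<key>.+?)\s*=\s*(?P<value>0x[0-9A-Fa-f]+)",
    re.IGNORECASE,
)


def event_5007(old: str, new: str) -> str:
    """Build a constructed Event 5007 message body in the Old/New value layout."""
    return f"Old value: {old}\nNew value: {new}"


SAMPLE_EVENTS = [
    # exclusion added for the dropped payload path (the behaviour the BAT script performs)
    event_5007("", r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public\fola.exe = 0x0"),
    # real-time monitoring switched off
    event_5007(r"HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = 0x0",
               r"HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = 0x1"),
    # extension-based exclusion for batch files
    event_5007("", r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions\.bat = 0x0"),
    # benign scan-parameter change; should not be flagged
    event_5007(r"HKLM\SOFTWARE\Microsoft\Windows Defender\Scan\ScanParameters = 0x1",
               r"HKLM\SOFTWARE\Microsoft\Windows Defender\Scan\ScanParameters = 0x2"),
]


def classify_config_change(message: str):
    """Return a finding dict for a suspicious Defender change, or None."""
    m = NEW_VALUE_RE.search(message)
    if not m:
        return None
    key, value = m.group("key"), int(m.group("value"), 16)
    if key.lower().startswith("exclusions\\"):
        return {"rule": "defender_exclusion_added", "key": key, "value": value}
    leaf = key.rsplit("\\", 1)[-1].lower()
    if value != 0 and (key.lower().startswith("real-time protection\\") or leaf.startswith("disable")):
        return {"rule": "defender_protection_disabled", "key": key, "value": value}
    return None


def scan_defender_events(messages):
    """Run the classifier over a batch of event messages and keep the hits."""
    return [hit for hit in (classify_config_change(m) for m in messages) if hit]


if __name__ == "__main__":
    for hit in scan_defender_events(SAMPLE_EVENTS):
        print(f"[{hit['rule']}] {hit['key']} = {hit['value']:#x}")
```

Exclusion additions are a high-signal event on endpoints where administrators do not normally touch Defender settings, so alert on them outright rather than correlating first.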

One notable attack involved a variant of malware known as BitRAT, which was found hosted on a Bulgarian site that typically serves the medical supply sector. This suggests that attackers may have compromised the site to facilitate the distribution of malicious executables. The functionality of BitRAT includes cryptocurrency mining, webcam hacking, keylogging, and remote system control, all operating through a command-and-control server linked to a legitimate Bulgarian website.

The use of crypters or packers to obscure malware has become increasingly prevalent among cybercriminals, making evasion of security measures more effective. Investigations by cybersecurity firms, including the tracking of online profiles linked to the attackers, have led to the identification of the individuals behind the threats. Notably, one of the operators, Nitrix, revealed his real name through a social media post about a concert ticket, while traces of Apocaliptique’s digital footprint suggest he may also be based in France.

Check Point has reported these findings to law enforcement authorities, providing critical insights into the identities of the individuals behind this campaign.

In terms of potential adversary tactics as defined by the MITRE ATT&CK framework, this incident exemplifies several techniques: Initial Access was achieved through malicious emails, leading to Execution via the macros in documents. Furthermore, Persistence was established by modifying system settings to disable security measures, while Command and Control was maintained through compromised servers directing malicious scripts.

As businesses continue to navigate an increasingly complex landscape of cybersecurity threats, remaining informed about such incidents is essential for safeguarding sensitive information and maintaining operational integrity.