A new macro builder, APOMacroSploit, has been observed generating weaponized Excel documents used against more than 80 organizations worldwide. The tool produces heavily obfuscated Excel documents that the researchers found evaded Gmail's attachment scanning, the Windows Antimalware Scan Interface (AMSI), and other email and endpoint phishing defenses. The toolkit was sold on hxxps://hackforums[.]net for $50 per file and has been attributed to two individuals in France, who appear to have made more than 100 sales in the preceding month and a half. The researchers note that one of the actors was identified through an earlier Twitter post in which his name was visible on a concert ticket. Authorities have been notified and are investigating.
The initial document carries a malicious Excel 4.0 (XLM) macro that runs automatically when the victim opens the file. The macro downloads a batch script to the target machine and hides it; the script uses a Start-Sleep command (a PowerShell cmdlet) to delay execution, a common technique for outlasting the time window of automated sandbox analysis. Two file hashes were listed as IoCs for the dropped malware: a359796eacef161e75ce3f5094e1dd2bff37389c and 9a8b2be1f45b4d3d5a9a772ce45a01caa0a1b6e2. Note that both are 40 hexadecimal characters, which is SHA-1 length rather than MD5 (32 characters), so they must be compared against SHA-1 digests when hunting for the dropped file.
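As an added example (not code from the original report or from the toolkit's authors), the following Python script does two things a responder would want from this brief: it classifies the two listed IoC hashes by length so they are matched with the right digest algorithm, and it flags the Excel-to-shell-to-delayed-PowerShell chain described above in process-creation telemetry. The Sysmon-style event records, PIDs, paths and command lines are constructed for illustration and are not real telemetry.

```python
import hashlib
import re

# Hashes exactly as listed in the brief. Both are 40 hex characters, i.e.
# SHA-1 length, so they must be matched against SHA-1 digests, not MD5.
PAGE_IOC_HASHES = [
    "a359796eacef161e75ce3f5094e1dd2bff37389c",
    "9a8b2be1f45b4d3d5a9a772ce45a01caa0a1b6e2",
]

_HASH_ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def classify_hash(value):
    """Return the digest algorithm implied by a hex IoC's length, or None."""
    value = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", value):
        return None
    return _HASH_ALGO_BY_LEN.get(len(value))


def matches_ioc(data, iocs=PAGE_IOC_HASHES):
    """Hash file bytes with the algorithm each IoC's length implies and compare."""
    for ioc in iocs:
        algo = classify_hash(ioc)
        if algo and hashlib.new(algo, data).hexdigest() == ioc.lower():
            return True
    return False


OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Execution delays commonly used to outlast sandbox analysis windows.
DELAY_RE = re.compile(r"start-sleep|timeout(\.exe)?\s+/t|ping\s+(-n\s+\d+\s+)?127\.0\.0\.1", re.I)
HIDDEN_RE = re.compile(r"-w(in|indowstyle)?\s+hidden|/min\b", re.I)

# Constructed Sysmon Event ID 1-style records (hypothetical, not captured data).
# PID 1204 (explorer.exe) is deliberately absent, so ancestry walks stop there.
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 1204, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmd": r'"EXCEL.EXE" "C:\Users\u\Downloads\invoice.xls"'},
    {"pid": 4388, "ppid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\run.bat"'},
    {"pid": 4402, "ppid": 4388, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": 'powershell.exe -w hidden -c "Start-Sleep -s 60; <stage 2>"'},
    # Benign: an interactive prompt opened from Explorer, then a harmless cmdlet.
    {"pid": 5000, "ppid": 1204, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe"},
    {"pid": 5010, "ppid": 5000, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe Get-Date"},
]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Walk ppid links; return image basenames from pid up to the last known ancestor."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(_basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def score_event(events, event):
    """Return the list of reasons this event is suspicious (empty if none)."""
    chain = ancestry(events, event["pid"])
    reasons = []
    if chain and chain[0] in SHELLS and any(a in OFFICE_APPS for a in chain[1:]):
        reasons.append("shell descended from Office app: " + " <- ".join(chain))
    if DELAY_RE.search(event["cmd"]):
        reasons.append("execution delay in command line")
    if HIDDEN_RE.search(event["cmd"]):
        reasons.append("hidden window requested")
    return reasons


def detect(events):
    """Map pid -> reasons for every event that trips at least one rule."""
    hits = {}
    for e in events:
        reasons = score_event(events, e)
        if reasons:
            hits[e["pid"]] = reasons
    return hits


if __name__ == "__main__":
    for h in PAGE_IOC_HASHES:
        print(h, "->", classify_hash(h))
    for pid, reasons in detect(SAMPLE_EVENTS).items():
        print(pid, reasons)
```

The ancestry walk matters because the delayed PowerShell process is two hops from Excel; a rule that only inspects the immediate parent would see cmd.exe and miss the Office origin. The delay and hidden-window patterns are broad on purpose and should be tuned to the environment before being used as a standalone alert.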