A new macro tool has been observed creating weaponized Excel documents targeting over 80 organizations worldwide. APOMacroSploit creates highly obfuscated Excel documents capable of bypassing Gmail, Windows Antimalware Scan Interface, and other email-based phishing detections. This toolkit was observed being sold on hxxps://hackforums[.]net for a price of $50 per file, and has been attributed to two individuals in France who have apparently made over 100 sales in just the last month and a half. In the analysis, researchers point out that one actor has been identified due to a past Twitter post in which his name was revealed on a concert ticket. Authorities have been notified and are investigating.
The initial document contains a malicious Excel 4.0 macro and is triggered automatically when the victim opens the document. A batch script is downloaded and hidden on the target machine and utilizes a “Start-Sleep command” as one of its evasion techniques. Two MD5 hashes were listed as IoCs for the malware dropped, a359796eacef161e75ce3f5094e1dd2bff37389c and 9a8b2be1f45b4d3d5a9a772ce45a01caa0a1b6e2.
Analyst Notes
Malware and toolkits as a service are readily available in certain forums. An individual with malicious intent yet lacking the skillset necessary may acquire the tools needed to bypass antivirus scans and deliver malware to their target. It is useful to have detections in place to alert when unusual child processes spawn from Excel or Word processes. As noted in the referenced analysis, this toolkit uses techniques able to bypass most email based phishing detections. The need for awareness training and incentives for identifying malicious behavior, email, and documents is paramount to a solid risk management plan. Unfortunately, infection usually starts with an honest mistake, not a highly sophisticated chain of exploits. In order to combat this it is recommended that on top of employee awareness and incentive programs a solid team providing Security Operations Center defense and as stated in the Senate hearing concerning the Solar Winds attacks. Threat Hunting serves as a force multiplier in defensive operations and can be the mitigating factor between a breach and a data leak or ransomware encryption. Binary Defense offers both these solutions with teams readily available 24/7 to assist.
CheckPoint Research blog: https://research.checkpoint.com/2021/apomacrosploit-apocalyptical-fud-race/
https://securityaffairs.co/wordpress/114880/cyber-crime/apomacrosploit-macro-builder.html?utm_source=rss&utm_medium=rss&utm_campaign=apomacrosploit-macro-builder
https://www.intelligence.senate.gov/hearings/open-hearing-hearing-hack-us-networks-foreign-adversary
