Everyday thousands of people receive emails with malicious attachments in their email inbox. Disguised as a missed payment or an invoice, a cybercriminal sender tries to entice a victim to open the document and enable the embedded macro. This macro then proceeds to pull in a whole array of nastiness and infect a victim’s machine. Given the high success rate, malicious Office documents remain a preferred weapon in a cyber criminal’s arsenal. To take advantage of this demand and generate revenue, some criminals decided to create off-the-shelf toolkits for building malicious Office documents. These toolkits are mostly offered for sale on underground cybercriminal forums.
Announced today, the Dutch National High-Tech Crime Unit (NHTCU) arrested an individual suspected of building and selling such a criminal toolkit named the Rubella Macro Builder. McAfee Advanced Threat Research spotted the Rubella toolkit in the wild some time ago and was able to provide NHTCU with insights that proved crucial in its investigation. In the following blog we will explain some of the details we found that helped unmask the suspected actor behind the Rubella Macro Builder.
What is an Office Macro Builder?
An Office Macro Builder is a toolkit designed to weaponize an Office document so it can deliver a malicious payload by the use an obfuscated macro code that purposely tries to bypass endpoint security defenses. By using a toolkit dedicated to this purpose, an actor can push out higher quantities of malicious documents and successfully outsource the first stage evasion and delivery process to a specialized third party. Below is an overview with the general workings of an Office Macro Builder. The Defense evasion shown here is specific to Rubella Office Macro Builder. Additional techniques can be found in other builders.
Dutch Language OpSec fail….
Rubella Macro Builder is such a toolkit and was offered by an actor by the same nickname “Rubella”. The toolkit was marketed with colorful banners on different underground forums. For the price of 500 US Dollars per month you could use his toolkit to weaponize Office documents that bypass end-point security systems and deliver a malicious payload or run a PowerShell Code of your choice.
Rubella advertisement banner
In one of Rubella’s forum postings the actor was detailing the toolkit and that it managed to bypass the Windows Anti Malware Scan Interface (AMSI) present in Windows 10. To prove this success, the post contained a link to a screenshot. Being a Dutch researcher, this screenshot immediately stood out because of the Dutch version of Microsoft Word that was used. Dutch is a very uncommon language, only a small percentage of the world’s population speaks it, let alone an even smaller percentage of cybercriminals who use it.
The linked screenshot with the Dutch version of Microsoft Word.
Interestingly enough we reported last year on the individuals behind Coinvault ransomware. One of the reasons they got caught was the use of flawless Dutch in their code. With this in the back of our minds we decided to go deeper down the rabbit hole.
We looked further into the large amount of posts by Rubella to learn more about the person behind the builder. The actor Rubella was actually promoting a variety of different, some self-written, products and services, ranging from (stolen) credit card data, a crypto wallet stealer and a malicious loader software to a newly pitched product called Tantalus ransomware-as-a-service.
During our research we were able to link different nicknames used by the actor on several forums across a timespan of many years. Piecing it all together, Rubella showed a classic growth pattern of an aspiring cybercriminal, started by gaining technical security knowledge on beginner forums with low op-sec and gradually moved to some of the bigger, exclusive forums to offer products and services.
PDB path Breitling
One of the posts Rubella placed on a popular hacker forum was promoting a piece of free software the actor coded to spoof email. The posting contained a link to VirusTotal and included a SHA-256 hash of the software. This gained our interest since it provided a possibility to link the adversary to the capability.
Email spoofer posting including the VirusTotal link
Closer examination of the piece of software on VirusTotal showed that the mail Spoofer contained a debug or PDB path “C:\Users\Breitling”. Even though the username Breitling isn’t very revealing about an actual person, leaving such a specific PDB path within malware is a classic mistake.
By pivoting on the specific PDB path we found additional samples on VirusTotal, including a file that was named RubellaBuilder.exe, which was a version of the Macro builder that Rubella was offering. Later in the blog post we will take a closer look at the builder itself.
Finding additional samples with the Breitling PDB path
Since Breitling was most likely the username used on the development machine, we were wondering if we could find Office documents that were crafted on the same machine and thus also containing the author name Breitling. We found an Office document with Breitling as author and the document happened to be created with a Dutch version of Microsoft Word.
The Word document containing the author name Breitling.
Closer inspection of the content of the Word document revealed that it also contained a string with the familiar Jabber account of Rubella; Rubella(@)exploit.im.
The Malicious document containing the string with the actor’s jabber account.
Circling back to the forums we found an older posting under one of the nicknames we could link to Rubella. In this posting the actor is asking for advice on how to add a registry key using C#. They placed another screenshot to show the community what they were doing. This behavior clearly shows a lack of skill but at the same time his thirst for knowledge.
Older posting where the actor asks for help.
A closer look at the screenshot revealed the same PDB path C:\Users\Breitling\.
Screenshot with the Breitling PDB path
Chatting with Rubella
Since Rubella was quite extroverted on the underground forums and had stated Jabber contact details in advertisements we decided to carefully initiate contact with him in the hope that we would get access to some more information. About a week after we added Rubella to our Jabber contact list, we received a careful “Hi.” We started talking and posing as a potential buyer, carefully mentioning our interest the Rubella Macro Builder. During this chat Rubella was quite responsive and as a real businessperson, mentioned that he was offering a new “more exclusive” Macro Builder named Dryad. Rubella proceeded to share a screenshot of Dryad with us.
Screenshot of Dryad shared by Rubella
Eventually we ended our conversation in a friendly manner and told Rubella we would be in touch if we remained interested.
Dryad Macro Builder
Based on the information provided from the chat with Rubella we performed a quick search for Dryad Macro Builder. We eventually found a sample of the Dryad Macro Builder and decided to further analyze this sample and compare it for overlap with the Rubella Macro Builder.
We noticed that the program was coded in .NET Assembly which is usually a preferred language for less skilled malware coders.
When we ran the application, it asked us to enter a login and password in order to run.
We also noticed a number-generated HWID (Hardware-ID) that was always the same when running the app. The HWID number is a unique identifier specific to the machine it was running on and was used to register the app.
When trying to enter a random name we detected a remote connection to the website ‘hxxps://tailoredtaboo.com/auth/check.php’ to verify the license.
The request is made with the following parameters ‘hwid=<HWID>&username=<username>&password=<password>’.
Once the app is running and registered it shows the following interface.
In this interface it is possible to see the function proposed by the app and it was similar to the screenshot that was shared during our chat.
Basically, the tool allows the following:
- Download and execute a malicious executable from an URL
- Execute a custom command
- Type of payload can be exe, jar, vbs, pif, scr
- Modify the dropped filename
- Load a stub for increase obfuscation
- Generate a Word or Excel document
It contains an Anti-virus Evasion tab:
- Use encryption and modify the encryption key
- Add junk code
- Add loop code
It also contains a tab which is still in development:
- Create Jscript or VBscript
- Download and execute
- Payload URL
- Obfuscation with base64 and AMSI bypass which are not yet developed.
The sample is coded in .Net without any obfuscation. We can see in the following screenshot the structure of the file.
Additionally, it uses the Bunifu framework for the graphic interface. (https://bunifuframework.com/)
The main function launches the interface with the pre-configuration options. We can see here the link to putty.exe (also visible in the screenshots) for the payload that needs to be changed by the user.
Instead of running an executable, it is also possible to run a command.
By default, the path for the stub is the following:
We can clearly see here a link with Rubella.
To use the program, it requires a license, that the user has to enter from the login form.
The following function shows the login form.
To validate the license the program will perform some check and combine a Hardware ID, a username and a password.
The following function generates the hardware id.
It gets information from ‘Win32_Processor class’ to generate the ID.
It collects information from:
- UniqueId: Globally unique identifier for the processor. This identifier may only be unique within a processor family.
- ProcessorId: Processor information that describes the processor features.
- Name: This value comes from the Processor Version member of the Processor Information structure in the SMBIOS information.
- Manufacturer: This value comes from the Processor Manufacturer member of the Processor Information structure.
- MaxClockSpeed: Maximum speed of the processor, in MHz.
Then it will collect information from the ‘Win32_BIOS class’.
- Manufacturer: This value comes from the Vendor member of the BIOS Information structure.
- SMBIOSVersion: This value comes from the BIOS Version member of the BIOS Information structure
- IdentificationCode: Manufacturer’s identifier for this software element.
- SerialNumber: Assigned serial number of the software element.
- ReleaseDate: Release date of the Windows BIOS in the Coordinated Universal Time (UTC) format of YYYYMMDDHHMMSS.MMMMMM(+-)OOO.
- Version: Version of the BIOS. This string is created by the BIOS manufacturer.
Then it will collect information from the ‘Win32_DiskDrive class’.
- Model: Manufacturer’s model number of the disk drive.
- Manufacturer: Name of the disk drive manufacturer.
- Signature: Disk identification. This property can be used to identify a shared resource.
- TotalHead: Total number of heads on the disk drive.
Then it will collect information from the ‘Win32_BaseBoard class’.
- Model: Name by which the physical element is known.
- Manufacturer: Name of the organization responsible for producing the physical element.
Then it will collect information from the ‘Win32_VideoController class’.
With all that hardware information collected it will generate a hash that will be the unique identifier.
This hash, the username and password will be sent to the server to verify if the license is valid. In the source code we noticed the tailoredtaboo.com domain again.
To generate a macro the builder is using several parts. The format function shows how each file structure is generated.
The structure is the following:
To save the macro in the malicious doc it uses the function ‘SaveMacro’:
Additionally, it generates random code to obfuscate the content and adds junk code.
The function GenRandom is used to generate random strings, chars as well as numbers. It is used to obfuscate the macro generated.
It also uses a Junk Code function to add junk code into the document:
For additional obfuscation it uses XOR encryption as well as Base64.
Finally, the function WriteMacro, writes the content previously configured:
We did also notice that the builder uses additional functions that were still under development, as we can see with the “Script Generator” tab.
A message is printed when we click on it and that indicates it is still a function in development.
Additionally, we can see the “Decoy Option” tab which is just a template to create another tab. The tab does not show anything. It seems the author left this tab to create another one.
Dryad is very similar to the Rubella Builder; many hints present in the code confirm the conversation we had with Rubella. Unlike Rubella, Dryad did have a scrubbed PDB path.
Both Rubella builder and Dryad Builder are using the Bunifu framework for the graphic design.
The license check is also the same function, using the domain tailoredtaboo.com, Below is the license check function from the Rubella builder:
We analyzed the server used to register the builder and discovered additional samples:
Most of these samples were Word documents generated with the builder.
A quick search into the domain Tailoredtaboo showed that it had several subdomains, including a control panel on a subdomain named cpanel.tailoredtaboo.com.
The cPanel subdomain had the following login screen in the Dutch language.
The domain tailoredtaboo.com has been linked to malicious content in the past. On Twitter the researcher @nullcookies reported in April 2018 that he found some malicious files hosted on the specific domain. In the directory listing of the main domain there were several files also mentioning the name Rubella.
TailoredTaboo.com mentioned on Twitter
Based on all the references, and the way the domain Tailoredtaboo.com was used, we believe that the domain plays a central administrative role for both Rubella and Dryad Macro Builder and can provide insight into the customers of both Macro Builders
Toolkits that build weaponized Office documents, like Dryad and Rubella, cater to the increasing cybercriminal demand of this type of infection vector. With the arrest of the suspect comes an end to the era of Dryad and Rubella Macro Builder. Based on his activity, the suspect looked like quite the cybercriminal entrepreneur, but given his young age this is also a worrisome thought. If only he would have used his skills for good. The lure of quick cash was apparently more enticing than building a solid long-term career. We at McAfee never like to see young talented individuals heading down a dark path.
Indicators of Compromise
URL / Website:
- Dryad: 7d1603f815715a062e18ae56ca53efbaecc499d4193ea44a8aef5145a4699984
- Rubella: 2a20d3d9ac4dc74e184676710a4165c359a56051c7196ca120fcf8716b7c21b9
Hash related samples:
The post McAfee ATR Aids Police in Arrest of the Rubella and Dryad Office Macro Builder Suspect appeared first on McAfee Blogs.
USB drives seem harmless enough and they’re a convenient way to store, back up, or transfer files from your computer. So If you spot a USB drive sitting on the ground or in your office, should you assume someone lost their files? Or is it a hacker baiting you into compromising your computer and network?
On the latest episode of “Hackable?” Geoff learns if USB drives are dangerous and — with the help of white-hat hacker Tim Martin — sets his own trap for Pedro. Listen and learn how to protect your network from dropped drives, and if Pedro takes the bait.
Listen now to the award-winning podcast “Hackable?”.
Whether you’re managing your enterprise’s cybersecurity or you’ve outsourced it to a service provider, you’re ultimately the one that will be held accountable for a data breach. If your vendor loses your data, your customers and board of directors will likely still hold you responsible.
McAfee’s recent report, Grand Theft Data II: The Drivers and Shifting State of Data Breaches, reveals a majority of IT professionals have experienced at least one data breach, and on average have dealt with six breaches over the course of their career. Nearly three-quarters of all breaches have required public disclosure or have affected financial results.
Enterprise threats are increasing in number and sophistication, while rapidly targeting new vulnerabilities. And while, the top three vectors for exfiltrating data were database leaks, cloud applications, and removable USB drives, IT professionals are most worried about leaks from cloud enterprise applications such as Microsoft OneDrive, Cisco WebEx, and Salesforce.com.
Cybersecurity hygiene best practices must not only be established but updated and followed to keep up with these agile, versatile threats. Here are eight steps your business should be taking to implement better cybersecurity hygiene:
- Educate Your Teams – All employees are part of an organization’s security posture. And yet, 61% of IT professionals say their executives expect more lenient security policies for themselves, and 65% of those respondents believe this leniency results in more incidents. Do as I say, not as I do can be dangerous. It’s imperative that you develop a continuing cybersecurity education program for all enterprise teams including best practices for passwords and how to detect phishing emails. Your program should include re-education processes for your IT team on breach targets such as default accounts and missing patches.
- Timely Patches and Updates – The Data Exfiltration Report found that IT was implicated in most data breaches, and much of this can be attributed to failures in cybersecurity hygiene, such as the failure to get a security patch out across the enterprise within 24 to 72 hours. Or failing to check that all available updates are accepted on every device. The vulnerabilities these patches and updates are designed to address can remain vulnerable for months despite the availability of the fixes. Cloud and SaaS operations have proven that automated patching testing and deployment works well with minimal downside risk.
- Implement Data Loss Policies (DLP) – Data loss prevention requires thinking through the data, the applications, and the users. Most security teams continue to operate in isolation, with 81% reporting separate policies or management consoles for cloud access security brokers (CASBs) and data loss prevention (DLP). It is more important than ever to have a set of consistent Data Loss Prevention (DLP) policies that protect data everywhere it’s stored, including the cloud and corporate endpoints, networks, or unmanaged devices.
- Pay Attention to Cloud Security Settings – Cloud applications are where the bulk of your data resides, and data is what most cybercriminals are after. As Dev Ops moves more workloads to the cloud your enterprise needs to pay attention to the security setting of the cloud instances it uses and be aware of the security associated with the underlying infrastructure. Many security measures and considerations in the cloud are the same as on-prem, but some are different. Understanding the security of the cloud you choose and the applications that you use in the cloud are a critical part of securely navigating digital transformation.
- Technology Integration and Automation – One of the top actions cited for reducing future breach risks is integrating the various security technologies into a more cohesive defense. A lack of integration between security products allows suspicious activity to dwell unnoticed. If an attack is identified and blocked, all entry points should be instantly informed. If a compromised device is detected, security products should automatically scan all other devices for evidence of similar compromise, and quarantine affected systems. Automation allows machines to make these decisions based on policy set by the security team and accelerates time to detection and remediation without incurring material risk of unintended IT consequences.
- Deploy and Activate CASB, DLP, EDR – A Cloud Attack Security Broker (CASB) automatically classifies sensitive information, enforces security policies such as data loss prevention, rights management, data classification, threat protection, and encryption. Data Loss Prevention (DLP) safeguards intellectual property and ensures compliance by protecting sensitive data. Endpoint Detection and Response (EDR) can help your enterprise gain visibility into emerging threats with little maintenance and by monitoring endpoint activity, detecting suspicious behavior, making sense of high-value data, and understanding context. EDR can also reduce your need for additional SOC resources.
- Run Proper Device Audits –It’s important to regularly review device encryption on all devices including laptops, tablets, and mobile phones. Using multifactor identification strengthens your security beyond common sense steps like evaluating and promoting password strength.
- Have an Incident Response Plan – You may have only minutes and hours to act on a cyberattack. Good intentions aren’t enough to effectively respond and remedy a security breach. Be prepared before it happens. An Incident Response Plan is integral in helping your enterprise respond more effectively, reduce business disruptions and a loss of reputation.
For more on how to improve your enterprise’s cybersecurity hygiene using automation, integration, and cloud-based deployment and analytics, check out McAfee MVISION EDR.
The post Cybersecurity Hygiene: 8 Steps Your Business Should be Taking appeared first on McAfee Blogs.