ApoMacroSploit : Apocalyptical FUD race

February 16, 2021

1.1      Introduction

At the end of November, Check Point Research detected a new Office malware builder called APOMacroSploit, which was implicated in multiple malicious emails to more than 80 customers worldwide.

In our investigation, we found that this tool includes features to evade detection by Windows Defender and is updated daily to ensure low detection rates. In this article, we reveal the threat actors’ malicious intentions and disclose the real identity of one attacker. We reported this information to the relevant law enforcement authorities.

The malware infection begins when the dynamic content of the attached XLS document is enabled, and an XLM macro automatically starts downloading a Windows system command script.

Based on the number of customers and the lowest option price for this product, we estimate that the two main threat actors made at least $5000 in 1.5 months, just by selling the APOMacroSploit product.

We followed multiple cases of attacks related to this tool, which we discuss here, and we describe a popular RAT used in this campaign to control the victim’s machine remotely and steal information.

1.2      The campaign

Figure 1: Graph of the total number of attacks

Approximately 40 different hackers are involved in this campaign, and utilize 100 different email senders in the attacks. Overall, our telemetry reports attacks occurred in more than 30 different countries.

1.3       The malicious document

The initial malicious document our customer received was an XLS file containing an obfuscated XLM macro called Macro 4.0. The macro is triggered automatically when the victim opens the document, and downloads a BAT file from cutt.ly:

Figure 2: Malicious Macro4.o obfuscated


Figure 3: Malicious Macro4.0 deobfuscated

The execution of the command “attrib” enables the BAT script to hide in the victim’s machine. We assume the reordering of the PowerShell instructions via the Start-Sleep command (visible after deobfuscation) is seen by the attacker as another static evasion.

1.4      BAT file downloaded from cutt.ly website

At this stage of the attack, the attackers made a key mistake. The cutt[.]ly domain directly redirects to a download server and does not perform the request on the back end. These servers host the BAT files:

For each file, the nickname of the customer was inserted inside of the filename (the list can be seen below).

Figure 4: hxxp://193[.]239[.]147[.]76/bat content

Zombie99, seen in the file name, is the nickname of one of the attackers.

From this, we obtained a list of all customers’ nicknames.

COLAFORCE1010 moonlight kingshakes
ZaiTsev motolux laudable
apo93 nitrix legranducki
bambobimpel nullptr libinvip
bawbaw pr3torian makaveli
bayalbatros retroferon mcavy
birchfresh rroki123 mcdon
boblarsers2 siemaziuta mcoode55
borah silenthide mic12
btcjune skiw53 mikky
centank slipperynick xavierdev
covv somasekharraddyn zilla07
crownking spicytorben zombie99
danmill5241 t5samsung2020
demomode thecabal1 [email protected]
duksquad tozmac jew
frankie777 warlords jonathanandy77
fteenetx xaa  

Figure 5: List of customers

The BAT script file checks which Windows version the victim has and downloads fola.exe if the version is:

  • Windows 10
  • Windows 8.1
  • Windows 8
  • Windows 7

It adds the malware location in the exclusion path of Windows Defender, bypasses UAC and then executes the malware.

Figure 6 : Bat File

In addition, We also noticed some usage of rebrand[.]ly that redirects and download the bat file from cdn.discordapp.com.

1.5       APOMacroSploit

When we searched for the usernames that were in the BAT file names, we found an advertisement for a malware builder called APOMacroSploit. This is a macro exploit generator that allows the user to create an XLS file which bypasses AVs, Windows Defender, bypass AMSIs, Gmail and other mail phishing detection, and more.

This tool has a “WD disabler” option, which disables Windows Defender on the targeted machine before executing the payload, and a “WD exclusion” option, which adds the file to Windows Defender so it can bypass WD as well.

APOMacroSploit administrators justified their AV bypass claim with links from a questionable website: avcheck[.]net. Those links allege full none-detection (FUD) from AVs [Figure 7].  

Figure 7: avcheck[.]net on XLS created by the APOMacroSploit

APOMacroSploit is sold on HackForums.net by two users: Apocaliptique (Apo) and Nitrix.
We also found a Discord channel in which Nitrix is named as the tool developer and Apo is the admin:  https://discord.com/channels/764830353927569409/764832717267140629

Figure 8: Discord channel members

In this channel, both Nitrix and Apocaliptique assist buyers with how to use the tool.
Many of the customer nicknames visible on the download server were also found on the channel.

1.6      About the actors

For each customer, Apocaliptique and Nitrix created a BAT file to use in the attack (see the procedure description below):

This screenshot shows that not only did these hackers sell their attack tools, but they also participated in building and hosting the malware.

Figure 9: Apo Bypass team helps their customers.
Figure 10: Apo Bypass owns the hosting server seen above

Apocaliptique uses Apo Bypass YouTube channel to advertise his tool’s features.

Figure 11: Apo Bypass YouTube channel

As you can see, this YouTube channel subscribes to 55 other YouTube channels. One of these channels, called Ntx Stevy, attracted our attention because it has only 6 subscribers, including Apo Bypass.

Figure 12: Ntx Stevy YouTube channel

By drilling down a bit more, we found an old Skype address for the NTx Stevy channel, in the account name there is sequence of numbers, 93160, which is associated with a French area, Seine Saint Denis, and more specifically, Noisy-Le-Grand city.

Figure 13: Conversations inside the NTx Stevy YouTube channel

Another channel also showed us some interesting data:

Figure 14: Conversations inside the NTx & Stevy YouTube channel

But so far, there is no clear connection between Apo and Ntx Stevy.

We do, however, know that the developer of APOMacroSploit is called Nitrix.

By searching Nitrix’s conversations, we saw the following message:

Figure 15: Nitrix talking about LOL (League of Legends) on HackForums

So here is the first link from Nitrix to NTx.

Figure 16: Nitrix tweeting his Skype account

In this screenshot, it appears that the Skype account, we found before, on the YouTube comment, is associated with this Twitter page.

So Ntx Stevy is actually Nitrix and plays LOL (League of Legends) using the same summoner name! Nitrix and Apo even played games together:

Figure 17: Nitrix and Apocaliptique playing LOL (League of Legends) together

Now, the link becomes clear. This channel of 6 subscribers was followed by Apo because it belonged to his friend, developer Nitrix.

Finally, we found another Skype account (blurred in the picture) associated with Nitrix that confirms what we already know.

Figure 18: Another Skype account associated with Nitrix

By searching on Skype for Nitrix’s identity, we found his first name.

Figure 19: Nitrix Skype account

After digging in Nitrix Twitter account, we finally obtained his identity: he revealed his actual name when he posted a picture of a ticket he bought for a concert in December 2014:

Figure 20: Nitrix tweet

We looked for this name on social media and found an account on Facebook, which had the same picture. According to his Facebook account, Nitrix was indeed living in Noisy-Le-Grand.

Figure 21: Nitrix Facebook account

We tracked Nitrix LinkedIn page that shows where he studied and that he has 4 years’ worth of experience as a software developer.

Figure 22: Nitrix LinkedIn account

Now, let’s take a look at Apo, whose nickname in HackForums.net is “Apocaliptique.” Here we can see Apo using this nickname and responding to questions about his product:

Figure 23: Apocaliptique’s answers to potential customers on HackForums

We found out his Skype nickname: apocaliptique93.

We assume that Apocaliptique is a French resident like Nitrix. First, the language used in the advertisement videos is French (figure 11). Moreover, the pseudo he used above is either “apo93” or “apocaliptique93“ and as seen above, “93” is a common suffix for French citizens living in Seine Saint Denis.

Figure 24: Apocaliptique’s Skype nickname

We also saw that he plays and sells League of Legends accounts with this nickname and Skype name.

1.7      Example of APOMacroSploit usage by Mic12 :

This section describes in more detail an example of a popular second stage seen in several attacks related to this campaign.


Figure 25: Infection chain

1.7.1        The Document

The attacker sent via email with variety of subjects: поръчка за доставка (delivery order in Bulgarian),
bio tech inquiry, royal mail notification – 30/11/2020, boat inquiry.

The file names of the documents are corresponding to the email subject: spetsifikatsiya.xls, biotech.xls, royalmail.xls, boat.xls

Figure 26: screenshot of the XLS malicious file

1.7.2        Malware hosted server

One of the BAT files downloads the malware from the following location: hxxp://XXXXXXXX/royal1/helper/gd/zt/fola[.]exe. This is a Bulgarian website for medical equipment and supplies.

Figure 27: Bulgarian website home page

The website looks legitimate and might have been hacked by the attacker to store the malware:

Figure 28: Malware stored on the Bulgarian website

1.7.3        The Malware

The malware in question is a DelphiCrypter followed by a BitRAT.

Anti-detection mechanisms

The DelphiCrypter came with a number of anti-analysis techniques that didn’t fool our engines. Among them:

  • A call of RtlAddVectorizedExceptionHandler followed by a division by 0 to generate a crash to disrupt debuggers.
  • Check of the BeingDebugged flag.
  • QueryInformationProcess call with the argument 0h1E / 0h1F to search for debuggers.
  • A search for the keywords « sample », « malware » or « sandbox » in the path location of the malware. If found, the execution stops.
  • Search for a set of antivirus or analysis programs. If they are running, the execution stops :

List of antiviruses and analysis programs:

  • Avast
    • Avastui.exe
    • Avastsvc.exe
    • Aswidsagent.exe
  • kaspersky
    • Avgsvc.exe
    • Avgui.exe
  • AVP
    • Avp.exe
  • Bit Defender
    • Bdwtxag.exe
    • Bdagent.exe
  • Windows Defender
    • Msmpeng
    • Mpcmdrun
    • Nissrv.exe
  • Dr Web
    • Dwengine.exe
  • ESET
    • Equiproxy
    • Ekrn
  • Analysis tools
    • Procexp.exe
    • Windbg.exe
    • Procmon.exe
    • Ollydbg.exe
  • Multiple delays of the malware execution.

Persistency

A Notepad.exe injected shellcode drops a VBS file in the startup folder to ensure the malware persistency.

Figure 29: VBS file in the startup folder

 

Figure 30: Content of the VBS dropped file

Then, the notepad shellcode starts the malicious ernm.exe.

Figure 31: Duplicate the malware at the persistence path

This ernm.exe malware is statically identical to fola.exe. During its execution, it compares its path with %appdata%/Roaming/rtgb/ernm.exe. If it is equal, it unpacks itself to a BitRAT. (MD5 : B6AD351A3EA35CAE710E124021A77CA8)

Figure 32: BitRAT advertisement

 

Figure 33: Example of BitRAT Attacker dashboard

The BitRAT functionalities include:

  • SSL encryption
  • XMR mining
  • Webcam hacking
  • Remote control
  • Keylogging
  • Download and upload of files
  • Compatibility with TOR

1.7.4        The C&C

The C&C of this malware is located at the following IP: 185[.]157[.]161[.]109

This IP was resolved to a domain, which is a sub domain of a legitimate Bulgarian website for video surveillance systems.

Figure 34: The Bulgarian website

1.8      Protections

Check Point customers are protected against this attack.

SandBlast Network

  • Trojan.Wind.Generic.A/H/F
  • RAT.Win.BitRat.A
  • Signature_xlm_char_macro_4
  • Signature_xlm_macro_4_concat_exec
  • AP.malicious.xls.a

1.9      IOCs

Document:

  • 37951f4d601c647c284a431b582f5aebc3d0e13e
  • 0f7901078941f167b318f4fb37349503ec62b45d
  • e4b03e2689bf54d97195c4b1bf94d7e047fb0926
  • e56157faa2d9c5c9a0a30f321b442794860576e0
  • 2b753299c8824cc1dd0c48c2552e67df2db0800a
  • 583e84e1376147dfc21bab53026cd2bd0250dca5
  • e14e89d16fb6632659ffe2bb2b8b82741ace5478
  • fea838fecb16a23717429f25967b5d9f21b9b5f8
  • 4e6c98140eeb64351740e7b62e6863659abbb591
  • cdb97b35bdedcb6318cf6ed11b706a12df2e95be
  • d05bb0a47b5f43ae9c2ffd72c9245ee6675bc798
  • ee5dc839a6565d26b6eb8d07744c4886f646721d
  • f8f92986f49a19f58a3114a19f4c0af48ab59e43
  • 1d884a8beb4f84a6a5fb12dd9d3b3ff3108b6874
  • 6ebb625de65f3a8ce66122d10dcccdfad8cdf5d6
  • d529134cdf6837081ead1219a74128e5ccb31ce9
  • 6cb9af64cb0c86ca2238e01d1452b9d6513b7ea3
  • 9529b21240d9986c32527a589d38029c608dd253
  • 433144bc02374a186ffcb91d3beaabcba0cd160d
  • c3b19195228f75b437a9c5b3df2028df1b1cbdc5
  • eca08346b447fc927fdad8cc944178e85c83496a
  • 129226d22bb541495ff427e9f4a421cb09557a12
  • 9809ea270285d08732dacc3ca572d9d272fec6fa
  • 1982ba2694cd6b25bb057f89b29ded8225c997cd
  • 0f7901078941f167b318f4fb37349503ec62b45d
  • 0b6cb46c92dbb0075f2524c8397e44236c37eebd
  • 25ed4d9fca33c1ccdf6b6a6793df14d2e07e5e97
  • 3a4e2469a56dcd0b9a287f8bde8be78aec6ab397

Malwares:

  • a359796eacef161e75ce3f5094e1dd2bff37389c
  • 9a8b2be1f45b4d3d5a9a772ce45a01caa0a1b6e2

C&Cs:

  • 185[.]157[.]161[.]109
  • 185[.]57[.]162[.]81