At the end of November, Check Point Research detected a new Office malware builder called APOMacroSploit, which was implicated in multiple malicious emails to more than 80 customers worldwide.
In our investigation, we found that this tool includes features to evade detection by Windows Defender and is updated daily to ensure low detection rates. In this article, we reveal the threat actors’ malicious intentions and disclose the real identity of one attacker. We reported this information to the relevant law enforcement authorities.
The malware infection begins when the dynamic content of the attached XLS document is enabled, and an XLM macro automatically starts downloading a Windows system command script.
Based on the number of customers and the lowest option price for this product, we estimate that the two main threat actors made at least $5000 in 1.5 months, just by selling the APOMacroSploit product.
We followed multiple cases of attacks related to this tool, which we discuss here, and we describe a popular RAT used in this campaign to control the victim’s machine remotely and steal information.
1.2 The campaign
Approximately 40 different hackers are involved in this campaign, and utilize 100 different email senders in the attacks. Overall, our telemetry reports attacks occurred in more than 30 different countries.
1.3 The malicious document
The initial malicious document our customer received was an XLS file containing an obfuscated XLM macro called Macro 4.0. The macro is triggered automatically when the victim opens the document, and downloads a BAT file from cutt.ly:
The execution of the command “attrib” enables the BAT script to hide in the victim’s machine. We assume the reordering of the PowerShell instructions via the Start-Sleep command (visible after deobfuscation) is seen by the attacker as another static evasion.
1.4 BAT file downloaded from cutt.ly website
At this stage of the attack, the attackers made a key mistake. The cutt[.]ly domain directly redirects to a download server and does not perform the request on the back end. These servers host the BAT files:
For each file, the nickname of the customer was inserted inside of the filename (the list can be seen below).
Zombie99, seen in the file name, is the nickname of one of the attackers.
From this, we obtained a list of all customers’ nicknames.
The BAT script file checks which Windows version the victim has and downloads fola.exe if the version is:
It adds the malware location in the exclusion path of Windows Defender, bypasses UAC and then executes the malware.
Figure 6 : Bat File
In addition, We also noticed some usage of rebrand[.]ly that redirects and download the bat file from cdn.discordapp.com.
When we searched for the usernames that were in the BAT file names, we found an advertisement for a malware builder called APOMacroSploit. This is a macro exploit generator that allows the user to create an XLS file which bypasses AVs, Windows Defender, bypass AMSIs, Gmail and other mail phishing detection, and more.
This tool has a “WD disabler” option, which disables Windows Defender on the targeted machine before executing the payload, and a “WD exclusion” option, which adds the file to Windows Defender so it can bypass WD as well.
APOMacroSploit administrators justified their AV bypass claim with links from a questionable website: avcheck[.]net. Those links allege full none-detection (FUD) from AVs [Figure 7].
APOMacroSploit is sold on HackForums.net by two users: Apocaliptique (Apo) and Nitrix. We also found a Discord channel in which Nitrix is named as the tool developer and Apo is the admin: https://discord.com/channels/764830353927569409/764832717267140629
In this channel, both Nitrix and Apocaliptique assist buyers with how to use the tool. Many of the customer nicknames visible on the download server were also found on the channel.
1.6 About the actors
For each customer, Apocaliptique and Nitrix created a BAT file to use in the attack (see the procedure description below):
This screenshot shows that not only did these hackers sell their attack tools, but they also participated in building and hosting the malware.
Apocaliptique uses Apo Bypass YouTube channel to advertise his tool’s features.
As you can see, this YouTube channel subscribes to 55 other YouTube channels. One of these channels, called Ntx Stevy, attracted our attention because it has only 6 subscribers, including Apo Bypass.
By drilling down a bit more, we found an old Skype address for the NTx Stevy channel, in the account name there is sequence of numbers, 93160, which is associated with a French area, Seine Saint Denis, and more specifically, Noisy-Le-Grand city.
Another channel also showed us some interesting data:
But so far, there is no clear connection between Apo and Ntx Stevy.
We do, however, know that the developer of APOMacroSploit is called Nitrix.
By searching Nitrix’s conversations, we saw the following message:
So here is the first link from Nitrix to NTx.
In this screenshot, it appears that the Skype account, we found before, on the YouTube comment, is associated with this Twitter page.
So Ntx Stevy is actually Nitrix and plays LOL (League of Legends) using the same summoner name! Nitrix and Apo even played games together:
Now, the link becomes clear. This channel of 6 subscribers was followed by Apo because it belonged to his friend, developer Nitrix.
Finally, we found another Skype account (blurred in the picture) associated with Nitrix that confirms what we already know.
By searching on Skype for Nitrix’s identity, we found his first name.
After digging in Nitrix Twitter account, we finally obtained his identity: he revealed his actual name when he posted a picture of a ticket he bought for a concert in December 2014:
We looked for this name on social media and found an account on Facebook, which had the same picture. According to his Facebook account, Nitrix was indeed living in Noisy-Le-Grand.
We tracked Nitrix LinkedIn page that shows where he studied and that he has 4 years’ worth of experience as a software developer.
Now, let’s take a look at Apo, whose nickname in HackForums.net is “Apocaliptique.” Here we can see Apo using this nickname and responding to questions about his product:
We found out his Skype nickname: apocaliptique93.
We assume that Apocaliptique is a French resident like Nitrix. First, the language used in the advertisement videos is French (figure 11). Moreover, the pseudo he used above is either “apo93” or “apocaliptique93“ and as seen above, “93” is a common suffix for French citizens living in Seine Saint Denis.
We also saw that he plays and sells League of Legends accounts with this nickname and Skype name.
1.7 Example of APOMacroSploit usage by Mic12 :
This section describes in more detail an example of a popular second stage seen in several attacks related to this campaign.
1.7.1 The Document
The attacker sent via email with variety of subjects: поръчка за доставка (delivery order in Bulgarian), bio tech inquiry, royal mail notification – 30/11/2020, boat inquiry.
The file names of the documents are corresponding to the email subject: spetsifikatsiya.xls, biotech.xls, royalmail.xls, boat.xls
1.7.2 Malware hosted server
One of the BAT files downloads the malware from the following location: hxxp://XXXXXXXX/royal1/helper/gd/zt/fola[.]exe. This is a Bulgarian website for medical equipment and supplies.
The website looks legitimate and might have been hacked by the attacker to store the malware:
1.7.3 The Malware
The malware in question is a DelphiCrypter followed by a BitRAT.
The DelphiCrypter came with a number of anti-analysis techniques that didn’t fool our engines. Among them:
A call of RtlAddVectorizedExceptionHandler followed by a division by 0 to generate a crash to disrupt debuggers.
Check of the BeingDebugged flag.
QueryInformationProcess call with the argument 0h1E / 0h1F to search for debuggers.
A search for the keywords « sample », « malware » or « sandbox » in the path location of the malware. If found, the execution stops.
Search for a set of antivirus or analysis programs. If they are running, the execution stops :
List of antiviruses and analysis programs:
Multiple delays of the malware execution.
A Notepad.exe injected shellcode drops a VBS file in the startup folder to ensure the malware persistency.
Then, the notepad shellcode starts the malicious ernm.exe.
This ernm.exe malware is statically identical to fola.exe. During its execution, it compares its path with %appdata%/Roaming/rtgb/ernm.exe. If it is equal, it unpacks itself to a BitRAT. (MD5 : B6AD351A3EA35CAE710E124021A77CA8)
The BitRAT functionalities include:
Download and upload of files
Compatibility with TOR
1.7.4 The C&C
The C&C of this malware is located at the following IP: 185[.]157[.]161[.]109
This IP was resolved to a domain, which is a sub domain of a legitimate Bulgarian website for video surveillance systems.
Check Point customers are protected against this attack.