Dutch police have announced the arrest of a 20-year-old man from Utrecht in connection with the large-scale production and sale of malware toolkits. He was tracked down through his activity on several hacker forums despite operating under multiple aliases.
The man is specifically suspected of building and selling a criminal toolkit called the Rubella macro builder, which was detected in the wild by researchers at security firm McAfee.
An Office macro builder is a toolkit designed to weaponise a Microsoft Office document so that it delivers a malicious payload through obfuscated macro code that is purposely written to bypass endpoint security defences, according to McAfee researchers.
“By using a toolkit dedicated to this purpose, an actor can push out higher quantities of malicious documents and successfully outsource the first-stage evasion and delivery process to a specialised third party,” the researchers wrote in a blog post.
Dutch police said the arrest could not be disclosed earlier because the investigation was ongoing. They acknowledged assistance from two private companies, including McAfee, whose researchers traced and contacted the suspect; he offered them another, “more exclusive” macro builder that he called Dryad.
The police said the suspect had sold malicious macro toolkits for hundreds, and sometimes thousands, of euros at a time to hackers looking to use Office documents to spread malware.
The macro builder produces documents crafted so that they are not usually detected by anti-malware systems.
Such malware is generally distributed by email, with the weaponised document sent as an attachment.
The message body is typically written to win the recipient's trust and encourage them to open the attachment.
The Dutch police advice for defending against this kind of attack is not to open, view or download such files and to keep all security software up to date.
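As an added illustration of what a defender can check on the receiving side (this is example code written for this page, not McAfee's or the police's, and it has nothing to do with the internals of Rubella or Dryad): an Office Open XML attachment is a zip container, and a VBA project shows up as a `vbaProject.bin` part plus a macro-enabled content type in `[Content_Types].xml`. The script below builds two constructed sample containers in memory, one clean and one carrying a stand-in VBA part, and triages them by filename and content. The auto-exec name check is only a hint: real VBA module streams are MS-OVBA compressed inside an OLE2 container, so a proper parser such as oletools' olevba is needed to read the actual macro source. The function and label names are this example's own.

```python
"""Triage helper: does an Office Open XML attachment carry a VBA project?"""
import io
import re
import zipfile

# Content types Office assigns to the main part of a macro-enabled document.
MACRO_CONTENT_TYPES = {
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml",
}
# Extensions that legitimately carry macros; a VBA part behind any other
# extension is a mismatch worth flagging on its own.
MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm")
# Procedure names that run on open. They are only visible in the raw bytes when
# the module stream is uncompressed, so a hit is a bonus signal, not the check.
AUTO_EXEC_RE = re.compile(rb"(AutoOpen|Document_Open|Workbook_Open|Auto_Open)", re.I)


def inspect_ooxml(data: bytes) -> dict:
    """Return triage findings for a file given as bytes."""
    findings = {"is_zip": False, "has_vba_project": False,
                "macro_enabled_content_type": False, "auto_exec_hint": False}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    findings["is_zip"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
        findings["has_vba_project"] = bool(vba_parts)
        if "[Content_Types].xml" in names:
            ct = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            findings["macro_enabled_content_type"] = any(t in ct for t in MACRO_CONTENT_TYPES)
        for part in vba_parts:
            if AUTO_EXEC_RE.search(zf.read(part)):
                findings["auto_exec_hint"] = True
    return findings


def classify_attachment(filename: str, data: bytes) -> str:
    """Label an attachment; either VBA signal alone is enough to call it macro-enabled."""
    f = inspect_ooxml(data)
    if not f["is_zip"]:
        # Legacy .doc/.xls files are OLE2, not zip; they need a different parser.
        return "not-ooxml"
    if not (f["has_vba_project"] or f["macro_enabled_content_type"]):
        return "no-macros"
    if not filename.lower().endswith(MACRO_EXTENSIONS):
        return "macro-enabled (extension mismatch)"
    return "macro-enabled"


def build_sample(macro: bool) -> bytes:
    """Construct a minimal OOXML container in memory. Test fixture, not a real document."""
    main_ct = ("application/vnd.ms-word.document.macroEnabled.main+xml" if macro else
               "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
        + ('<Override PartName="/word/vbaProject.bin" '
           'ContentType="application/vnd.ms-office.vbaProject"/>' if macro else "")
        + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if macro:
            # Stand-in for vbaProject.bin: OLE2 magic followed by a plain-text
            # procedure name. A real one is compressed and would not match this way.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 Sub AutoOpen() ... End Sub")
    return buf.getvalue()


if __name__ == "__main__":
    for name, data in [("invoice.docx", build_sample(False)),
                       ("invoice.docm", build_sample(True)),
                       ("invoice.docx", build_sample(True)),
                       ("invoice.doc", b"\xd0\xcf\x11\xe0 not a zip")]:
        print(f"{name}: {classify_attachment(name, data)}  {inspect_ooxml(data)}")
```

The useful policy decision is the third case: a container that carries VBA behind an extension that should not, which is a stronger signal than the presence of macros alone. In practice this check sits alongside mail-gateway controls that strip or detonate macro-enabled attachments and endpoint policy that blocks macros in files carrying the mark of the web.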
The suspect was allegedly found in possession of data about dozens of credit cards and manuals on credit card fraud known as carding. The man was also said to have possessed access credentials for thousands of websites.
The suspect had also collected about €20,000 in cryptocurrency such as bitcoin, which was seized by police.
The investigation into any further sums the man may have earned unlawfully will continue, the police said, adding that a trial date has not yet been set.
Given their high success rate, malicious Office documents remain a preferred weapon in a cyber criminal’s arsenal, according to the McAfee researchers.
“Every day, thousands of people receive emails with malicious attachments in their email inbox,” they said. “Disguised as a missed payment or an invoice, a cyber criminal sender tries to entice a victim to open the document and enable the embedded macro. This macro then proceeds to pull in a whole array of nastiness and infect a victim’s machine.”
To take advantage of this demand and generate revenue, some criminals create off-the-shelf toolkits for building malicious Office documents, the researchers said. These toolkits are mostly offered for sale on underground cyber criminal forums, as the man from Utrecht is suspected of doing.
John Fokker, head of cyber investigations at McAfee, said: “Toolkits that build weaponised Office documents, like Dryad and Rubella, cater to the increasing cyber criminal demand of this type of infection vector.
“Based on his activity, the suspect looked like quite the cyber criminal entrepreneur, but, given his young age, it also makes one wonder – if only he had used his skills for good. The lure of quick cash was apparently more enticing than building a solid, long-term career. We at McAfee never like to see young, talented individuals heading down a dark path.”
Fokker added: “The takedown also serves as an important reminder of the power of threat intelligence-sharing between the private and the public sector. Cyber forensics is by no means a simple process. However, when the pieces of the puzzle align, it is only through collaboration with law enforcement that takedowns can happen.”