# ApoMacroSploit : Apocalyptical FUD race **[research.checkpoint.com/2021/apomacrosploit-apocalyptical-fud-race/](https://research.checkpoint.com/2021/apomacrosploit-apocalyptical-fud-race/)** February 16, 2021 ## 1.1 Introduction February 16, 2021 At the end of November, Check Point Research detected a new Office malware builder called APOMacroSploit, which was implicated in multiple malicious emails to more than 80 customers worldwide. In our investigation, we found that this tool includes features to evade detection by Windows Defender and is updated daily to ensure low detection rates. In this article, we reveal the threat actors’ malicious intentions and disclose the real identity of one attacker. We reported this information to the relevant law enforcement authorities. The malware infection begins when the dynamic content of the attached XLS document is enabled, and an XLM macro automatically starts downloading a Windows system command script. Based on the number of customers and the lowest option price for this product, we estimate that the two main threat actors made at least $5000 in 1.5 months, just by selling the APOMacroSploit product ----- We followed multiple cases of attacks related to this tool, which we discuss here, and we describe a popular RAT used in this campaign to control the victim’s machine remotely and steal information. ## 1.2 The campaign _Figure 1: Graph of the total number of attacks_ Approximately 40 different hackers are involved in this campaign, and utilize 100 different email senders in the attacks. Overall, our telemetry reports attacks occurred in more than 30 different countries. ## 1.3 The malicious document The initial malicious document our customer received was an XLS file containing an obfuscated XLM macro called Macro 4.0. The macro is triggered automatically when the victim opens the document, and downloads a BAT file from cutt.ly: _Figure 2: Malicious Macro4.o obfuscated_ _Figure 3: Malicious Macro4.0 deobfuscated_ The execution of the command “attrib” enables the BAT script to hide in the victim’s machine. We assume the reordering of the PowerShell instructions via the Start-Sleep command (visible after deobfuscation) is seen by the attacker as another static evasion. ----- ## 1.4 BAT file downloaded from cutt.ly website At this stage of the attack, the attackers made a key mistake. The cutt[.]ly domain directly redirects to a download server and does not perform the request on the back end. These servers host the BAT files: For each file, the nickname of the customer was inserted inside of the filename (the list can be seen below). _Figure 4: hxxp://193[.]239[.]147[.]76/bat_ _content_ Zombie99, seen in the file name, is the nickname of one of the attackers. From this, we obtained a list of all customers’ nicknames. COLAFORCE1010 moonlight kingshakes ZaiTsev motolux laudable apo93 nitrix legranducki bambobimpel nullptr libinvip bawbaw pr3torian makaveli bayalbatros retroferon mcavy birchfresh rroki123 mcdon boblarsers2 siemaziuta mcoode55 ----- borah silenthide mic12 btcjune skiw53 mikky centank slipperynick xavierdev covv somasekharraddyn zilla07 crownking spicytorben zombie99 danmill5241 t5samsung2020 demomode thecabal1 [[email protected]](https://research.checkpoint.com/cdn-cgi/l/email-protection#0563777c646b6176606969456268646c692b666a68) duksquad tozmac jew frankie777 warlords jonathanandy77 fteenetx xaa _Figure 5: List of customers_ The BAT script file checks which Windows version the victim has and downloads fola.exe if the version is: Windows 10 Windows 8.1 Windows 8 Windows 7 It adds the malware location in the exclusion path of Windows Defender, bypasses UAC and then executes the malware. _Figure 6 : Bat File_ In addition, We also noticed some usage of rebrand[.]ly that redirects and download the bat file from cdn.discordapp.com. ## 1.5 APOMacroSploit ----- When we searched for the usernames that were in the BAT file names, we found an advertisement for a malware builder called APOMacroSploit. This is a macro exploit generator that allows the user to create an XLS file which bypasses AVs, Windows Defender, bypass AMSIs, Gmail and other mail phishing detection, and more. This tool has a “WD disabler” option, which disables Windows Defender on the targeted machine before executing the payload, and a “WD exclusion” option, which adds the file to Windows Defender so it can bypass WD as well. APOMacroSploit administrators justified their AV bypass claim with links from a questionable website: avcheck[.]net. Those links allege full none-detection (FUD) from AVs [Figure 7]. _Figure 7: avcheck[.]net on XLS created by the APOMacroSploit_ APOMacroSploit is sold on HackForums.net by two users: Apocaliptique (Apo) and Nitrix. We also found a Discord channel in which Nitrix is named as the tool developer and Apo is the admin: https://discord.com/channels/764830353927569409/764832717267140629 ----- _Figure 8: Discord channel members_ In this channel, both Nitrix and Apocaliptique assist buyers with how to use the tool. Many of the customer nicknames visible on the download server were also found on the channel. ## 1.6 About the actors For each customer, Apocaliptique and Nitrix created a BAT file to use in the attack (see the procedure description below): This screenshot shows that not only did these hackers sell their attack tools, but they also participated in building and hosting the malware. ----- _Figure 9: Apo Bypass team helps their customers._ _Figure 10: Apo Bypass owns the hosting server seen above_ Apocaliptique uses Apo Bypass YouTube channel to advertise his tool’s features. ----- _Figure 11: Apo Bypass YouTube channel_ As you can see, this YouTube channel subscribes to 55 other YouTube channels. One of these channels, called Ntx Stevy, attracted our attention because it has only 6 subscribers, including Apo Bypass. _Figure 12: Ntx Stevy YouTube channel_ ----- By drilling down a bit more, we found an old Skype address for the NTx Stevy channel, in the account name there is sequence of numbers, 93160, which is associated with a French area, Seine Saint Denis, and more specifically, Noisy-Le-Grand city. _Figure 13: Conversations inside the NTx Stevy YouTube channel_ Another channel also showed us some interesting data: _Figure 14: Conversations inside the NTx & Stevy YouTube channel_ But so far, there is no clear connection between Apo and Ntx Stevy. We do, however, know that the developer of APOMacroSploit is called Nitrix. By searching Nitrix’s conversations, we saw the following message: _Figure 15: Nitrix talking about LOL (League of Legends) on_ _HackForums_ So here is the first link from Nitrix to NTx. ----- _Figure 16: Nitrix tweeting his Skype account_ In this screenshot, it appears that the Skype account, we found before, on the YouTube comment, is associated with this Twitter page. So Ntx Stevy is actually Nitrix and plays LOL (League of Legends) using the same summoner name! Nitrix and Apo even played games together: _Figure 17: Nitrix and Apocaliptique playing LOL (League of Legends) together_ Now, the link becomes clear. This channel of 6 subscribers was followed by Apo because it belonged to his friend, developer Nitrix. Finally, we found another Skype account (blurred in the picture) associated with Nitrix that confirms what we already know. ----- _Figure 18: Another_ _Skype account associated with Nitrix_ By searching on Skype for Nitrix’s identity, we found his first name. _Figure 19: Nitrix Skype account_ After digging in Nitrix Twitter account, we finally obtained his identity: he revealed his actual name when he posted a picture of a ticket he bought for a concert in December 2014: ----- _Figure 20: Nitrix tweet_ We looked for this name on social media and found an account on Facebook, which had the same picture. According to his Facebook account, Nitrix was indeed living in Noisy-LeGrand. _Figure 21:_ _Nitrix Facebook account_ We tracked Nitrix LinkedIn page that shows where he studied and that he has 4 years’ worth of experience as a software developer. ----- _Figure 22: Nitrix LinkedIn account_ Now, let’s take a look at Apo, whose nickname in HackForums.net is “Apocaliptique.” Here we can see Apo using this nickname and responding to questions about his product: _Figure 23: Apocaliptique’s answers to potential customers on HackForums_ We found out his Skype nickname: apocaliptique93. ----- We assume that Apocaliptique is a French resident like Nitrix. First, the language used in the advertisement videos is French (figure 11). Moreover, the pseudo he used above is either “apo93” or “apocaliptique93“ and as seen above, “93” is a common suffix for French citizens living in Seine Saint Denis. _Figure 24: Apocaliptique’s Skype nickname_ We also saw that he plays and sells League of Legends accounts with this nickname and Skype name. ## 1.7 Example of APOMacroSploit usage by Mic12 : This section describes in more detail an example of a popular second stage seen in several attacks related to this campaign. _Figure 25: Infection chain_ **1.7.1 The Document** ----- The attacker sent via email with variety of subjects: поръчка за доставка (delivery order in Bulgarian), bio tech inquiry, royal mail notification – 30/11/2020, boat inquiry. The file names of the documents are corresponding to the email subject: spetsifikatsiya.xls, biotech.xls, royalmail.xls, boat.xls _Figure 26: screenshot of the XLS malicious file_ **1.7.2 Malware hosted server** One of the BAT files downloads the malware from the following location: hxxp://XXXXXXXX/royal1/helper/gd/zt/fola[.]exe. This is a Bulgarian website for medical equipment and supplies. _Figure 27: Bulgarian website home page_ The website looks legitimate and might have been hacked by the attacker to store the malware: ----- _Figure 28: Malware stored on the Bulgarian website_ **1.7.3 The Malware** The malware in question is a DelphiCrypter followed by a BitRAT. **Anti-detection mechanisms** The DelphiCrypter came with a number of anti-analysis techniques that didn’t fool our engines. Among them: A call of RtlAddVectorizedExceptionHandler followed by a division by 0 to generate a crash to disrupt debuggers. Check of the BeingDebugged flag. QueryInformationProcess call with the argument 0h1E / 0h1F to search for debuggers. ----- A search for the keywords « sample », « malware » or « sandbox » in the path location of the malware. If found, the execution stops. Search for a set of antivirus or analysis programs. If they are running, the execution stops : List of antiviruses and analysis programs: Avast Avastui.exe Avastsvc.exe Aswidsagent.exe kaspersky Avgsvc.exe Avgui.exe AVP Avp.exe Bit Defender Bdwtxag.exe Bdagent.exe ----- Windows Defender Msmpeng Mpcmdrun Nissrv.exe Dr Web Dwengine.exe ESET Equiproxy Ekrn Analysis tools Procexp.exe Windbg.exe Procmon.exe Ollydbg.exe Multiple delays of the malware execution. **Persistency** A Notepad.exe injected shellcode drops a VBS file in the startup folder to ensure the malware persistency. _Figure 29: VBS file in the startup folder_ _Figure 30: Content of the VBS dropped file_ Then, the notepad shellcode starts the malicious ernm.exe. _Figure 31: Duplicate the malware at the persistence path_ ----- This ernm.exe malware is statically identical to fola.exe. During its execution, it compares its path with %appdata%/Roaming/rtgb/ernm.exe. If it is equal, it unpacks itself to a BitRAT. (MD5 : B6AD351A3EA35CAE710E124021A77CA8) Figure 32: BitRAT advertisement _Figure 33: Example of BitRAT Attacker dashboard_ The BitRAT functionalities include: ----- SSL encryption XMR mining Webcam hacking Remote control Keylogging Download and upload of files Compatibility with TOR ### 1.7.4 The C&C The C&C of this malware is located at the following IP: 185[.]157[.]161[.]109 This IP was resolved to a domain, which is a sub domain of a legitimate Bulgarian website for video surveillance systems. _Figure 34: The Bulgarian website_ ## 1.8 Protections Check Point customers are protected against this attack. [SandBlast Network](https://www.checkpoint.com/products/advanced-network-threat-prevention/) Trojan.Wind.Generic.A/H/F RAT.Win.BitRat.A Signature_xlm_char_macro_4 Signature_xlm_macro_4_concat_exec AP.malicious.xls.a ## 1.9 IOCs **Document:** 37951f4d601c647c284a431b582f5aebc3d0e13e ----- 0f7901078941f167b318f4fb37349503ec62b45d e4b03e2689bf54d97195c4b1bf94d7e047fb0926 e56157faa2d9c5c9a0a30f321b442794860576e0 2b753299c8824cc1dd0c48c2552e67df2db0800a 583e84e1376147dfc21bab53026cd2bd0250dca5 e14e89d16fb6632659ffe2bb2b8b82741ace5478 fea838fecb16a23717429f25967b5d9f21b9b5f8 4e6c98140eeb64351740e7b62e6863659abbb591 cdb97b35bdedcb6318cf6ed11b706a12df2e95be d05bb0a47b5f43ae9c2ffd72c9245ee6675bc798 ee5dc839a6565d26b6eb8d07744c4886f646721d f8f92986f49a19f58a3114a19f4c0af48ab59e43 1d884a8beb4f84a6a5fb12dd9d3b3ff3108b6874 6ebb625de65f3a8ce66122d10dcccdfad8cdf5d6 d529134cdf6837081ead1219a74128e5ccb31ce9 6cb9af64cb0c86ca2238e01d1452b9d6513b7ea3 9529b21240d9986c32527a589d38029c608dd253 433144bc02374a186ffcb91d3beaabcba0cd160d c3b19195228f75b437a9c5b3df2028df1b1cbdc5 eca08346b447fc927fdad8cc944178e85c83496a 129226d22bb541495ff427e9f4a421cb09557a12 9809ea270285d08732dacc3ca572d9d272fec6fa 1982ba2694cd6b25bb057f89b29ded8225c997cd 0f7901078941f167b318f4fb37349503ec62b45d 0b6cb46c92dbb0075f2524c8397e44236c37eebd 25ed4d9fca33c1ccdf6b6a6793df14d2e07e5e97 3a4e2469a56dcd0b9a287f8bde8be78aec6ab397 **Malwares:** a359796eacef161e75ce3f5094e1dd2bff37389c 9a8b2be1f45b4d3d5a9a772ce45a01caa0a1b6e2 **C&Cs:** 185[.]157[.]161[.]109 185[.]57[.]162[.]81 -----