A new crimeware kit dubbed the Rubella Macro Builder is rapidly gaining popularity in the cybercriminal underground; experts have already spotted its malware in the wild.

A new crimeware kit dubbed the Rubella Macro Builder is rapidly gaining popularity in the cybercriminal underground. The Rubella Macro Builder lets crooks generate a malicious payload for social-engineering spam campaigns, and its authors offer it as a service, with a three-month license priced at $120.

“While newer versions of the builder are significantly cheaper—as of April, a three-month license is $120 USD—they also come with enhanced features including various encryption algorithm choices (XOR and Base64), download methods (PowerShell, Bitsadmin, Microsoft.XMLHTTP, MSXML2.XMLHTTP, custom PowerShell payload), payload execution methods (executable, JavaScript, Visual Basic Script), and the ability to easily deploy social engineering decoy themes with an Enable Content feature turned on to run the macro.” reads the analysis published by Flashpoint.

According to Flashpoint researchers, Rubella is not particularly sophisticated: the builder is used to create weaponized Microsoft Word or Excel documents for use in spam email. The Rubella-generated malware acts as a first-stage loader for other malware.

The Rubella Macro Builder is cheap, fast and easy to use, and the malware it generates can evade antivirus detection.

According to Flashpoint experts, popular criminal gangs are also using Rubella malware in their campaigns, for example the crews behind the Panda and Gootkit banking malware.

“The macro junk and substitution method appears to be relatively primitive, relying on basic string substitutions. Additionally, its copy/paste implementation of the Base64 algorithm is displayed in Visual Basic Script (VBS) code implementation. The code is obfuscated through general Chr ASCII values.” continues the analysis.
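The two traits Flashpoint describes, Chr()-based string hiding and a short list of download methods, are exactly what a triage script can key on. The following is an added example written for this post, not Flashpoint's tooling and not code taken from the builder; the macro text it scans is a constructed sample in the described style, and the indicator lists are assumptions drawn from the download methods named above plus the standard VBA auto-execute entry points.

```python
import re

# Constructed sample of a macro body in the style the analysis describes:
# literal strings hidden as chains of Chr(<ascii>) joined with "&", plus a
# junk assignment. This is not real Rubella output.
SAMPLE_MACRO = '''
Sub AutoOpen()
    Dim o As Object
    Set o = CreateObject(Chr(77) & Chr(83) & Chr(88) & Chr(77) & Chr(76) & Chr(50) & Chr(46) & Chr(88) & Chr(77) & Chr(76) & Chr(72) & Chr(84) & Chr(84) & Chr(80))
    junk1 = "aaa"
    s = Chr(98) & Chr(105) & Chr(116) & Chr(115) & Chr(97) & Chr(100) & Chr(109) & Chr(105) & Chr(110)
End Sub
'''

# A run of Chr(n) calls joined by "&"; VBA is case-insensitive, so match that way.
CHR_RUN = re.compile(r"Chr\(\s*\d+\s*\)(?:\s*&\s*Chr\(\s*\d+\s*\))*", re.IGNORECASE)
CHR_ONE = re.compile(r"Chr\(\s*(\d+)\s*\)", re.IGNORECASE)

# Download methods listed in the Flashpoint quote, lower-cased for matching
# (assumed indicator list for this example).
DOWNLOAD_INDICATORS = ["powershell", "bitsadmin", "microsoft.xmlhttp", "msxml2.xmlhttp"]
# Standard VBA auto-execute procedure names that fire when a document opens.
AUTOEXEC_INDICATORS = ["autoopen", "auto_open", "document_open", "workbook_open"]


def decode_chr_runs(vba: str) -> str:
    """Replace every Chr(n) & Chr(m) ... chain with the VBA string literal it builds."""
    def repl(match: re.Match) -> str:
        codes = [int(c) for c in CHR_ONE.findall(match.group(0))]
        text = "".join(chr(c) for c in codes)
        return '"' + text.replace('"', '""') + '"'  # VBA escapes quotes by doubling
    return CHR_RUN.sub(repl, vba)


def count_chr_runs(vba: str) -> int:
    """Number of Chr() chains in the raw macro; a crude obfuscation signal."""
    return len(CHR_RUN.findall(vba))


def triage(vba: str) -> dict:
    """Decode Chr() chains, then look for download methods and auto-exec hooks."""
    decoded = decode_chr_runs(vba)
    low = decoded.lower()
    download_methods = [i for i in DOWNLOAD_INDICATORS if i in low]
    autoexec = [i for i in AUTOEXEC_INDICATORS if i in low]
    chr_runs = count_chr_runs(vba)
    # Obfuscated strings alone are weak; obfuscation plus a download method or
    # an auto-exec hook is the combination worth escalating.
    suspicious = chr_runs > 0 and (bool(download_methods) or bool(autoexec))
    return {
        "decoded": decoded,
        "download_methods": download_methods,
        "autoexec": autoexec,
        "chr_runs": chr_runs,
        "verdict": "suspicious" if suspicious else "review",
    }


if __name__ == "__main__":
    result = triage(SAMPLE_MACRO)
    print(result["decoded"])
    for key in ("chr_runs", "download_methods", "autoexec", "verdict"):
        print(f"{key}: {result[key]}")
```

Feed it the VBA source extracted from a document (for example, the module text dumped by an OLE/VBA parser) and act on the decoded output rather than the raw macro; the verdict is intentionally conservative, since plain string substitution like this is easy to vary, and a single Chr() chain by itself only means "look closer".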

Crooks continue to use weaponized documents in their campaigns; builders for Microsoft Office-based loader malware are a precious commodity in the underground.

Flashpoint also published the indicators of compromise (IOCs) for the Rubella macro builder here.

Pierluigi Paganini

(Security Affairs – Rubella Macro Builder, malware)
