Dutch cops collar fella accused of crafting and flogging Office macro nasties to cyber-crooks

Accused bloke cuffed after plod swoop on home

A 20-year-old man from the Netherlands accused of building and selling Office macro malware was arrested Wednesday.

The Dutch National Police's Office of the Team High Tech Crime (THTC) unit claimed the unnamed bloke, cuffed while on his computer as cops swooped on his home, was responsible for building, selling, and supporting the Rubella, Cetan, and Dryad malware kits.

The toolkits allowed criminals to build Office files with malicious macro code embedded in the documents. When the victim opened the file, usually delivered by spear-phishing or spam, the macro code would then proceed to download and open the malware payload.

While macro attacks are relatively old-school and don't generate headlines the way more exotic exploits and other forms of infection do, the poisoned documents remain a tried-and-true way for criminals to sneak malicious code onto victim machines, particularly at the enterprise level where workers are used to opening documents without much scrutiny. In this case, the macro kits were every bit as polished and professional as other crimeware packages, police said.

"The toolkit was marketed with colorful banners on different underground forums," said John Fokker and Thomas Roccia, two McAfee engineers who helped Dutch police track own the man.

"For the price of $500 per month you could use his toolkit to weaponize Office documents that bypass end-point security systems and deliver a malicious payload or run a PowerShell Code of your choice."


Recruiters considered really harmful: Devs on GitHub hit with booby-trapped fake job emails


Despite the seemingly sophisticated offering, the McAfee team said the developer left some very big clues that helped investigators track him down. Specifically, his obvious ties to the Netherlands.

Fokker and Roccia said they had a breakthrough when the author posted to a forum a screenshot of his malware bypassing the anti-malware tools in a localized version of Windows.

"Being a Dutch researcher, this screenshot immediately stood out because of the Dutch version of Microsoft Word that was used," the pair explained. "Dutch is a very uncommon language, only a small percentage of the world’s population speaks it, let alone an even smaller percentage of cybercriminals who use it."

At that point, McAfee said, the team focused on clues in the metadata in the attack files. The THTC also joined in, and eventually they were able to trace the clues and screen names back to one individual in Utrecht.

After arrest, police said the man had collected around €20,000 in cryptocurrency from malware sales. That money has been seized as the suspect awaits trial. He was also in possession of card skimming information and the logins for thousands of websites, it is claimed. ®

Other stories you might like

  • Talos names eight deadly sins in widely used industrial software
    Entire swaths of gear relies on vulnerability-laden Open Automation Software (OAS)

    A researcher at Cisco's Talos threat intelligence team found eight vulnerabilities in the Open Automation Software (OAS) platform that, if exploited, could enable a bad actor to access a device and run code on a targeted system.

    The OAS platform is widely used by a range of industrial enterprises, essentially facilitating the transfer of data within an IT environment between hardware and software and playing a central role in organizations' industrial Internet of Things (IIoT) efforts. It touches a range of devices, including PLCs and OPCs and IoT devices, as well as custom applications and APIs, databases and edge systems.

    Companies like Volvo, General Dynamics, JBT Aerotech and wind-turbine maker AES are among the users of the OAS platform.

    Continue reading
  • Despite global uncertainty, $500m hit doesn't rattle Nvidia execs
    CEO acknowledges impact of war, pandemic but says fundamentals ‘are really good’

    Nvidia is expecting a $500 million hit to its global datacenter and consumer business in the second quarter due to COVID lockdowns in China and Russia's invasion of Ukraine. Despite those and other macroeconomic concerns, executives are still optimistic about future prospects.

    "The full impact and duration of the war in Ukraine and COVID lockdowns in China is difficult to predict. However, the impact of our technology and our market opportunities remain unchanged," said Jensen Huang, Nvidia's CEO and co-founder, during the company's first-quarter earnings call.

    Those two statements might sound a little contradictory, including to some investors, particularly following the stock selloff yesterday after concerns over Russia and China prompted Nvidia to issue lower-than-expected guidance for second-quarter revenue.

    Continue reading
  • Another AI supercomputer from HPE: Champollion lands in France
    That's the second in a week following similar system in Munich also aimed at researchers

    HPE is lifting the lid on a new AI supercomputer – the second this week – aimed at building and training larger machine learning models to underpin research.

    Based at HPE's Center of Excellence in Grenoble, France, the new supercomputer is to be named Champollion after the French scholar who made advances in deciphering Egyptian hieroglyphs in the 19th century. It was built in partnership with Nvidia using AMD-based Apollo computer nodes fitted with Nvidia's A100 GPUs.

    Champollion brings together HPC and purpose-built AI technologies to train machine learning models at scale and unlock results faster, HPE said. HPE already provides HPC and AI resources from its Grenoble facilities for customers, and the broader research community to access, and said it plans to provide access to Champollion for scientists and engineers globally to accelerate testing of their AI models and research.

    Continue reading

Biting the hand that feeds IT © 1998–2022