A 20-year-old man from the Netherlands accused of building and selling Office macro malware was arrested Wednesday.
The Dutch National Police's Team High Tech Crime (THTC) unit claimed the unnamed bloke, cuffed while at his computer as cops swooped on his home, was responsible for building, selling, and supporting the Rubella, Cetan, and Dryad malware kits.
The toolkits allowed criminals to build Office files with malicious macro code embedded in the documents. When the victim opened the file, usually delivered by spear-phishing or spam, the macro code would then proceed to download and open the malware payload.
While macro attacks are relatively old-school and don't generate headlines the way more exotic exploits and other forms of infection do, the poisoned documents remain a tried-and-true way for criminals to sneak malicious code onto victim machines, particularly at the enterprise level where workers are used to opening documents without much scrutiny. In this case, the macro kits were every bit as polished and professional as other crimeware packages, police said.
"The toolkit was marketed with colorful banners on different underground forums," said John Fokker and Thomas Roccia, two McAfee engineers who helped Dutch police track down the man.
"For the price of $500 per month you could use his toolkit to weaponize Office documents that bypass end-point security systems and deliver a malicious payload or run a PowerShell code of your choice."
Despite the seemingly sophisticated offering, the McAfee team said the developer left some very big clues that helped investigators track him down. Specifically, his obvious ties to the Netherlands.
Fokker and Roccia said they had a breakthrough when the author posted to a forum a screenshot of his malware bypassing the anti-malware tools in a localized version of Windows.
"Being a Dutch researcher, this screenshot immediately stood out because of the Dutch version of Microsoft Word that was used," the pair explained. "Dutch is a very uncommon language, only a small percentage of the world’s population speaks it, let alone an even smaller percentage of cybercriminals who use it."
At that point, McAfee said, the team turned to clues in the metadata of the attack files. The THTC also joined in, and eventually they were able to trace those clues and the author's screen names back to one individual in Utrecht.
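The two investigative threads the article describes, spotting a macro-carrying Office file and pulling attribution clues out of its metadata, can be illustrated with a small triage script. The following is an added example, not code from McAfee, the Dutch police, or the malware kits themselves. It assumes the attack file is a modern OOXML (.docm) package, which is a ZIP archive; the sample document it builds is constructed inline with made-up values (the author name, the Dutch locale tag) purely to exercise the parser, and the vbaProject.bin placeholder is not a real macro project.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# XML namespaces used by docProps/core.xml in OOXML packages.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}
# Content type Word assigns to the main part of a macro-enabled document (.docm).
MACRO_CONTENT_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"


def build_sample_docm() -> bytes:
    """Constructed sample: a minimal macro-enabled document skeleton.

    The metadata values (creator, lastModifiedBy, language) are invented for
    the example; the vbaProject.bin body is a placeholder, not a real VBA project.
    """
    core_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        "<dc:creator>bouwer</dc:creator>"
        "<cp:lastModifiedBy>Gebruiker</cp:lastModifiedBy>"
        "<dc:language>nl-NL</dc:language>"
        '<dcterms:created xsi:type="dcterms:W3CDTF">2019-05-20T09:14:00Z</dcterms:created>'
        "</cp:coreProperties>"
    ) % (NS["cp"], NS["dc"], NS["dcterms"])
    content_types = (
        '<?xml version="1.0"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Override PartName="/word/document.xml" ContentType="%s"/>'
        '<Override PartName="/word/vbaProject.bin" '
        'ContentType="application/vnd.ms-office.vbaProject"/>'
        "</Types>"
    ) % MACRO_CONTENT_TYPE
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("docProps/core.xml", core_xml)
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


def triage(data: bytes) -> dict:
    """Report macro indicators and authoring metadata for an OOXML document."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        # Two independent macro indicators: the VBA part itself, and the
        # macro-enabled content type declared for the main document part.
        has_vba = "word/vbaProject.bin" in names
        ctypes = z.read("[Content_Types].xml").decode("utf-8") if "[Content_Types].xml" in names else ""
        macro_enabled = MACRO_CONTENT_TYPE in ctypes
        meta = {}
        if "docProps/core.xml" in names:
            root = ET.fromstring(z.read("docProps/core.xml"))
            for key, path in (
                ("creator", "dc:creator"),
                ("last_modified_by", "cp:lastModifiedBy"),
                ("language", "dc:language"),
                ("created", "dcterms:created"),
            ):
                el = root.find(path, NS)
                if el is not None and el.text:
                    meta[key] = el.text.strip()
    return {
        "has_vba_project": has_vba,
        "macro_enabled_content_type": macro_enabled,
        "metadata": meta,
    }


if __name__ == "__main__":
    print(triage(build_sample_docm()))
```

Two caveats a practitioner would keep in mind. First, core.xml is plain text that the builder of the document fully controls, so a creator name or locale tag is a lead to corroborate against forum posts and screen names, as the investigators did, not proof by itself. Second, this only handles the ZIP-based formats; legacy binary .doc files are OLE compound documents and need an OLE parser (for example the oletools suite) to reach both the macro streams and the summary-information metadata.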
After the arrest, police said the man had collected around €20,000 in cryptocurrency from malware sales. That money has been seized while the suspect awaits trial. He was also in possession of card skimming information and logins for thousands of websites, it is claimed. ®