{"id":95824,"date":"2019-07-16T21:00:56","date_gmt":"2019-07-17T04:00:56","guid":{"rendered":"https:\/\/securingtomorrow.mcafee.com\/?p=95824"},"modified":"2025-06-02T19:48:34","modified_gmt":"2025-06-03T02:48:34","slug":"mcafee-atr-aids-police-in-arrest-of-the-rubella-and-dryad-office-macro-builder-suspect","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/mcafee-atr-aids-police-in-arrest-of-the-rubella-and-dryad-office-macro-builder-suspect\/","title":{"rendered":"McAfee ATR Aids Police in Arrest of Rubella & Dryad Office Macro Builder"},"content":{"rendered":"

Everyday thousands of people receive emails with malicious attachments in their email inbox. Disguised as a missed payment or an invoice, a cybercriminal sender tries to entice a victim to open the document and enable the embedded macro. This macro then proceeds to pull in a whole array of nastiness and infect a victim\u2019s machine. Given the high success rate, malicious Office documents remain a preferred weapon in a cyber criminal\u2019s arsenal. To take advantage of this demand and generate revenue, some criminals decided to create off-the-shelf toolkits for building malicious Office documents. These toolkits are mostly offered for sale on underground cybercriminal forums.<\/p>\n

Announced today, the Dutch National High-Tech Crime Unit (NHTCU) arrested an individual suspected of building and selling such a criminal toolkit named the Rubella Macro Builder. McAfee Advanced Threat Research spotted the Rubella toolkit in the wild some time ago and was able to provide NHTCU with insights that proved crucial in its investigation. In the following blog we will explain some of the details we found that helped unmask the suspected actor behind the Rubella Macro Builder.<\/p>\n

What is an Office Macro Builder?<\/h2>\n

An Office Macro Builder is a toolkit designed to weaponize an Office document so it can deliver a malicious payload by the use an obfuscated macro code that purposely tries to bypass endpoint security defenses. By using a toolkit dedicated to this purpose, an actor can push out higher quantities of malicious documents and successfully outsource the first stage evasion and delivery process to a specialized third party. Below is an overview with the general workings of an Office Macro Builder. The Defense evasion shown here is specific to Rubella Office Macro Builder. Additional techniques can be found in other builders.<\/p>\n

\"\"<\/p>\n

Dutch Language OpSec fail\u2026.<\/h2>\n

Rubella Macro Builder is such a toolkit and was offered by an actor by the same nickname \u201cRubella\u201d. The toolkit was marketed with colorful banners on different underground forums. For the price of 500 US Dollars per month you could use his toolkit to weaponize Office documents that bypass end-point security systems and deliver a malicious payload or run a PowerShell Code of your choice.<\/p>\n

\"\"<\/p>\n

Rubella advertisement banner<\/em><\/p>\n

In one of Rubella\u2019s forum postings the actor was detailing the toolkit and that it managed to bypass the Windows Anti Malware Scan Interface (AMSI) present in Windows 10. To prove this success, the post contained a link to a screenshot. Being a Dutch researcher, this screenshot immediately stood out because of the Dutch version of Microsoft Word that was used. Dutch is a very uncommon language, only a small percentage of the world\u2019s population speaks it, let alone an even smaller percentage of cybercriminals who use it.<\/p>\n

\"\"<\/p>\n

The linked screenshot with the Dutch version of Microsoft Word.<\/em><\/p>\n

Interestingly enough we reported<\/a> last year on the individuals behind Coinvault ransomware. One of the reasons they got caught was the use of flawless Dutch in their code. With this in the back of our minds we decided to go deeper down the rabbit hole.<\/p>\n

Forum Research<\/h2>\n

We looked further into the large amount of posts by Rubella<\/em> to learn more about the person behind the builder. The actor Rubella<\/em> was actually promoting a variety of different, some self-written, products and services, ranging from (stolen) credit card data, a crypto wallet stealer and a malicious loader software to a newly pitched product called Tantalus ransomware-as-a-service.<\/p>\n

\"\"<\/p>\n

During our research we were able to link different nicknames used by the actor on several forums across a timespan of many years. Piecing it all together, Rubella showed a classic growth pattern of an aspiring cybercriminal, started by gaining technical security knowledge on beginner forums with low op-sec and gradually moved to some of the bigger, exclusive forums to offer products and services.<\/p>\n

PDB path Breitling<\/h2>\n

One of the posts Rubella placed on a popular hacker forum was promoting a piece of free software the actor coded to spoof email. The posting contained a link to VirusTotal and included a SHA-256 hash of the software. This gained our interest since it provided a possibility to link the adversary to the capability.<\/p>\n

\"\"<\/p>\n

Email spoofer posting including the VirusTotal link\u00a0 <\/em><\/p>\n

Closer examination of the piece of software on VirusTotal showed that the mail Spoofer contained a debug or PDB path \u201cC:\\Users\\Breitling\u201d. Even though the username Breitling isn\u2019t very revealing about an actual person, leaving such a specific PDB path within malware is a classic mistake.<\/p>\n

\"\"<\/p>\n

By pivoting on the specific PDB path we found additional samples on VirusTotal, including a file that was named RubellaBuilder.exe, which was a version of the Macro builder that Rubella was offering. Later in the blog post we will take a closer look at the builder itself.<\/p>\n

\"\"<\/p>\n

Finding additional samples with the Breitling PDB path<\/em><\/p>\n

Since Breitling was most likely the username used on the development machine, we were wondering if we could find Office documents that were crafted on the same machine and thus also containing the author name Breitling. We found an Office document with Breitling as author and the document happened to be created with a Dutch version of Microsoft Word.<\/p>\n

\"\"<\/p>\n

The Word document containing the author name Breitling.<\/em><\/p>\n

Closer inspection of the content of the Word document revealed that it also contained a string with the familiar Jabber account of Rubella<\/em>; Rubella(@)exploit.im.<\/p>\n

\"\"<\/p>\n

The Malicious document containing the string with the actor\u2019s jabber account.<\/em><\/p>\n

Circling back to the forums we found an older posting under one of the nicknames we could link to Rubella. In this posting the actor is asking for advice on how to add a registry key using C#. They placed another screenshot to show the community what they were doing. This behavior clearly shows a lack of skill but at the same time his thirst for knowledge.<\/p>\n

\"\"<\/p>\n

Older posting where the actor asks for help.<\/em><\/p>\n

A closer look at the screenshot revealed the same PDB path C:\\Users\\Breitling\\.<\/p>\n

\"\"<\/p>\n

Screenshot with the Breitling PDB path<\/em><\/p>\n

Chatting with Rubella<\/h2>\n

Since Rubella<\/em> was quite extroverted on the underground forums and had stated Jabber contact details in advertisements we decided to carefully initiate contact with him in the hope that we would get access to some more information. About a week after we added Rubella<\/em> to our Jabber contact list, we received a careful \u201cHi.\u201d We started talking and posing as a potential buyer, carefully mentioning our interest the Rubella Macro Builder. During this chat Rubella<\/em> was quite responsive and as a real businessperson, mentioned that he was offering a new \u201cmore exclusive\u201d Macro Builder named Dryad. Rubella<\/em> proceeded to share a screenshot of Dryad with us.<\/p>\n

\"\"<\/p>\n

Screenshot of Dryad shared by Rubella<\/em><\/p>\n

\u00a0<\/em>Eventually we ended our conversation in a friendly manner and told Rubella we would be in touch if we remained interested.<\/p>\n

Dryad Macro Builder<\/h2>\n

Based on the information provided from the chat with Rubella we performed a quick search for Dryad Macro Builder. We eventually found a sample of the Dryad Macro Builder and decided to further analyze this sample and compare it for overlap with the Rubella Macro Builder.<\/p>\n

PE Summary<\/h3>\n

\"\"<\/p>\n

We noticed that the program was coded in .NET Assembly which is usually a preferred language for less skilled malware coders.<\/p>\n

Dynamic Analysis<\/h3>\n

When we ran the application, it asked us to enter a login and password in order to run.<\/p>\n

\"\"<\/p>\n

We also noticed a number-generated HWID (Hardware-ID) that was always the same when running the app. The HWID number is a unique identifier specific to the machine it was running on and was used to register the app.<\/p>\n

When trying to enter a random name we detected a remote connection to the website \u2018hxxps:\/\/tailoredtaboo.com\/auth\/check.php\u2019 to verify the license.<\/p>\n

\"\"<\/p>\n

The request is made with the following parameters \u2018hwid=<HWID>&username=<username>&password=<password>\u2019.<\/p>\n

Once the app is running and registered it shows the following interface.<\/p>\n

\"\"<\/p>\n

In this interface it is possible to see the function proposed by the app and it was similar to the screenshot that was shared during our chat.<\/p>\n

Basically, the tool allows the following:<\/p>\n