Cheap crimeware kits help wannabe hackers get into the malware business

Latest kit costs $40 a month and allows users to conduct mass campaigns.
Written by Danny Palmer, Senior Writer

    A new crimeware kit for sale on a hacking forum is offering aspiring cybercriminals a cheap way to launch malware spam campaigns.

    Uncovered by researchers at Flashpoint, the kit was first offered for sale in February for $500; two months later, the price has already been reduced to just $120 for a three-month license.

    It's available on high-profile Russian-speaking and English-speaking underground forums and has been observed being used by various cybercriminal groups of different sizes, reflecting how easy it is for criminals to launch malware campaigns.

    It comes with a raft of enhanced features including encryption algorithm choices, download methods and payload models, indicating those behind it are putting work into updating and developing the illicit product.

    The kit, known as Rubella Macro Builder, isn't designed to deliver any particular payload, but rather to let users distribute whatever they choose as widely as possible; payloads can be delivered as executables, JavaScript or Visual Basic Script.

    "The Rubella Macro Builder is designed to be used in massive spam campaigns, not to target any specific organisations or individuals. Most spammers cast as wide a net as possible to reach as many potential victims as possible," said Paul Burbage, malware researcher at Flashpoint.

    The malware can also evade basic antivirus detection by relying on Visual Basic Script obfuscation methods such as XOR, Base64 encoding, and simple padding.
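As an added illustration (not code from the article or from Flashpoint), the following Python heuristics flag the three obfuscation traits named above in extracted macro source text; the sample macro, the regexes and the scoring scheme are constructed for this example and are not Rubella output.

```python
import base64
import re

# Constructed sample of macro source text (NOT Rubella output). It only
# imitates the three obfuscation styles the article names so that each
# heuristic has something to fire on.
SAMPLE_B64 = base64.b64encode(b"constructed-sample-text").decode()
SAMPLE_MACRO = f'''
Sub AutoOpen()
    Dim a As String
    a = "{SAMPLE_B64}"
    Dim b As String
    b = b & Chr(Asc(Mid(a, 1, 1)) Xor 42)
    Dim pad1 As String: pad1 = "{'x' * 60}"
End Sub
'''

# Quoted literal that looks like a Base64 blob (24+ alphabet chars, optional '=').
B64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{24,}={0,2})"')
# Chr(...) built from an Xor expression: a byte-at-a-time XOR decoder.
XOR_DECODE = re.compile(r'\bChr\s*\(.*?\bXor\b', re.IGNORECASE)
# Quoted literal made of one character repeated 20+ times: junk padding.
PADDING = re.compile(r'"((.)\2{19,})"')
# Macro entry points that run without user interaction beyond "enable content".
AUTORUN = re.compile(r'\b(AutoOpen|Document_Open|Workbook_Open)\b')


def decodes_to_text(blob: str) -> bool:
    """True if the blob is valid Base64 whose bytes are all printable ASCII."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(raw) > 0 and all(32 <= c < 127 for c in raw)


def score_macro(text: str) -> dict:
    """Count obfuscation indicators in macro source and return them with a score."""
    b64 = [m for m in B64_LITERAL.findall(text)
           if len(set(m)) > 4 and decodes_to_text(m)]  # skip repeated-char padding
    findings = {
        "base64_literals": b64,
        "xor_chr_decoders": len(XOR_DECODE.findall(text)),
        "padded_literals": len(PADDING.findall(text)),
        "autorun": bool(AUTORUN.search(text)),
    }
    findings["score"] = (len(b64) + findings["xor_chr_decoders"]
                         + findings["padded_literals"] + int(findings["autorun"]))
    return findings
```

The score is a triage aid for macro text pulled out of a suspicious Word or Excel attachment, not a verdict; a score of zero on a clean macro and several hits on the constructed sample shows the intended behaviour.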

    Once installed on a system, the Rubella-generated malware acts as a first-stage loader, downloading and installing other malware onto infected machines. One payload seen delivered this way is the Panda banking Trojan, an offshoot of the Zeus family; Gootkit has also been distributed using the kit.

    The malware is delivered to victims using phishing emails with Microsoft Word or Excel attachments, which use techniques such as asking users to 'enable content' to see the document. Of course, this is just a trick to encourage the users to enable macros so that the hidden malicious code can run and install itself on the machine.

    The phishing emails themselves follow the common themes of this sort of attack such as telling the victim they've missed a parcel delivery, but those using it can also build custom lures.

    While Rubella Macro Builder is described as unsophisticated, researchers say it still represents a threat to networks because it can bypass basic antivirus protection, and the whole package is appealing to cybercriminals because of its low price point. One known target of these attacks is said to be an Australian financial institution.

    The attacks have been successful, but researchers say that falling victim to Rubella Macro Builder campaigns can be avoided by teaching users to "exercise caution with email messages that contain suspicious Microsoft Word or Excel attachments, which are the primary method of distributing Rubella-generated first-stage loaders".

    Flashpoint has detailed a list of Indicators of Compromise to aid organisations in their fight against the attacks.
