Macro builder has been implicated in Panda and Gootkit campaigns

A crimeware kit that allows attackers to create custom malware delivery payloads is gaining popularity on the dark web, researchers have discovered.

Intelligence analysts at Flashpoint recently pulled focus on the Rubella Macro Builder, which allows the generation of Microsoft Word (.doc) and Microsoft Excel (.xls) payloads.

While the builder itself does not utilize any exploits, the software acts as a first-stage loader for malware downloads and installations on target machines, the researchers said.

First offered for sale in late February for $500 per month, Flashpoint said the macro builder has since undergone numerous updates, including various encryption algorithm choices, new download and payload execution methods, and new decoy themes for social engineering.

As of April, a three-month Rubella Macro Builder license was available on the dark web for just $120.

Flashpoint said Rubella had been utilized in the distribution of the Panda and Gootkit banking malware, which feature credential harvesting capabilities, browser infection through web injection, and remote device access via a hidden virtual network computing (VNC) module.

“Microsoft Office macro-based malware appears to still be threat actors’ preferred method for obtaining initial access to compromised machines,” the researchers stated.

“While relatively unsophisticated, the Rubella Macro Builder represents a moderate threat to various networks given its ability to defeat basic static antivirus detection. Its comparatively low pricing model may also add to the crimeware’s appeal.”