Rubella crimeware kit gaining popularity with ‘script kiddies’

Some of the most dangerous threats that cybersecurity experts face manifest themselves in surprising areas. I am referring to “script kiddies,” individuals who are largely ignorant of the tools they use to “hack” their victims. On the Dark Web there are numerous underground forums where skiddies can buy anything from rootkits to ready-to-deploy botnets for DDoS attacks. This is the case with a new crimeware kit that is gaining traction in the cybercriminal world and popping up on the radar of security researchers. According to researchers at Flashpoint, a crimeware kit dubbed “Rubella” has become popular on hacking forums located in Eastern Europe (especially Russia). Reasons for its popularity include a relatively low price of $120, an ability to dodge basic AV scans, and a complex set of tools that includes the following:

Various encryption algorithm choices (XOR and Base64), download methods (PowerShell, Bitsadmin, Microsoft.XMLHTTP, MSXML2.XMLHTTP, custom PowerShell payload), payload execution methods (executable, JavaScript, Visual Basic Script), and the ability to easily deploy social engineering decoy themes with an Enable Content feature turned on to run the macro.

The actual payload is delivered to the victim via social engineering (presumably the customer is given a guide on how to craft these emails). The email contains either a Microsoft Word or Excel document that, once the macro is enabled, infects the machine.
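The infection chain described above (an Office document whose macro, once enabled, pulls the payload down with PowerShell or Bitsadmin, or runs a JavaScript/VBScript stage) leaves a recognisable parent/child process pattern that defenders can alert on. The following is an added example, not code from the article, from Flashpoint or from the kit: it scans constructed process-creation records (a simplified stand-in for Sysmon event 1 / Windows 4688 data, not a real log format) and flags Office hosts spawning the download tools and script hosts named in the kit's feature list. The assumption that the JavaScript and VBScript execution options run through wscript.exe/cscript.exe is mine, not the article's.

```python
"""
Flag Office applications spawning the downloaders / script hosts that the
Rubella feature list advertises.  Added example; constructed log data.

Record format (constructed, pipe-separated):
    timestamp|host|image|parent_image|command_line
"""
from typing import Optional

# Office hosts that execute the macro (the parent side of the chain).
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Children matching the kit's advertised download methods.
DOWNLOADER_CHILDREN = {"powershell.exe", "pwsh.exe", "bitsadmin.exe"}

# Children for the JavaScript / VBScript execution options.  Assumption:
# those payloads are run through Windows Script Host.
SCRIPT_HOST_CHILDREN = {"wscript.exe", "cscript.exe"}

# Constructed sample records: one benign Word child (print spooler helper),
# two Office->downloader chains, one PowerShell launched from Explorer
# (benign), one Office->script-host chain, and one malformed line.
SAMPLE_LOG = """\
2018-05-01T10:02:09Z|ws01|C:\\Windows\\splwow64.exe|C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|splwow64.exe 12288
2018-05-01T10:02:11Z|ws01|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|powershell.exe -w hidden <constructed args>
2018-05-01T10:03:40Z|ws02|C:\\Windows\\System32\\bitsadmin.exe|C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE|bitsadmin.exe /transfer <constructed args>
2018-05-01T10:05:02Z|ws03|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|C:\\Windows\\explorer.exe|powershell.exe -NoProfile
2018-05-01T10:06:15Z|ws01|C:\\Windows\\System32\\wscript.exe|C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|wscript.exe <constructed path>
this line is malformed and must be skipped
"""


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_record(line: str) -> Optional[dict]:
    """Split one record into fields; return None for malformed lines."""
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5:
        return None
    ts, host, image, parent, cmdline = parts
    return {"ts": ts, "host": host, "image": image,
            "parent": parent, "cmdline": cmdline}


def classify(record: dict) -> Optional[str]:
    """Severity for an Office->child pair, or None if not suspicious."""
    parent = basename(record["parent"])
    child = basename(record["image"])
    if parent not in OFFICE_HOSTS:
        return None
    if child in DOWNLOADER_CHILDREN:
        return "high"      # macro reaching out to fetch a payload
    if child in SCRIPT_HOST_CHILDREN:
        return "medium"    # macro handing off to a JS/VBS stage
    return None


def scan(log_text: str) -> list:
    """Return (severity, host, parent, child, timestamp) for each hit."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue           # skip malformed records rather than crash
        severity = classify(rec)
        if severity:
            findings.append((severity, rec["host"], basename(rec["parent"]),
                             basename(rec["image"]), rec["ts"]))
    return findings


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("%-6s %s %s -> %s at %s" % hit)
```

One caveat worth keeping in mind: the Microsoft.XMLHTTP and MSXML2.XMLHTTP download methods in the kit's list are COM objects that the macro drives from inside the Office process itself, so they never produce a child process and this parent/child rule will not see them. Covering those requires network telemetry attributed to the Office executable (for example, WINWORD.EXE making outbound HTTP requests), not process-creation events alone.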

I have written for some time about the persistent dangers of phishing emails with such attachments. I continue to write about them because the threat (as Rubella shows) is still effective and damaging. The Rubella crimeware kit has been linked, according to Flashpoint, to banking malware like Panda and Gootkit.

It is apparent that this kit allows further malware to be downloaded post-infection. In many ways, you can think of Rubella crimeware kit customers as pawns in a bigger game of chess played by the creators of the kit: the creators gain access through the minions who purchased their crimeware, and are then able to make a bigger mess (most likely for financial gain) as a result.

To protect yourself, don’t enable macros in documents from unknown sources, and keep your operating system patched with the latest updates.
