The Rubella Macro Builder has recently become popular in Russia. It is a crimeware kit that appears capable of evading basic antivirus defenses.
It is not a particularly sophisticated kit. Users renting it send out emails carrying Microsoft Word or Excel attachments and rely on the targets to enable the embedded malicious macros; once enabled, the macros drop a first-stage loader that then downloads and installs further malware on the victimized machine. The kit does not exploit any system vulnerability; it depends entirely on convincing the victim to open the attachment and enable macros.
“Despite being relatively new and unsophisticated, the kit has a clear appeal for cybercriminals: it’s cheap, fast and can defeat basic static antivirus detection,” said the Flashpoint researchers.
Most financially motivated cybercriminals aim to maximize margins and volume, and while the macro-and-substitution method is simple, its infection tactics work.
The analysts believe that the criminal gangs behind the recent Panda and GootKit banking malware both leveraged the Rubella first-stage loader as the initial stage of their recent attacks. Panda has been used extensively for targeted attacks via email attachments against Australian and U.K. banks. GootKit is one of the most sophisticated banking Trojans active today and was used in multiple recent online banking frauds.
“It is likely that the gangs are customers of the actor offering Rubella on the underground,” the researchers said. “Specifically, the gangs behind the Panda malware distribution appear to have targeted customers through various social-media platforms, as well as an Australian financial institution through Panda’s web-inject functionality.”
The best defense against it is not to open unknown email attachments, and certainly not to enable macros. If you think you may have been infected, you can also search your system for Rubella malware and seek further advice.
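Because the kit's only delivery mechanism is a macro-laden Word or Excel attachment, a mail gateway or triage script can flag any attachment that embeds VBA before a user ever sees the "Enable Content" prompt. The example below is added here and is not code from the article or from Flashpoint; it checks OOXML attachments (.docm/.xlsm-style zips) for a vbaProject.bin part or a macroEnabled content type, and legacy OLE attachments for the _VBA_PROJECT stream name, using a simple byte scan rather than a full OLE parser (an assumption that trades precision for brevity). Sample attachments are constructed in memory.

```python
import io
import zipfile

# Magic bytes of a legacy OLE2 compound file (.doc/.xls)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Directory entry name present in OLE files that carry a VBA project
# (stored as UTF-16LE in the OLE directory). Substring scan only: a real
# gateway should parse the OLE directory, e.g. with olefile/oletools.
VBA_PROJECT_MARKER = "_VBA_PROJECT".encode("utf-16-le")


def attachment_has_macros(data: bytes) -> bool:
    """Return True if an Office attachment embeds VBA macros."""
    if data.startswith(OLE_MAGIC):
        return VBA_PROJECT_MARKER in data
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            # OOXML stores macros in word/vbaProject.bin or xl/vbaProject.bin
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return True
            # Macro-enabled parts also declare a distinct content type
            if "[Content_Types].xml" in names:
                return b"macroEnabled" in zf.read("[Content_Types].xml")
    except zipfile.BadZipFile:
        pass  # not an Office zip at all; nothing to flag here
    return False


def build_sample_ooxml(with_vba: bool) -> bytes:
    """Constructed minimal OOXML-style attachment for testing (not a real doc)."""
    main_ct = ("application/vnd.ms-word.document.macroEnabled.main+xml"
               if with_vba else
               "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    f'<Types><Override PartName="/word/document.xml" ContentType="{main_ct}"/></Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00constructed-vba-blob")
    return buf.getvalue()


def triage(attachments: dict) -> list:
    """Return the names of attachments that should be quarantined for review."""
    return sorted(name for name, data in attachments.items() if attachment_has_macros(data))
```

Feeding `triage` the attachments pulled from a mail queue yields the subset that carries macros, which is the set a gateway policy should hold or strip regardless of whether the payload is Rubella specifically.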
“While relatively unsophisticated, the Rubella Macro Builder represents a moderate threat to various networks given its ability to defeat basic static antivirus detection,” Flashpoint said. “Its comparatively low pricing model may also add to the crimeware’s appeal.”