APOMacroSploit is a macro builder that was to create weaponized Excel documents used in multiple phishing attacks. The threat actor behind the tool continuously updated it to evade detection.

The malware infection begins when the dynamic content of the attached XLS document is enabled, and an XLM macro automatically starts downloading a Windows system command script.

“The initial malicious document our customer received was an XLS file containing an obfuscated XLM macro called Macro 4.0. The macro is triggered automatically when the victim opens the document, and downloads a BAT file from cutt.ly.” continues the analysis. The execution of the command “attrib” enables the BAT script to hide in the victim’s machine.

The researchers noticed that the attackers made a mistake, The cutt[.]ly domain directly redirects to a download server and does not perform the request on the back end. The servers host the BAT files, for each file, the nickname of the customer was inserted inside of the filename.

The BAT script downloads the fola.exe malware for one of the following Windows versions;

Windows 10
Windows 8.1
Windows 8
Windows 7

In order to avoid detection, the BAT scripts add the malware location in the exclusion path of Windows Defender and disabling Windows cleanup before executing the malware.

The threat actors used a Delphi Crypter along with a second-stage malware, a remote access Trojan dubbed BitRAT.

BitRAT implements multiple features, including mining cryptocurrencies and RAT features. A Notepad.exe injected shellcode drops a VBS file in the startup folder to ensure persistency.

The researchers were able to unmask the real identity of Nitrix, because he revealed his actual name in a post on Twitter containing a picture of a ticket he bought for a concert in December 2014.