Dutch police have arrested a man suspected of developing and selling toolkits designed to build malicious Office documents for use in attacks.
In a statement on Wednesday, the country’s high-tech crime team (THTC) revealed it had apprehended a 20-year-old Utrecht man after monitoring his participation in hacking forums, with help from McAfee.
He’s suspected of selling specialized off-the-shelf toolkits such as Rubella Macro Builder which effectively weaponize Office docs by enabling them to use obfuscated macro code to deliver a malicious payload, bypassing traditional security filters in the process.
However, in one of the man’s suspected posts to a hacking forum, investigators spotted use of a Dutch version of Microsoft Word. Given the relatively small global population that speaks the language, McAfee researchers went on the hunt for more clues.
“During our research we were able to link different nicknames used by the actor on several forums across a time span of many years,” the vendor said in a blog post. “Piecing it all together, Rubella showed a classic growth pattern of an aspiring cyber-criminal, started by gaining technical security knowledge on beginner forums with low op-sec and gradually moved to some of the bigger, exclusive forums to offer products and services.”
On arrest, the suspect was found with data on dozens of credit cards and manuals on carding, as well as access credentials for thousands of websites.
“The suspect has collected an amount of approx. €20,000 in cryptocurrency such as Bitcoins. These have been seized. The investigation into further amounts the young man may have (unlawfully) earned will continue. In due course, a confiscation order will be issued,” a police statement noted.
“The public prosecutor has meanwhile decided that the suspect will have to face trial. No court date has yet been set.”