Author of Dryad and Rubella Macro Builders Arrested

Dutch authorities this week announced the arrest a 20-year old man for allegedly developing and distributing Office Macro Builders. 

Such programs are designed to allow cybercriminals weaponize Office documents to deliver malicious payloads via obfuscated macro code. The macro might also purposely attempt to bypass endpoint security defenses. 

Once the document containing such a malicious macro is opened, the code would be executed, which could surreptitiously download malware or start a program on the device. 

The arrested individual, a resident of the Dutch city of Utrecht, is said to have created and distributed toolkits named Rubella, Cetan and Dryad. Aided by McAfee and another private company, the Dutch authorities managed to trace various online handles on hacking forums to the man. 

According to the authorities, the suspect sold the macro builder Rubella for prices ranging from a couple of hundred to thousands of euros. According to McAfee, Dryad and Rubella are very similar, and a conversation with the suspect revealed that the individual was behind both of them. 

The man was also “found in possession of data concerning dozens of credit cards and manuals on carding, a type of credit card fraud,” the Dutch authorities reveal. Moreover, the suspect had in possession access credentials for thousands of websites. 

The man reportedly collected around 20,000 Euro (around $22,000) in crypto currency such as Bitcoins. 

“Toolkits that build weaponized Office documents, like Dryad and Rubella, cater to the increasing cybercriminal demand of this type of infection vector. With the arrest of the suspect comes an end to the era of Dryad and Rubella Macro Builder,” McAfee notes. 

Related: Macro-Based Multi-Stage Attack Delivers Password Stealer

Related: Macro Malware Comes to macOS

Related: Office Loader Uses Macros to Drop Array of Malware