Research

The origin story of APT32 macros: The StrikeSuit Gift that keeps giving

Everyone loves an origin story. When the world learns of new malware and attacks, we are often left pondering the motivations, mulling over the attribution, and sifting through the nitty-gritty bits and bytes to understand the TTPs and tradecraft. Why was it done, who was behind it, and how did they do it? Analysts, researchers, and investigators of all sorts spend time plotting the dots, drawing connections between data points, helping the evidence speak, and passing judgment on areas of uncertainty.

When we dive deep into malware and attacks, we often are left interpreting nuanced artifacts to help us get a glimpse into the original malware development environment. We look to debug information and PDB paths to make inferences about the developer workstations. We look to the Rich header metadata to help understand the specifics of the linker, compiler, and architecture of the original development machine. We examine specific malicious functions within a piece of malware to identify code reuse. We identify notable libraries to tease out pieces of software that may be borrowed from public projects around the internet.

Part of the fun of analysis is the challenge of the puzzle and the relentless pursuit of insight in the face of complex, limited, or opaque data. Yet, sometimes we get lucky, and we stumble on a piece of malware source code to get a more intimate look at the malware author, a clearer window into the original development environment, and a naked look at the malware itself.

This origin story is for all you Visual Basic macro fans out there. In this report, we unearth a demon from the ancient world: a mysterious malware source code package called StrikeSuit Gift. We examine this source code package in detail and dive deep into development conventions, tradecraft, toolmarks, and potential connections to the threat actor APT32.