The Dutch National High-Tech Crime Unit (NHTCU) arrested a 20-year-old Utrecht, Netherlands man, alleging he is the creator and distributor of a macro toolkit that has enabled cybercriminals to send phishing emails with malicious Office document attachments.

The man, who was not named but went by the handle “Rubella” in online forums, is believed to have developed the eponymously-named macro builder Rubella and then selling and renting the kit on the dark web for prices ranging from several hundred to several thousand Euros. Police seized about 20,000 Euros in cryptocurrency that police believe the man earned through the sale of his toolkits. The suspect was tracked down in a joint operation between Dutch authorities and McAfee and was arrested in his home while sitting at his computer, the NHTCU  wrote in a release.

“Furthermore, the suspect was found in possession of data concerning dozens of credit cards and manuals on carding, a type of credit card fraud. The young man also possessed access credentials for thousands of websites. It is not known what he was planning to do with these,” the police said.

Macro toolkits like Rubella are designed to weaponize Microsoft Office documents and bypass endpoint security systems, enabling the documents to deliver a wide variety of malware. Distribution is handled through phishing emails.

“By using a toolkit dedicated to this purpose, an actor can push out higher quantities of malicious documents and successfully outsource the first-stage evasion and delivery process to a specialized third party,” McAfee said in a blog post.

McAfee said that Rubella advertised his toolkit with colorful banners and postings on various online forums. This last act led to his undoing.

Being from The Netherlands, Rubella posted some documents that used the Dutch version of Windows, 10 which caught the eye of fellow Dutchman John Fokker, who happens to be head of cyber investigations for McAfee Advanced Threat Research, and a former member of the NHTCU.

“Interestingly enough, we reported last year on the individuals behind Coinvault ransomware. One of the reasons they got caught was the use of flawless Dutch in their code. With this in the back of our minds, we decided to go deeper down the rabbit hole,” wrote Fokker, who co-authored the blog post with fellow McAfee researcher Thomas Roccia.

Further research into Rubella’s writing found he was also behind a myriad of other malicious tools, including a crypto wallet stealer, a malicious loader software and a newly pitched product called Tantalus ransomware-as-a-service.

Another note on a popular hacker site contained a link to an email spoofer he wrote and posted to VirusTotal. The spoofer contained the debug or PDB path “C:\Users\Breitling, Fokker said. This was a tactical mistake because the spoofer name Breitling could then be traced to other posts on VirusTotal. Several were found, including a file named Rubella.exe.

Fokker and his team then really put on their detective hats, using the gathered evidence to nail the suspect.

“Since Breitling was most likely the username used on the development machine, we were wondering if we could find Office documents that were crafted on the same machine and thus also containing the author name Breitling. We found an Office document with Breitling as author and the document happened to be created with a Dutch version of Microsoft Word,” Fokker wrote, adding, “Closer inspection of the content of the Word document revealed that it also contained a string with the familiar Jabber account of Rubella; Rubella(@)exploit.im.”

Since Rubella was a chatty fellow, Fokker decided to use that trait against him by instigating a conversation on Jabber while posing as a potential buyer. During this conversation, Rubella mentioned he also had a macro builder named Dryad available.

Neither Fokker nor the NHTCU gave any specific details on how all these clues were eventually used to find and arrest Rubella.