With Covert Macros, A Russian Hacking Group Attacks Banking Firms

A Russian Hacking Group Attacks Banking Firms With Covert Macros

A new phishing campaign, known as MirrorBlast, Russian threat actors attack financial sector firms using weaponized Excel documents that are very difficult to detect.

MirrorBlast’s most prominent characteristic is the campaign’s malicious Excel documents’ poor detection rates by the security software, placing companies that rely entirely on detection technologies in danger. These malicious documents’ creators went to great lengths to conceal harmful code, resulting in zero detections on VirusTotal.

On the other hand, these optimized documents contain downsides that the actors appear to be ready to tolerate as a trade-off. The macro code, for example, can only be run on a 32-bit version of Office.

If the victim is misled into opening the infected document and enabling content in Microsoft Office, the macro launches a JScript script that downloads and installs an MSI package. However, before that, the macro does a simple anti-sandboxing check to see if the computer name matches the user domain and if the username contains the words’ admin’ or ‘administrator.’

According to Morphisec experts who evaluated multiple samples of the dumped MSI package, it appears in two forms: one written in REBOL and the other in KiXtart. The base64-encoded REBOL variation begins by exfiltrating information such as the login, OS version, and architecture.

It then waits for a C2 command to start a Powershell session that will fetch the second stage. However, because the researchers were unable to extract that stage, its activities are unclear.

The KiXtart payload is likewise encrypted, and it tries to send basic machine data to the C2, such as the domain, user name, computer name, and process list.

The campaign’s perpetrators appear to be ‘TA505,’ a live Russian threat organization with a lengthy history of inventing new ways to thread Excel documents into spam operations.

Morphisec was able to link the perpetrators to the MirrorBlast campaign owing to infection chain similarities with previous operations, the usage of OneDrive, domain naming peculiarities, and the presence of an MD5 checksum discrepancy that indicates a 2020 attack performed by TA505.

TA505 is a highly skilled threat actor linked to a variety of harmful activities in the past. An evaluation of the actor’s work schedule by NCCGroup reveals a well-organized and well-structured organization that attacks with zero-day vulnerabilities and a range of malware strains.

TA505 is also linked to a slew of attacks that used a zero-day flaw in Accenture FTA secure file sharing devices to steal data from businesses.

The threat actors then tried to extort money from the firms by demanding a $10 million ransom in exchange for the data not being publicly leaked on their Clop data leak site.

As a result, the IT departments of the financial institutions targeted by the MirrorBlast campaign cannot afford to let down their defenses even for a second.

About the author

CIM Team

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.