Employees at financial organizations are being targeted using weaponized Excel documents as part of a new phishing campaign aimed at infiltrating corporate networks.
While the campaign, which has been dubbed MirrorBlast, was first detected in September by the cybersecurity firm ET Labs, another cybersecurity firm called Morphisec has now analyzed the malware used in the campaign and reported its findings in a new blog post.
Morphisec warns that the malicious Excel files used in the campaign are particularly dangerous due to the fact that they can bypass malware detection systems as they contain “extremely lightweight” embedded macros.
- We've put together a list of the best antivirus software available
- Keep your devices virus free with the best malware removal software
- Also check out our roundup of the best endpoint protection software
Although macros are disabled by default in Microsoft's office software, cybercriminals often trick users into enabling them by using clever social engineering. At the same time, attackers have switched from using newer VBA macros to legacy XLM macros in order to bypass anti-malware systems.
After analyzing the malware used in MirrorBlast, Morphisec believes that the Russia-based cybercriminal group TA505 is behind this new campaign.
This is due to similarities in the attack chain, the GetandGo functionality used by malware, the final payload and the domain name pattern. TA505 has been active since at least 2014 and the group is known for frequently changing its malware to avoid detection.
Although MirrorBlast attacks start with a document attached to an email, the campaign later employs a Google feedproxy URL with a SharePoint and OneDrive lure. When a user clicks on this link, they are taken to either a compromised SharePoint site or a fake OneDrive site to download the attacker's weaponized Excel document.
This MSI installer leverages two legitimate scripting tools called KiXtart and REBOL. The KiXtart script is employed first to send system information from a victim's machine to the attacker's command and control server while the REBOL script leads to a remote access tool called FlawedGrace which TA505 has used in past attacks.
- We've also featured the best ransomware protection
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.