Employees at financial organizations are being targeted using weaponized Excel documents as part of a new phishing campaign aimed at infiltrating corporate networks.
While the campaign, which has been dubbed MirrorBlast, was first detected in September by the cybersecurity firm ET Labs, another cybersecurity firm called Morphisec has now analyzed the malware used in the campaign and reported its findings in a new blog post.
Morphisec warns that the malicious Excel files used in the campaign are particularly dangerous due to the fact that they can bypass malware detection systems as they contain “extremely lightweight” embedded macros.
- We've put together a list of the best antivirus software available
- Keep your devices virus free with the best malware removal software
- Also check out our roundup of the best endpoint protection software
Although macros are disabled by default in Microsoft's office software, cybercriminals often trick users into enabling them by using clever social engineering. At the same time, attackers have switched from using newer VBA macros to legacy XLM macros in order to bypass anti-malware systems.
MirrorBlast
After analyzing the malware used in MirrorBlast, Morphisec believes that the Russia-based cybercriminal group TA505 is behind this new campaign.
This is due to similarities in the attack chain, the GetandGo functionality used by malware, the final payload and the domain name pattern. TA505 has been active since at least 2014 and the group is known for frequently changing its malware to avoid detection.
Although MirrorBlast attacks start with a document attached to an email, the campaign later employs a Google feedproxy URL with a SharePoint and OneDrive lure. When a user clicks on this link, they are taken to either a compromised SharePoint site or a fake OneDrive site to download the attacker's weaponized Excel document.
Thankfully though, the macro code used by MirrorBlast can only be executed on the 32-bit version of Office due to a lack of compatibility with ActiveX objects. From here, the macro executes JavaScript code to see if a computer is running in administrator mode before launching msiexec.exe which is used to download and install an MSI package.
This MSI installer leverages two legitimate scripting tools called KiXtart and REBOL. The KiXtart script is employed first to send system information from a victim's machine to the attacker's command and control server while the REBOL script leads to a remote access tool called FlawedGrace which TA505 has used in past attacks.
- We've also featured the best ransomware protection
Via ZDNet
