Russia-based threat group TA505 is deploying a weaponized Excel document in a new malware campaign, tracked as MirrorBlast, targeting financial organizations.
According to cybersecurity experts at Morphisec Labs, the most significant feature of the new MirrorBlast campaign is the low detection rates of malicious Excel documents by the security software, putting organizations at high risk that rely solely upon detection tools.
Evasive technique
The developers of the malware campaign use phishing emails to mount the first phase of its attack. The initial email contains an Excel document that uses a macro. The macro, which can only be executed on a 32-bit version of Office due to ActiveX compatibility issues, contains a lightweight Office file designed to bypass detection.
"The macro code performs anti-sandboxing by checking if these queries are true: computer name is equal to the user domain; and username is equal to admin or administrator," the researchers explained. "We have observed different variants of the document; in the first variants there wasn’t any anti-sandboxing and the macro code was hidden behind the Language and Code document information properties. Later it moved to the sheet cells. In addition, the code has added one more obfuscation layer on top of the previous obfuscation."
Upon installation, the command executes JScript, which generates the msiexec.exe process responsible for downloading and installing the MSI package. The dropped MSI package, comes in two variants, one written in REBOL and one in KiXtart, according to researchers who analyzed several samples of the dropped MSI package.
Subsequently, the MSI package sends the machine's information to a command and control (C2) server, including the computer name, user name, and a list of running processes. The C2 server then responds with a code telling the software how to proceed. The malware campaign also uses a Google feed proxy URL with a fraudulent message requesting the user to access a SharePoint or Onedrive file. This helps the attackers evade detection, Morphisec said.
Since September 2021, the malware campaign has targeted multiple institutions in regions such as Canada, the US, Hong Kong, and Europe. Morphisec tied the attack to TA505, an active Russian threat group that has been operating since 2014 and has a long history of creativity in the manner they lace Excel documents in phishing campaigns.
In this malware campaign, researchers observed certain aspects of the attack that led them to attribute it to TA505. This includes the infection chain and installer script. It also uses similar domain names to other TA505 attacks and an MD5 hash that matches one used in another of the group's assaults.