Security researchers are warning us about one of the most creative cybercrime groups on the internet who are putting out a sneaky new phishing campaign.

We all know that all types of phishing emails are becoming an everyday occurrence.

Known as MirrorBlast, this new phishing campaign targets employees in financial services using links that download, what is described as a ‘weaponized’ Excel document.

It was discovered by security firm ET Labs in early September. But it’s the security firm Morphisec that have done the analysis of the malware. They note that the malicious Excel files could bypass malware-detection systems because it contains “extremely lightweight” embedded macros. In other words, it’s extremely dangerous for those businesses that rely on detection-based security and sandboxing.

A popular tool for cyberattacks are Macros those scripts for automating tasks. However, by default Macros are disabled in Excel. So, to bypass this issue, the attacker’s user social engineering to dupe their victims into turning Macros on.

Meanwhile, Macros have been used by state-sponsored hackers even though they are quite a basic technique and that’s because they frequently work. To combat this issue and the new trend by attackers to use legacy Excel 4.0 XLM macros (instead of newer VBA macros) to bypass anti-malware systems, Microsoft responded by expanded its Antimalware Scan Interface (AMSI) for antivirus to address the surge in macro malware.

It resembles the techniques of the financially motivated, well-established, Russia-based cybercriminal group that’s tracked by researchers as TA505, according to Morphisec. These guys are known for the wide variety of tools they use, since the start of their operation in 2014.

Morphisec researcher Arnold Osipov notes in a blogpost, “TA505 is most known for frequently changing the malware they use as well as driving global trends in malware distribution.”

A MirrorBlast attack begins with an email that has an attachment. Secondly, it uses a Google feedproxy URL with a SharePoint and OneDrive lure that poses as a file share request. By Clicking the URL, it leads to a compromised SharePoint site or fake OneDrive site. Either way, it leads to an Excel document, that is weaponised.

The attackers are exploiting the theme of COVID information as in other instances of late, relating to changes and work arrangements within the company, it seems as MirrorBlast look over a sample email.

It can only be executed on a 32-bit version of Office due to compatibility reasons with ActiveX objects, notes Morphisec. As they go on to say, that the macro itself executes a JavaScript script designed to bypass sandboxing by checking if the computer is run in administrator mode. Lastly, it launches the msiexec.exe process, which downloads and installs an MSI package.

In addition, two variants of the MIS installer were discovered by Morphisec that use legitimate scripting tools KiXtart and REBOL.

Firstly, from the victim’s machine to the attacker’s command and control server, the KiXtart script is sent, information like the computer name, username, domain, and process list.

Secondly, it responds with a number instructing whether to proceed with the Rebol variant.

The Rebol script leads to a remote access tool called FlawedGrace, according to Morphisec, which the TA505 group has used in the past.

Osipov warns that the group “is one of many financially motivated threat groups currently active in the marketplace. But also, that their one of the most creative. Why because they have a propensity to achieve their monetary goals by constantly shifting the attacks they leverage.

In other words, changing the malware they use as well as driving global trends in malware distribution as said earlier.

Attackers are always coming up with new and innovative ways to get away with taking our hard-earned money. Let’s stay one step ahead and keep up to date with these new sneaky campaigns so it’s less likely we’ll fall victim.

How can we make your business better with IT?