MirrorBlast campaign targets financial sector using macros

Cybercrime, Cybercrime as a Service, Cyberwar/Attacks on Nation States

TA505 APT group sends phishing emails with malicious links

Prajeet Nair (@prajeetspeaks) •
October 16, 2021

Researchers from Morphisec Labs have released details of a new MirrorBlast campaign which they attribute to the Russia-based threat group TA505 and which targets financial services organisations.


The campaign spreads MirrorBlast via phishing emails containing malicious links that download a weaponized Excel document with embedded macros. The document has very low detection rates on VirusTotal, which makes it dangerous for organizations whose security relies on detection and sandboxing, according to Morphisec Labs.

Researchers from ET Laboratories dubbed the campaign MirrorBlast and began tracking it in early September; they say similar activity was also observed in April 2021.

The campaign targets organisations in several regions, including Canada, the United States, Hong Kong and Europe.

Attack analysis

The attack chain begins with a malicious attachment that redirects to a Google feed proxy URL carrying a SharePoint or OneDrive decoy posing as a file-sharing request.

“These URLs lead to a compromised SharePoint or fake OneDrive site that attackers use to evade detection, in addition to a (SharePoint) login requirement that helps evade sandboxes,” the researchers note.

These compromised SharePoint and fake OneDrive sites serve a weaponized Excel document with extremely lightweight macro code that can only run on a 32-bit version of Office, because of compatibility issues with the ActiveX objects it uses.

“The macro code performs anti-sandboxing by checking whether these queries are true: computer name equals user’s domain; and username equals admin or administrator,” the researchers note. “We observed different variations of the document; in the first variations there was no anti-sandboxing and the macro code was hidden behind the document information properties Language and Code. In later variations it had been moved to the cells on the sheet. Additionally, the code added another layer of obfuscation on top of the previous obfuscation.”

Upon execution, the macro runs a command that executes JScript, which in turn spawns the msiexec.exe process responsible for downloading and installing an MSI package. The researchers observed two variants of the MSI installer – KiXtart and REBOL – both generated with the Windows Installer XML Toolset (WiX).

“Once executed, they drop two files into a random directory in ProgramData. One of them is the legitimate software language interpreter executable (KiXtart or REBOL) and the other is the malicious script,” the researchers note.

Data exchange

The Rebol variant uses Rebol, a cross-platform data exchange language and multi-paradigm dynamic programming language; its first-stage Rebol script is base64 encoded, according to the researchers. The script then sends a base64-encoded GET request that carries the user’s domain, username, OS version, architecture, and a script build number.

The command-and-control server returns a universally unique identifier associated with the victim machine, and the script awaits further commands. Upon receiving a response, it runs a PowerShell command that downloads an archive file and extracts its contents to a folder named archive, from which the next step of the Rebol script is executed.

“We also observed a newer version of the Rebol script (build=1.0.2) which omits the Powershell runtime part. Instead, it implements the same logic with the Rebol language code; this is done to reduce script noise and size (no PowerShell processes running as part of the attack chain). At the time of writing, we could not retrieve the Rebol script from the next step (payload.rb),” the researchers say.

The KiXtart variant uses KiXtart, a free-format scripting language with rich built-in functionality. It sends the victim’s machine information (domain, computer name, username, process list) to the C2, and the C2 responds with the next step, as in the Rebol variant.
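The beacon described above (a base64-encoded GET carrying domain, user name, OS version, architecture and build number, sent to hosts with a fileshare/OneDrive/Dropbox-themed name) is something a defender can look for in proxy logs. The following detector is an added example, not Morphisec’s or the campaign’s own code; the query parameter name, the key/value field layout inside the base64 blob and the sample log lines are all constructed assumptions.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit, unquote

# Field names the beacon is assumed to carry (the report lists domain, user
# name, OS version, architecture and script build number; names are assumed).
BEACON_KEYS = {"domain", "user", "os", "arch", "build"}
# Host-name themes the researchers associated with the campaign's decoy domains.
LURE_HOST_RE = re.compile(r"cdn.*dl.*fileshare|onedrive|dropbox", re.I)
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def decode_beacon(value):
    """Return the k=v fields if `value` is base64 text of a host profile, else None."""
    if not B64_RE.match(value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    fields = dict(p.split("=", 1) for p in text.split("&") if "=" in p)
    # Require several profile keys so ordinary base64 tokens are not flagged.
    return fields if len(BEACON_KEYS & set(fields)) >= 3 else None


def scan_proxy_log(lines):
    """Flag GET requests whose query string carries a base64 host-profile beacon."""
    hits = []
    for line in lines:
        parts = line.split()            # timestamp src method url
        if len(parts) < 4 or parts[2] != "GET":
            continue
        url = urlsplit(parts[3])
        for pair in url.query.split("&"):   # manual split keeps '+' and '/' intact
            _, _, raw = pair.partition("=")
            fields = decode_beacon(unquote(raw))
            if fields:
                hits.append({"src": parts[1], "host": url.hostname, "fields": fields,
                             "lure_host": bool(LURE_HOST_RE.search(url.hostname or ""))})
    return hits


# Constructed sample lines (timestamp src method url); not real campaign traffic.
_beacon = base64.b64encode(b"domain=CORP&user=jsmith&os=10.0.19042&arch=x64&build=1.0.2").decode()
SAMPLE_LOGS = [
    "2021-10-05T09:12:01Z 10.1.2.3 GET http://cdn-dl-fileshare.example/r?q=" + _beacon,
    "2021-10-05T09:12:05Z 10.1.2.4 GET http://intranet.example/search?q=invoice",
    "2021-10-05T09:12:09Z 10.1.2.5 GET http://files.example/dl?id=aGVsbG8gd29ybGQgaGVsbG8=",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOGS):
        print(hit)
```

Only the first constructed line is reported: its blob decodes to a key/value host profile and its host matches the decoy naming theme, while the plain search term and the unrelated base64 token are ignored.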

Attribution to TA505

The researchers attribute the new MirrorBlast campaign to TA505, a Russia-based advanced persistent threat group, based on similarities in the attack chain and in tactics, techniques and procedures.

“The similarities extend to the attack chain, GetandGo functionality, final payload, and similarities in the domain name pattern,” the researchers explain. “Using the decoy SharePoint/OneDrive theme and using cdn *dl*fileshare, *onedrive*, or *dropbox* as part of the domain name are among other similarities.”

TA505, also called Hive0065 by IBM X-Force, is a financially motivated cybercrime group that has been active since at least 2014 and is believed to be operating out of Russia (see: Corporate Networks Targeted by TA505 Group with RAT: Report).

“TA505 is one of many financially motivated threat groups currently active in the market. They are also one of the most creative, as they tend to constantly modify the attacks they exploit to achieve their goals. This new attack chain for MirrorBlast is no exception for TA505 or other innovative threat groups,” the researchers note.

In March 2020, the security company Proofpoint reported that TA505 was using COVID-19 as a lure to target the US healthcare, manufacturing and pharmaceutical industries, spreading malware and ransomware.

“In fact, the change in the chain of attack is yet another indication that organizations cannot afford to take a defensive, reactive approach to their security. They must remain constantly vigilant, iterate on security procedures to ensure they are not caught off guard when new TTPs are deployed to break through their defences,” the researchers warn.

Other incidents related to TA505

Also in March 2020, the cyber-intelligence firm Prevailion found that TA505 was using trojanized CVs to target German companies, compromising their networks and committing business email compromise fraud (see: BEC campaign targets HR departments: report).

The cybercriminal gang has also been involved in large-scale spam campaigns and the distribution of Trojans such as Dridex and The Trick as well as Locky and Jaff ransomware, according to researchers (see: TA505 APT Group Returns with New Techniques: Report).

In December 2019, two members of the TA505 gang, also known as Evil Corp, were charged with computer crimes and fraud by law enforcement officials in the United States and the United Kingdom. Both men are thought to live in Russia (see: Two Russians charged with stealing more than $100 million using Dridex malware).
