Tuesday, March 19, 2024

Russian APT Hackers Attacking Financial Organizations With Weaponized Excel Document

The security company Morphisec has recently detected a malicious campaign named as MirrorBlast, and through this attack, the Russian hackers are targeting the financial organizations with weaponized Excel documents.

Here the hackers use the Microsoft Office macros to affect machines, and they have also used a very common method that is being used for over a year.

This malicious campaign was conducted by a Russian cybercrime group, and they are continuously targetting the financial sector with malware that is produced by a familiar infection mechanism.

This group is using similar techniques and methods used by the notorious Russian-based hacking group, TA505. And TA505 is active since at least 2014, while if we talk about their motive, they also target the financial organizations.

Macro with zero detections

If the victim gets tricked and simply opens up the malicious document and “enable content” in Microsoft Office, well in that case the macro implements a JScript script that generally downloads and then installs an MSI package.

Apart from this the macro also implements a basic anti-sandboxing check on whether the computer-style, as well as name, is equal to the user domain, and later it also checks that if the username is similar to ‘admin’ or ‘administrator’.

The Excel document is implanted with a lightweight macro code, and this macro code can be administered only on a 32-bit version of Office just because of its some compatibility reasons along with ActiveX objects that is the ActiveX control compatibility.

MSI Package

However, in this attack, there are two variants of the MSI installer and here they are mentioned below:- 

  • KiXtart
  • REBOL

Here, both variants are created utilizing the Windows Installer XML Toolset (WiX) version – 3.11.0.1528.

Once it’s been administered, soon they drop two files in the directory of ProgramData. Among the two variants, one is the legitimate software language interpreter executable (KiXtart or REBOL) and the other one is the malicious script.

TA505 and its attribution

Hackers who are behind the campaign resemble to be “TA505,” an active Russian threat group, not only this but these threat actors also have a long history of creativity in the way they perform their operations.

We have mentioned some of the TTPs that enables to safely connection the attack chain to TA505:-

  • Infection chain comprises of Email -> XLS -> MSI (Rebol/KiXtart loader). 
  • The MSI element has many similarities to the Get2 loader from TA505. 
  • Using SharePoint/OneDrive camouflage theme.
  • Using cdn*dl*fileshare, *onedrive* or *dropbox* as part of the domain name.
  • One of the SharePoint lures themed emails lead to the following page:-
  • Not only this, the MD5 in the details pane doesn’t meet the MD5 of the Excel document, as MD5 refers to a legitimate Putty SFTP client. 
  • The next-stage Rebol script guides to the FlawedGrace RAT that is linked with TA505, according to @ffforward.

Moreover, the attack has also used a Google feedproxy URL with a deceitful message requesting the user to obtain a SharePoint or Onedrive file.

Website

Latest articles

CryptoWire Ransomware Attacking Abuses Schedule Task To maintain Persistence

AhnLab security researchers detected a resurgence of CryptoWire, a ransomware strain originally prevalent in...

E-Root Admin Sentenced to 42 Months in Prison for Selling 350,000 Credentials

Tampa, FL – In a significant crackdown on cybercrime, Sandu Boris Diaconu, a 31-year-old...

WhiteSnake Stealer Checks for Mutex & VM Function Before Execution

A new variant of the WhiteSnake Stealer, a formidable malware that has been updated...

Researchers Hack AI Assistants Using ASCII Art

Large language models (LLMs) are vulnerable to attacks, leveraging their inability to recognize prompts...

Microsoft Deprecate 1024-bit RSA Encryption Keys in Windows

Microsoft has announced an important update for Windows users worldwide in a continuous effort...

Beware Of Free wedding Invite WhatsApp Scam That Steal Sensitive Data

The ongoing "free wedding invite" scam is one of several innovative campaigns aimed at...

Hackers Using Weaponized SVG Files in Cyber Attacks

Cybercriminals have repurposed Scalable Vector Graphics (SVG) files to deliver malware, a technique that...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles