Russian APT Hackers Attacking Financial Organizations With Weaponized Excel Document

The security company Morphisec has recently detected a malicious campaign named as MirrorBlast, and through this attack, the Russian hackers are targeting the financial organizations with weaponized Excel documents.

Here the hackers use the Microsoft Office macros to affect machines, and they have also used a very common method that is being used for over a year.

This malicious campaign was conducted by a Russian cybercrime group, and they are continuously targetting the financial sector with malware that is produced by a familiar infection mechanism.

This group is using similar techniques and methods used by the notorious Russian-based hacking group, TA505. And TA505 is active since at least 2014, while if we talk about their motive, they also target the financial organizations.

Macro with zero detections

If the victim gets tricked and simply opens up the malicious document and “enable content” in Microsoft Office, well in that case the macro implements a JScript script that generally downloads and then installs an MSI package.

Apart from this the macro also implements a basic anti-sandboxing check on whether the computer-style, as well as name, is equal to the user domain, and later it also checks that if the username is similar to ‘admin’ or ‘administrator’.

The Excel document is implanted with a lightweight macro code, and this macro code can be administered only on a 32-bit version of Office just because of its some compatibility reasons along with ActiveX objects that is the ActiveX control compatibility.

MSI Package

However, in this attack, there are two variants of the MSI installer and here they are mentioned below:- 

• KiXtart
• REBOL

Here, both variants are created utilizing the Windows Installer XML Toolset (WiX) version – 3.11.0.1528.

Once it’s been administered, soon they drop two files in the directory of ProgramData. Among the two variants, one is the legitimate software language interpreter executable (KiXtart or REBOL) and the other one is the malicious script.

TA505 and its attribution

Hackers who are behind the campaign resemble to be “TA505,” an active Russian threat group, not only this but these threat actors also have a long history of creativity in the way they perform their operations.

We have mentioned some of the TTPs that enables to safely connection the attack chain to TA505:-

• Infection chain comprises of Email -> XLS -> MSI (Rebol/KiXtart loader).
• The MSI element has many similarities to the Get2 loader from TA505.
• Using SharePoint/OneDrive camouflage theme.
• Using cdn*dl*fileshare, *onedrive* or *dropbox* as part of the domain name.
• One of the SharePoint lures themed emails lead to the following page:-

• Not only this, the MD5 in the details pane doesn’t meet the MD5 of the Excel document, as MD5 refers to a legitimate Putty SFTP client.
• The next-stage Rebol script guides to the FlawedGrace RAT that is linked with TA505, according to @ffforward.

Moreover, the attack has also used a Google feedproxy URL with a deceitful message requesting the user to obtain a SharePoint or Onedrive file.