The security company Morphisec has recently detected a malicious campaign named as MirrorBlast, and through this attack, the Russian hackers are targeting the financial organizations with weaponized Excel documents.
Here the hackers use the Microsoft Office macros to affect machines, and they have also used a very common method that is being used for over a year.
This malicious campaign was conducted by a Russian cybercrime group, and they are continuously targetting the financial sector with malware that is produced by a familiar infection mechanism.
This group is using similar techniques and methods used by the notorious Russian-based hacking group, TA505. And TA505 is active since at least 2014, while if we talk about their motive, they also target the financial organizations.
If the victim gets tricked and simply opens up the malicious document and “enable content” in Microsoft Office, well in that case the macro implements a JScript script that generally downloads and then installs an MSI package.
Apart from this the macro also implements a basic anti-sandboxing check on whether the computer-style, as well as name, is equal to the user domain, and later it also checks that if the username is similar to ‘admin’ or ‘administrator’.
The Excel document is implanted with a lightweight macro code, and this macro code can be administered only on a 32-bit version of Office just because of its some compatibility reasons along with ActiveX objects that is the ActiveX control compatibility.
However, in this attack, there are two variants of the MSI installer and here they are mentioned below:-
Here, both variants are created utilizing the Windows Installer XML Toolset (WiX) version – 3.11.0.1528.
Once it’s been administered, soon they drop two files in the directory of ProgramData. Among the two variants, one is the legitimate software language interpreter executable (KiXtart or REBOL) and the other one is the malicious script.
Hackers who are behind the campaign resemble to be “TA505,” an active Russian threat group, not only this but these threat actors also have a long history of creativity in the way they perform their operations.
We have mentioned some of the TTPs that enables to safely connection the attack chain to TA505:-
Moreover, the attack has also used a Google feedproxy URL with a deceitful message requesting the user to obtain a SharePoint or Onedrive file.
Vincent Cannady, a professional who used to work as a consultant in the cybersecurity field, has been taken into custody…
Infected websites mimic legitimate human verification prompts (CAPTCHAs) to trick users, who often request seemingly innocuous clicks, resembling past CAPTCHA…
An emerging threat leverages Microsoft's Graph API to facilitate command-and-control (C&C) communications through Microsoft cloud services. Recently, security analysts at…
Apache ActiveMQ is a Java based communication management tool for communicating with multiple components in a server. It is an…
In the latest edition of Verizon's Data Breach Investigations Report (DBIR) for 2024, a concerning trend has been highlighted, a…
The United States government has issued a stark warning about a new wave of social engineering attacks orchestrated by North…