Russia-linked TA505 group leverages a lightweight Office file to spread malware in a campaign, tracked as MirrorBlast, aimed at financial institutions.
TA505 hacking group has been active since 2014 focusing on Retail and banking sectors. The group is also known for some evasive techniques they put in place over time to avoid the security controls and penetrate corporate perimeters with several kinds of malware, for instance abusing the so-called LOLBins (Living Off The Land Binaries), legit programs regularly used by victim, or also the abuse of valid cryptographically signed payloads.
Security experts from cyber-security firm Prevailion reported that TA505 has compromised more than 1,000 organizations.
In September, researchers from Morphisec observed a malspam campaign delivering weaponized Excel documents and targeting multiple sectors from several countries, including Canada, the United States, Hong Kong, and Europe.
The MirrorBlast campaign is similar to another activity in April 2021, the attack chain is compatible with tactics, techniques, and procedures commonly associated with the TA505 group.
The infection chain starts with an email attachment document, but researches also observed threat actors using the Google feedproxy URL with SharePoint and OneDrive lure, which poses as a file share request.
Upon clicking on the URLs shared with the recipients they will be directed to a compromised SharePointm a fake OneDrive site, or a sign-in requirement (SharePoint) in the attempt to evade sandboxes.
Experts noticed that the Excel document is weaponized with an extremely lightweight macro code.
The macro code employed in this campaign could be executed only on 32-bit versions of Office due to ActiveX compatibility issues, it is used to make anti-sandboxing checks.
“The macro code can be executed only on a 32-bit version of Office due to compatibility reasons with ActiveX objects (ActiveX control compatibility).” reads the analysis published by the experts. “The macro code performs anti sandboxing by checking if the following queries are true:
- Computer name is equal to the user domain.
- Username is equal to admin or administrator.
We have observed different variants of the document, in the first variants there wasn’t any anti-sandboxing and the macro code was hidden behind the Language and Code document information properties, later it moved to the sheet cells. Additionally, the code has been added one more obfuscation layer on top of the previous obfuscation.”
The attackers used at least two variants of the MSI installer, KiXtart and REBOL, which are both generated using the Windows Installer XML Toolset (WiX) version 188.8.131.528.
Upon executing the installers, they drop two files into a random directory in ProgramData, one is the legitimate software language interpreter executable (KiXtart or REBOL) and the other is a malicious script.
“TA505 is one of many financially motivated threat groups currently active in the marketplace. They are also one of the most creative, as they have a tendency to constantly shift the attacks they leverage to achieve their goals. This new attack chain for MirrorBlast is no exception for TA505 or for other innovative threat groups.” concludes the report. “The ability of the MirrorBlast attack to have very low detections in VirusTotal is also indicative of the focus most groups have on evading detection-centric solutions. Yet again, it is clear that the market’s reliance on detection and response leaves them open to more attacks than it resolves. A new way forward is needed.”