Attacks targeting security researchers appear to be growing in popularity among cybercriminals. One threat group believed to have started conducting such attacks is TA505. Evidence indicates that TA505 has been active since at least 2014. The group is known for leveraging the MINEBRIDGE RAT in its operations.
The latest campaign employs a multi-stage attack chain that ultimately deploys the MINEBRIDGE RAT onto the targeted computer system. The hackers lure their victims with fake job resumes (CVs) in the form of macro-based Word documents. When executed, the malicious file displays a confirmation message - 'File successfully converted from PDF,' and shows a job resume that has supposedly been sent by a threat intelligence analyst. This is just a decoy, however, designed to draw the attention of the victim away from the underlying macro code that constructs a command line in the background capable of fetching encoded content from a specified IP address. The downloaded self-extracting (SFX) archive will be dropped in the user's %appdata% folder.
A Complex Multi-Stage Attack Delivers MINEBRIDGE RAT
The SFX file represents the first stage of the MINEBRIDGE RAT attack chain. It is executed through certutil.exe and results in legitimate TeamViewer binaries, several DLL files, and additional document files being dropped onto the compromised system. One of the delivered binaries named 'defrender.exe' is responsible for initiating the next stage of the attack. It must be noted that the binary is designed to appear as a legitimate Windows Defender binary.
Stage 2 of the attack includes the execution of the TeamViewer application, which is then made to perform DLL side-loading. It loads the supplied msi.dll file, which in turn unpacks shellcode and executes it. The shellcode is tasked with delivering the UPX-packed binary of the final payload - MINEBRIDGE RAT.
When fully deployed, the threat allows the attackers to perform a wide range of malicious activities. They can spy on the compromised users as well as deploy additional malware payloads. MINEBRIDGE RAT creates three separate threads, each tasked with a different responsibility:
Establishing C&C communication and deploying the persistence mechanism
Checking the system idle status by monitoring the timing of the last input
Avoiding accidental notification pop-ups by killing the ShowNotificationDialog process
The persistence mechanism of the threat is achieved through an LNK file named 'Windows Logon.lnk' that is dropped into the startup directory of the system.
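Detection logic for the chain described above, as an added example that is not part of the original report: it evaluates constructed Sysmon-style records (process create, image load, file create) for the stages named in the text. The per-user Startup folder path is the standard Windows location, and the msi.dll rule is generalised to any load of that DLL from outside the system directories, which covers the TeamViewer case here.

```python
import ntpath

# Constructed, simplified Sysmon-style records (event 1 = process create,
# 7 = image load, 11 = file create); not taken from the original report.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\certutil.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"id": 1, "image": r"C:\Users\alice\AppData\Roaming\defrender.exe",
     "parent": r"C:\Windows\System32\certutil.exe"},
    {"id": 7, "image": r"C:\Users\alice\AppData\Roaming\TeamViewer.exe",
     "loaded": r"C:\Users\alice\AppData\Roaming\msi.dll"},
    {"id": 11, "image": r"C:\Users\alice\AppData\Roaming\TeamViewer.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
               r"\Start Menu\Programs\Startup\Windows Logon.lnk"},
    # Benign control: the system copy of msi.dll loaded from System32.
    {"id": 7, "image": r"C:\Windows\System32\msiexec.exe",
     "loaded": r"C:\Windows\System32\msi.dll"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def base(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def in_appdata(path):
    return "\\appdata\\" in path.lower()


def detect(events):
    """Return the names of the MINEBRIDGE chain stages observed in events."""
    hits = []
    for e in events:
        img = base(e["image"])
        if e["id"] == 1 and img == "certutil.exe" \
                and base(e.get("parent", "")) in OFFICE_APPS:
            hits.append("office-spawns-certutil")      # macro -> certutil
        elif e["id"] == 1 and img == "defrender.exe" and in_appdata(e["image"]):
            hits.append("fake-defender-in-appdata")    # stage-1 dropper
        elif e["id"] == 7 and base(e["loaded"]) == "msi.dll" \
                and not e["loaded"].lower().startswith(SYSTEM_DIRS):
            hits.append("msi.dll-sideload")            # stage-2 side-load
        elif e["id"] == 11 and base(e["target"]) == "windows logon.lnk" \
                and "\\startup\\" in e["target"].lower():
            hits.append("startup-lnk-persistence")     # persistence LNK
    return hits
```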