There is a massive phishing campaign dubbed MirrorBlast which targets financial services organizations. MirrorBlast contains malicious links which download a weaponized Excel document, and due to the extreme lightweight of the macro embedded in its Excel files, it is particularly difficult to detect by security and sandboxing technologies.
The current phishing campaign as tracked by the Morphisec Labs team began in early September, with the attack chain of the infection bearing a similarity to the tactics, techniques, and procedures commonly used by the Russia-based threat group TA505.
How MirrorBlast Spreads through Mass Email Campaigns?
The MirrorBlast attack chain starts with an email attachment document that poses as a file share request, which at a later stage, changes to the use of Google feedproxy URL with SharePoint and OneDrive lure.
The Google feedproxy URLs lead to a compromised SharePoint or fake OneDrive website that the attackers use to evade detection, in addition to a SharePoint sign-in requirement that helps to evade sandboxes. And there are different variants of the document, for the first variants, the macro code was hidden behind the Language and Code document information properties, which later is moved to the sheet cells.
Additionally, there wasn’t any anti-sandboxing and the code added one more obfuscation layer on top of the previous obfuscation.
The success of campaign, however, hinges on the enabling of macros by users after opening the malicious attachments, which an obfuscated MSI file is downloaded to install the next-stage loaders before delivery of the updated version of the Trojan that incorporates obfuscated API calls.
How to Mitigate against MirrorBlast Phishing Campaign?
The MirrorBlast attack have very low detections in VirusTotal, which is indicative of the advancement most threat groups have reached in evading detection-centric solutions.
Organizations should therefore take a defensive, reactive approach to their security and most importantly, remain constantly vigilant, iterating on security procedures to ensure they are not caught off-guard when new TTPs are deployed to breach their defenses.
No comments