A Russian cybercrime group is using a modified Excel document for a ransomware campaign called MirrorBlast. MirrorBlast deploys a weaponized Excel document against several financial service organizations.
The most notable capability of MirrorBlast is the stealthy attribute that resulted in a low detection rate of the campaign’s malicious Excel documents.
The creators of these documents have tried to hide the malicious code and achieve zero detections against a cybersecurity firm. However, these modified Excel documents have a significant con that the threat actors are willing to accept. The con is that the macro code can only be activated on a 3-bit version of MS Office.
Suppose the target victim is deceived into opening the compromised document and enables the content in MS Office. In that case, the macro activates JavaScript, which immediately downloads and installs an MSI package. But before that, the macro executes an anti-sandboxing to check whether the PC name is identical to the user domain. The macro also double-checks if the name is like the administrator.
According to a group of researchers who analysed the samples of the MSI package, it is revealed that the package comes with two variants written in KiXtart and REBOL, respectively. The KiXtart variant is encrypted and attempts to pull out essential information to the C2 such as domain, username, process list, and domain. The REBOL variant, on the other hand, is a base64 encoded that starts by pulling out information like the OS version, architecture, and username. After that, it waits for a C2 instruction that initiates a PowerShell to begin the second stage.
According to researchers, they could not retrieve the second stage; therefore, its function is unknown as of today.
Who is behind in weaponizing Excel?
Researchers were able to link and identify the threat actors because of some similarities in past campaigns. The group appears to be the active Russian ransomware group called TA505. These threat actors are known for their creativity in developing new ways of conducting attacks.
The TA505 is widely known for its highly sophisticated and wide-range attacks that affected numerous companies throughout the past years.
As of today, the cybersecurity team in financial organizations targeted by this MirrorBlast ransomware campaign should not lower their guards right now.
