Hackers are weaponizing Excel documents to infiltrate corporate networks

New phishing campaign uses legacy XLM macros to target employees in financial services

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Employees at financial organizations are being targeted using weaponizedExceldocuments as part of a new phishing campaign aimed at infiltrating corporate networks.

While the campaign, which has been dubbed MirrorBlast, was first detected in September by the cybersecurity firm ET Labs, another cybersecurity firm called Morphisec has now analyzed themalwareused in the campaign and reported its findings in a newblog post.

Morphisec warns that the malicious Excel files used in the campaign are particularly dangerous due to the fact that they can bypassmalware detection systemsas they contain “extremely lightweight” embedded macros.

Although macros are disabled by default inMicrosoft’soffice software, cybercriminals often trick users into enabling them by using clever social engineering. At the same time, attackers have switched from using newer VBA macros to legacyXLM macrosin order to bypass anti-malware systems.

MirrorBlast

After analyzing the malware used in MirrorBlast, Morphisec believes that the Russia-based cybercriminal groupTA505is behind this new campaign.

This is due to similarities in the attack chain, the GetandGo functionality used by malware, the final payload and the domain name pattern. TA505 has been active since at least 2014 and the group is known for frequently changing its malware to avoid detection.

Although MirrorBlast attacks start with a document attached to an email, the campaign later employs aGooglefeedproxy URL with aSharePointandOneDrivelure. When a user clicks on this link, they are taken to either a compromised SharePoint site or a fake OneDrive site to download the attacker’s weaponized Excel document.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Thankfully though, the macro code used by MirrorBlast can only be executed on the 32-bit version ofOfficedue to a lack of compatibility with ActiveX objects. From here, the macro executes JavaScript code to see if a computer is running in administrator mode before launching msiexec.exe which is used to download and install anMSIpackage.

This MSI installer leverages two legitimate scripting tools called KiXtart and REBOL. The KiXtart script is employed first to send system information from a victim’s machine to the attacker’s command and control server while the REBOL script leads to a remote access tool calledFlawedGracewhich TA505 has used in past attacks.

ViaZDNet

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.

Phishing attacks surge in 2024 as cybercriminals adopt AI tools and multi-channel tactics

This new phishing strategy utilizes GitHub comments to distribute malware

Smeg Combi Steam Oven review: a multi-functional countertop oven that looks stunning and cooks well