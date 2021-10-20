Hackers use Microsoft Excel files as a weapon to defraud employees and infiltrate companies.

Financial-sector employees are being targeted by a threat group that uses weaponized Excel files to phish staff and gain a foothold in corporate networks.

The campaign, dubbed MirrorBlast, was first spotted in September by ET Labs. Morphisec has since analysed the malware and published further details of the attack chain.

Morphisec is warning organisations, particularly in the financial sector, about the weaponized Excel document: its embedded macro is extremely lightweight, which lets it slip past many malware detection systems.

Macros are disabled by default in Microsoft Office, so the attackers rely on social engineering to persuade the recipient to enable them. To evade anti-malware tooling, the campaign uses legacy Excel 4.0 (XLM) macros rather than the newer VBA macros that detection engines cover far better.
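A quick triage step that follows from this is to check which kind of macro an attachment actually carries, since many pipelines only look for VBA. The following is an added example, not code from ET Labs or Morphisec, that inspects the zip container of an Office Open XML workbook (.xlsm/.xlsx/.xlsb): VBA lives in xl/vbaProject.bin, while Excel 4.0 macro sheets are stored under xl/macrosheets/ and are often marked hidden or veryHidden in xl/workbook.xml. The article does not say which file format MirrorBlast used; legacy BIFF .xls files are an OLE2 format and are out of scope for this example, and the sample workbooks it builds are constructed test data, not real samples.

```python
"""Classify the macro content of an Office Open XML workbook.

Added example (not code from Morphisec's or ET Labs' write-ups). It checks
the zip container for VBA (xl/vbaProject.bin) and for legacy Excel 4.0
"XLM" macro sheets (xl/macrosheets/*.xml), and counts sheets flagged
hidden/veryHidden in xl/workbook.xml. Assumes the OOXML container layout;
legacy BIFF .xls files are a different (OLE2) format and are not handled.
"""
import io
import re
import zipfile

XLM_SHEET = re.compile(r"^xl/macrosheets/[^/]+\.xml$")
VBA_PROJECT = "xl/vbaProject.bin"
# Macro sheets are frequently hidden so the victim only sees the lure sheet.
SHEET_STATE = re.compile(r'<sheet\b[^>]*\bstate="(hidden|veryHidden)"')


def classify_workbook(data: bytes) -> dict:
    """Return which macro kinds an OOXML workbook contains."""
    result = {"vba": False, "xlm": False, "xlm_sheets": [], "hidden_sheets": 0}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {**result, "error": "not an OOXML container"}
    names = zf.namelist()
    result["vba"] = VBA_PROJECT in names
    result["xlm_sheets"] = sorted(n for n in names if XLM_SHEET.match(n))
    result["xlm"] = bool(result["xlm_sheets"])
    if "xl/workbook.xml" in names:
        wb = zf.read("xl/workbook.xml").decode("utf-8", "replace")
        result["hidden_sheets"] = len(SHEET_STATE.findall(wb))
    return result


def verdict(info: dict) -> str:
    """Collapse the classification into a single triage label."""
    if info.get("error"):
        return "unknown"
    if info["xlm"]:
        return "xlm-macro"
    if info["vba"]:
        return "vba-macro"
    return "no-macro"


def build_sample(xlm: bool = False, vba: bool = False, hidden: bool = False) -> bytes:
    """Construct a minimal workbook container (constructed test data, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        state = ' state="veryHidden"' if hidden else ""
        sheets = '<sheet name="Sheet1" sheetId="1" r:id="rId1"/>'
        if xlm:
            sheets += f'<sheet name="Macro1" sheetId="2"{state} r:id="rId2"/>'
        zf.writestr("xl/workbook.xml", f"<workbook><sheets>{sheets}</sheets></workbook>")
        zf.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        if xlm:
            zf.writestr("xl/macrosheets/sheet1.xml", "<macrosheet/>")
        if vba:
            zf.writestr(VBA_PROJECT, b"\xd0\xcf\x11\xe0")  # OLE2 magic, placeholder body
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in [("benign", build_sample()),
                        ("xlm-hidden", build_sample(xlm=True, hidden=True)),
                        ("vba", build_sample(vba=True))]:
        info = classify_workbook(blob)
        print(label, verdict(info), info)
```

The point of the `hidden_sheets` count is that a workbook with a macro sheet in veryHidden state is almost never a legitimate business document; combined with an `xlm-macro` verdict it is a strong reason to detonate or quarantine the attachment rather than rely on a VBA-only scanner.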

The malspam campaign, which delivers the Excel documents as email attachments, targets a wide range of industries in the United States, Hong Kong, Canada, Europe, and elsewhere. “The attack chain begins with an email attachment document, but it later switches to a Google feed proxy URL with SharePoint and OneDrive bait, posing as a file share request,” Morphisec explained in a blog post.

“These URLs link to a compromised SharePoint or a phony OneDrive site that the attackers employ to avoid detection, as well as a SharePoint sign-in requirement that lets them avoid sandboxes. Because of compatibility issues with ActiveX objects (ActiveX control compatibility), the macro code can only be run on a 32-bit version of Office,” the firm added.

The macro code also performs its own anti-sandboxing by running a few environment checks before it proceeds. One check tests whether the computer name matches the user domain, and whether the user name is admin or administrator; either condition points to a stand-alone analysis machine rather than a domain-joined corporate workstation, and the macro uses the result to decide whether to continue.
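The practical consequence for anyone running a sandbox is that an analysis VM named the same as its workgroup, or logged in as "Administrator", will never see the payload stage. The following added example, which is not code from the campaign or from Morphisec's write-up, replays the two conditions the article names as a pure function so an operator can test an environment, and then evaluates the host it runs on. Reading the live values from the COMPUTERNAME, USERDOMAIN and USERNAME environment variables is an assumption about how to obtain them on Windows; the decision logic is the part that matters.

```python
"""Replay MirrorBlast's environment checks against an analysis VM.

Added example, not code from the campaign or from Morphisec's write-up.
Implements the two conditions the article describes (computer name equal to
the user domain; user name admin/administrator) and reports which of them a
given environment would trip. Environment-variable names are an assumption
about Windows hosts.
"""
import os

ADMIN_NAMES = {"admin", "administrator"}


def sandbox_indicators(computer_name: str, user_domain: str, user_name: str) -> list:
    """Return the checks that would flag this host as an analysis box."""
    hits = []
    # A workgroup (non-domain-joined) machine reports its own name as the
    # user domain, which is typical of a throwaway analysis VM.
    if computer_name.strip().lower() == user_domain.strip().lower():
        hits.append("computer name equals user domain")
    # Generic built-in admin accounts are rarely the logged-in user on a
    # real employee workstation.
    if user_name.strip().lower() in ADMIN_NAMES:
        hits.append("user name is a generic admin account")
    return hits


def macro_would_abort(computer_name: str, user_domain: str, user_name: str) -> bool:
    """True when the macro's anti-sandbox logic would stop before the payload stage."""
    return bool(sandbox_indicators(computer_name, user_domain, user_name))


def check_current_host() -> list:
    """Evaluate the machine this script runs on (Windows variable names assumed)."""
    return sandbox_indicators(
        os.environ.get("COMPUTERNAME", ""),
        os.environ.get("USERDOMAIN", ""),
        os.environ.get("USERNAME", ""),
    )


if __name__ == "__main__":
    hits = check_current_host()
    print("macro would abort" if hits else "macro would proceed", hits)
```

If the script reports that the macro would abort, join the VM to a lab domain (or at least give it a domain name distinct from the host name) and detonate under an ordinary named user account; a sample that still exits early is then using a check the article does not list.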

Based on overlaps in tactics, techniques, and procedures, Morphisec attributed the campaign to the Russia-based threat group TA505. According to the firm's blog, the parallels extend to the attack chain, the GetandGo functionality, the final payload, and the domain-name pattern.

According to the report, TA505 has been active since 2014 and “has a financial purpose for their acts.” The group is known for constantly changing the malware it deploys and for setting trends in global malware distribution.