[MART] - Daily Diary #370 - MirrorBlast Phishing Campaign Deploys Undetected MalDocs

CTAS-MAT ctas-mat at appgate.com
Fri Oct 15 22:19:29 UTC 2021


Hello,

I hope everyone is doing well!

Below is the entry for today.

10/15/2021 - Diary entry #370:

In our Daily Diary #334, we covered Microsoft Office documents used as an infection vector and the risks of companies using older versions of Microsoft Office. Besides that, threat actors are always innovating by changing their malicious macro scripts to be undetectable by anti-malware engines. That's the case with a new phishing campaign named MirrorBlast, which is delivering malicious Excel documents that are difficult to detect.

Once the document is opened by a victim and as soon as they allow macro execution, the malicious code downloads an MSI package that can download one of two variants of other malicious payloads. Next, it just waits for a command sent by its Command & Control. Then, it initiates a PowerShell instance which will deploy a next-stage payload that is still unknown.

The developers behind MirrorBlast are putting extra effort into obfuscating their malicious code to infect financial companies. The group behind this campaign is believed to be TA505, a Russian threat actor known for being creative regarding their infection vectors during attacks.

Kind Regards,

Felipe Tarijon de Almeida
Malware Analyst
Appgate

E: felipe.tarijon at appgate.com
O: +55 11 97467 9549
