Hackers Weaponize Microsoft Excel Files To Scam Employees And Infiltrate Businesses

Employees in the financial sector are in the crosshairs of a group of malicious actors who weaponize Excel files to scam and infiltrate corporate networks.

Dubbed as MirrorBlast, the campaign was first uncovered by cybersecurity company ET Labs in September. Morphisec, another cybersecurity firm, recently analyzed the malware and revealed more interesting details about the campaign.

The cybersecurity firm warns the public, especially those in the financial sector, of the danger of the weaponized Excel file. Since it comes with extremely lightweight embedded macros, it can easily bypass malware detection systems.

While Microsoft Office software has macros disabled by default, malicious actors trick users into enabling them through some kind of social engineering. Also, hackers now use legacy XLM macros instead of the newer VBAs to get through anti-malware systems.

The malspam campaign, which delivers Excel documents as an attachment, targets various sectors in the U.S., Hongkong, Canada, Europe and other countries. "The attack chain starts with an email attachment document, but at a later stage, it changes to use the Google feed proxy URL with SharePoint and OneDrive lure, which poses as a file share request," Morphisec revealed in a blog post.

"These URLs lead to a compromised SharePoint or a fake OneDrive site that the attackers use to evade detection, in addition to a sign-in requirement (SharePoint) that helps to evade sandboxes. The macro code can be executed only on a 32-bit version of Office due to compatibility reasons with ActiveX objects (ActiveX control compatibility)," the cybersecurity firm further explained.

Hackers perform anti-sandboxing via the macro code by making sure a couple of queries are true. One query checks if the computer name is equal to the user domain and the user name is equal to admin or administrator.

The cybersecurity firm links the phishing scam to Russia-based threat group TA505 because of the resemblances of the tactics, procedures and techniques used in the campaign. "The similarities extend to the attack chain, the GetandGo functionality, the final payload, and similarities in the domain name pattern," the firm revealed in the blog.

The hacking group TA505 has been active since 2014 and, according to the report, "has a financial motivation for their actions." The group has earned its reputation for constantly changing the kind of malware it uses and for initiating worldwide trends in malware distribution.