Key Points:
- Morphisec Labs tracked a new MirrorBlast campaign targeting financial services organizations
- MirrorBlast is delivered via a phishing email that contains malicious links which download a weaponized Excel document
- MirrorBlast has low detections on VirusTotal due to the extremely lightweight macro embedded in its Excel files, making it particularly dangerous for organizations that depend on detection-based security and sandboxing

Introduction
Financial organizations are historically among the most targeted by threat actors. There are many reasons for this, not least of which is the trove of customer data the financial sector holds, as well as the funds to pay large sums of money to regain access to encrypted data.
The Morphisec Labs team has tracked a new version of a campaign targeting financial organizations. Dubbed “MirrorBlast” by ET Labs, the current campaign began in early September; similar activity was also observed in April 2021.
The attack chain of the infection bears a similarity to the tactics, techniques, and procedures commonly used by the allegedly Russia-based threat group TA505. The similarities extend to the attack chain, the GetandGo functionality, the final payload, and similarities in