In September, a malspam campaign was observed delivering Excel documents as email attachments.
This campaign targets multiple sectors in Canada, the United States, Hong Kong, Europe, and elsewhere.
The attack chain starts with an email attachment, but at a later stage it switched to Google feedproxy URLs with a SharePoint or OneDrive lure posing as a file share request.
These URLs lead to a compromised SharePoint site or a fake OneDrive site that the attackers use to evade detection; the sign-in requirement on the SharePoint site also helps evade sandboxes.
The Excel document is weaponized with an extremely lightweight macro.
The macro can only execute on 32-bit versions of Office because of ActiveX object compatibility (ActiveX control compatibility).
The macro performs anti-sandboxing by checking whether the following conditions are true:
1. The computer name is equal to the user domain.
2. The username is equal to admin or administrator.
Different variants of the document were observed. The first variants had no anti-sandboxing, and the macro code was hidden in the document's Language and Code information properties; in later variants it moved to the sheet cells.
Additionally, one more obfuscation layer has been added on top of the previous obfuscation.
The command executes JScript through the AddCode method of the ScriptControl ActiveX object (ScriptControl Methods).
This method loads and evaluates the code, similarly to how Run or Evaluate executes a statement (the official documentation might be misleading on this point).
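The two behaviours described above, the environment-based anti-sandbox checks and the ScriptControl/AddCode execution path, are both visible in extracted macro source and can be flagged without running the document. The following is an added example, not code from the original post or from the campaign's macro: a small rule-based scanner for extracted VBA text, plus a helper that tells a sandbox operator whether their profile would trip the described checks. The sample macros, rule names, and weights are constructed for illustration; the regular expressions are assumptions about how such a macro would typically be written, not signatures taken from the campaign.

```python
import re

# Constructed sample of extracted VBA source modelled on the behaviour the
# post describes (not the campaign's own macro): bail out if COMPUTERNAME equals
# USERDOMAIN or the user is admin/administrator, then run JScript from a sheet
# cell via ScriptControl.AddCode.
SAMPLE_MACRO = r'''
Sub Auto_Open()
    If Environ("COMPUTERNAME") = Environ("USERDOMAIN") Then Exit Sub
    If LCase(Environ("USERNAME")) = "admin" Or LCase(Environ("USERNAME")) = "administrator" Then Exit Sub
    Dim sc As Object
    Set sc = CreateObject("ScriptControl")
    sc.Language = "JScript"
    sc.AddCode Sheets(1).Cells(1, 1).Value
End Sub
'''

# Constructed benign macro used as a negative control.
BENIGN_MACRO = r'''
Sub FormatReport()
    Range("A1:D10").Font.Bold = True
End Sub
'''

# Each rule: (name, compiled pattern, weight). Names and weights are
# illustrative assumptions, not an established scoring scheme.
RULES = [
    ("computername_vs_userdomain",
     re.compile(r'Environ\s*\(\s*"COMPUTERNAME"\s*\).{0,40}Environ\s*\(\s*"USERDOMAIN"\s*\)',
                re.I | re.S), 2),
    ("username_admin_check",
     re.compile(r'Environ\s*\(\s*"USERNAME"\s*\).{0,60}"admin(istrator)?"', re.I | re.S), 2),
    ("scriptcontrol_object",
     re.compile(r'CreateObject\s*\(\s*"(MSScriptControl\.)?ScriptControl', re.I), 3),
    ("addcode_method", re.compile(r'\.AddCode\b', re.I), 3),
    ("jscript_language", re.compile(r'\.Language\s*=\s*"JScript"', re.I), 1),
    ("code_from_cells", re.compile(r'\.Cells\s*\(.*\)\s*\.Value', re.I), 1),
]


def scan_macro(source):
    """Return matched rule names, a summed weight, and a verdict for one macro.

    The threshold of 5 is an assumption chosen so that the ScriptControl plus
    AddCode pair alone is enough to flag a sample for analyst review.
    """
    hits = [name for name, rx, _ in RULES if rx.search(source)]
    score = sum(weight for name, _, weight in RULES if name in hits)
    return {"hits": hits, "score": score, "suspicious": score >= 5}


def would_macro_bail(computername, userdomain, username):
    """True if the anti-sandbox checks from the post would stop the macro.

    Useful for checking a sandbox profile: on a Windows machine that is not
    domain-joined, USERDOMAIN is the computer name, which is what check 1
    keys on. Comparisons are case-insensitive here; that is a simplification
    of the VBA string comparison and labelled as an assumption.
    """
    if computername.upper() == userdomain.upper():
        return True
    return username.lower() in ("admin", "administrator")
```

Run `scan_macro` over the text produced by your usual macro extraction step; the negative-control macro scores 0 while the constructed sample trips every rule. `would_macro_bail` is meant for sandbox hygiene: a detonation VM that is a workgroup machine or logged in as "admin" will never see the JScript stage of a macro built this way, so the profile should use a domain-style USERDOMAIN and an ordinary username.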