The financial services sector in the U.S. found itself under a barrage of cyberattacks last month, all bent on delivering a powerful backdoor called Minebridge. The attack chain employed a known method called “VBA Stomping” to avoid detection.
According to researchers at FireEye, the campaigns, aimed at enabling further malware infections and espionage efforts, were initiated via phishing emails with attached documents containing malicious macros. The emails were coming from fake domains that were geared to add legitimacy to the messages, resulting in a convincing theme running throughout the proceedings.
For instance, the first campaign, initially spotted on Jan. 7, carried a tax theme (subject line: “Tax Return File,” with IRS-related text in the message). This was reinforced through the use of a CPA-themed domain used in the email addresses: rogerveCPS [dot]com. The attached document meanwhile mimicked an H&R Block-related tax form.
Another campaign, which started on Jan. 28, had a recruiting theme, with messages sent from various emails that all used the domain name agent4career[dot]com. The subject line and message body in this case referenced an “employment candidate with experience in the financial sector,” according to the FireEye research, released on Wednesday – and the attached document purported to be the person’s resume.
“One of the more notable characteristics of this activity was the consistency in themes used for domain registration, lure content, similarities in malicious document macro content and targeting,” according to the research.
VBA Stomping to Hide Malicious Macros
Across campaigns, the attached phishing documents used the “VBA Stomping” tactic to hide their malicious macros. The term refers to “the manipulation of Office documents where the source code of a macro is made to mismatch the pseudo-code (p-code) of the document,” according to FireEye.
P-code is the natural language translation of programming code – essentially, it describes in readable terms what the code is programmed to do.
This mismatching technique has a few benefits when it comes to evading detection. “Static analysis tools focusing on VBA macro source extraction may be fooled into a benign assessment of a document bearing malicious p-code,” according to FireEye’s analysis. And, “when VBA source is removed, and a document is opened in a version of Office for which the p-code was not compiled to execute, a macro will not execute correctly, resulting in potential failed dynamic analysis.”
However, some sophistication is required in order to use the tactic effectively, according to the firm: “An actor’s VBA stomped document containing benign VBA source but evil p-code must know the version of Office to build the p-code for, or their sample will not detonate properly. Additionally, if an actor sends a stomped document, and a user or researcher opens the macro in the Office editor, they will see malicious code.”
In this case, the attackers got around those restrictions by making viewing the macro source impossible within Office. They did this by modifying the PROJECT stream of the document. Within the stream, a module is referenced but not defined – a method that requires a knowledge of the target’s machine and which is suitable for higher-end, more targeted activity.
“[Now the] payloads have the additional burden of needing to fingerprint targets to enable successful execution,” according to FireEye’s report. “While actors with sufficient resources and creativity can no doubt account for these requirements, it is relevant to note that detections for these methodologies will likely yield more targeted activity.”
The Minebridge Payload
The ultimate goal of the document is to infect victims with the Minebridge backdoor. It’s a powerful piece of malware that gives attackers full control of the target environment. Its C2 commands include downloading and executing other malware, downloading arbitrary files, self-deletion and updating, process listing, shutting down and rebooting the system, executing arbitrary shell commands, process elevation, turning on/off TeamViewer’s microphone and gathering system information.
If the document is “detonated” and the malicious macros are executed, the code fetches a ZIP file containing legitimate files required to execute an older copy of Microsoft TeamViewer, which is then renamed to “wpvnetwks.exe.” This malicious TeamViewer instance then side-loads a DLL containing the Minebridge backdoor.
“Minebridge is a 32-bit C++ backdoor designed to be loaded by an older, unpatched instance of the legitimate remote desktop software TeamViewer by DLL load-order hijacking,” according to FireEye’s analysis. “The backdoor hooks Windows APIs to prevent the victim from seeing the TeamViewer application.”
Minebridge makes a connection to a hardcoded command-and-control (C2) server via HTTPS POST requests and by sending TeamViewer chat messages using a custom window procedure hook.
It also establishes persistence by creating a link file at %CISDL_STARTUP%\Windows WMI.lnk, which points to %AppData%\Windows Media Player\wpnetwks.exe, resulting in its launch at user logon.
Attribution Thoughts
Interestingly, Minebridge uses a packer called Minedoor that FireEye has previously seen used by another threat actor, indicating a potential connection – though this is far from a confident assessment.
“We’ve observed a group publicly tracked as TA505 conducting [recent] phishing campaigns that use Minedoor to deliver the FriendSpeak backdoor,” according to the firm.
However, none of the other aspects of the campaigns match up. The FriendSpeak efforts “use spoofed sender addresses, Excel spreadsheets with embedded payloads and campaign-specific domains that masquerade as common technology services,” researchers said. The campaigns delivering Minebridge also appear to be significantly smaller in both volume and scope.
Also, the campaigns delivering Minebridge continued even over Eastern Orthodox Christmas when Russian-speaking actors are commonly inactive; this was not the case for the FriendSpeak campaigns.
“[This] may suggest TA505 actors speak Russian” while the Minebridge actors do not, FireEye researchers concluded. Nonetheless, the firm hasn’t ruled out the possibility that the Minebridge attackers are a subset of TA505, it said.
Learn how Operational Technology and Information Technology systems are merging and changing security playbooks in this free Threatpost Webinar. Join us Wednesday, Feb. 19 at 2 p.m. ET when a panel of OT and IT security experts will discuss how this growing trend is shaping security approaches for IoT and 5G rollouts. This webinar is for security and DevOps engineers, IoT edge developers and security executives.