A new campaign, dubbed MirrorBlast, is targeting financial services organizations using phishing emails. Believed to have connections with TA505, the recent campaign started in early September.

The MirrorBlast campaign

Mosphisec Labs discovered that the recent campaign has similar tactics, techniques, and procedures often used by the TA505 threat group, which has been active since 2014 and is believed to be based in Russia.
  • Hackers behind the campaign are targeting different countries including Canada, the U.S., Europe, Hong Kong, and others.
  • The campaign is using a phishing email to spread a weaponized Excel document with an extremely lightweight macro code.
  • The attack chain begins with an email attachment, but later pushes users to a Google feedproxy URL with SharePoint and OneDrive related lure.

The MirrorBlast campaign has low detection on VirusTotal, mostly because of the lightweight macro. It poses risk for organizations that depend on detection-based security and sandboxing.

Technical analysis of the campaign

  • When the victims open the document and enable content in Office, before the execution of macros, several anti-sandboxing checks are performed. 
  • When found suitable to execute the malware, a JavaScript downloads and installs an MSI package on the infected machine.
  • The dropped MSI package comes in two different versions, one is written in REBOL while another one is in KiXtart. 
  • The REBOL variant is base64 encoded that infiltrates info such as OS version, architecture, and username.
  • The KiXtart variant is encrypted and tries to exfiltrate basic machine information to the C2. This includes the computer name, domain, process list, and user name.


TA505 is known for specifically targeting financial organizations and is believed to be behind the MirrorBlast campaign. It is important for organizations to protect themselves with adequate security layers, such as anti-phishing solutions and making use of threat actor TTPs to detect and stop the attacks.

Cyware Publisher