In its coverage of the situation, ZDNet said the MirrorBlast attack begins with a seemingly innocent document attached to an email. Once that attachment is clicked, it sends out a file share request that pulls down and opens the dangerous Excel document on the user’s computer.
ZDNet reviewed the MirrorBlast email in question and said the attackers “are exploiting the theme of company-issued information about COVID-related changes to working arrangements.” After the email recipient clicks on the file, it hoodwinks the victim into allowing macros to run. That, in turn, allows the malware to do further damage.
“Macros, scripts for automating tasks, have become a popular tool for cyberattackers,” said ZDNet’s Liam Tung. “While macros are disabled in Excel by default, attackers use social engineering to trick potential victims into enabling macros.”
Security researchers say attack may be linked to Russia
Arnold Osipov, a researcher at security firm Morphisec, says financial organizations are a favorite target for hackers because of the “trove of customer data the financial sector holds, as well as the funds to pay large sums of money to regain access to encrypted data.”
In Morphisec’s estimation, the attack could be coming from Russia and a cybercrime organization known to researchers as “TA505.” Osipov notes that the organization “is most known for frequently changing the malware they use as well as driving global trends in malware distribution.”
Making matters worse, Morphisec researchers said their analysis of the malware showed that the malicious Excel files have the ability to bypass malware-detection systems. The firm said it will continue to track this campaign and will provide updates as necessary on its website.