An attack campaign has been targeting financial services firms with a new backdoor since early January, FireEye said.
The campaign involves installing the Minebridge backdoor on corporate networks so that attackers can download additional malware and gain a foothold from which to map the infrastructure, FireEye said in its report. The purpose appears to be infecting systems with further malware, stealing information, or both. While most of the targets appear to be financial firms in the United States, some of the messages have been sent to organizations in South Korea. The campaign is still ongoing.
"FireEye has not yet observed any instances in which a host has been successfully compromised by Minebridge," the report said.
Once the attached document is opened and its malicious macros run, they retrieve a ZIP archive from a server controlled by the attackers; the archive contains an older copy of TeamViewer together with a malicious DLL. When that TeamViewer binary is started, it side-loads the DLL, which contains Minebridge. Once running, the backdoor connects to a command-and-control server operated by the attackers. It is capable of downloading and executing other malware and arbitrary files, updating and deleting itself, listing the processes running on the system, shutting down and rebooting the system, executing arbitrary shell commands, gathering system information, and turning TeamViewer's microphone on or off, FireEye said.
"Minebridge is a 32-bit C++ backdoor designed to be loaded by an older, unpatched instance of the legitimate remote desktop software TeamViewer by DLL load-order hijacking," the researchers said in the report. The backdoor also hooks Windows API functions so that the TeamViewer application stays hidden from the user.
Researchers have identified three distinct waves of attacks attempting to plant the Minebridge backdoor. Each wave starts with phishing emails carrying malicious attached documents, sent from recently registered domains, FireEye said. If the recipient opens the file, in some cases a Microsoft Word document, the embedded macros install the backdoor on the victim's system.
In the first wave, the phishing messages had the subject line "Tax Return File" and were sent from an address that appeared to belong to an accountant. The message body referenced the United States Internal Revenue Service, and the malicious payload was hidden in an attachment made to look like a document from the tax preparation company H&R Block.
In the second wave, the messages were sent to targets in South Korea and had subject lines referencing marketing partnerships. In that instance, the malicious payload was inside a Word document with macros. The message instructed the recipient to enable editing so that the macros could execute (macros are disabled by default in Office) and install the backdoor.
The latest wave targeted financial firms in the U.S. with messages pretending to come from someone looking for a job. The message body references an "employment candidate with experience in the financial sector," and the sending domain contained "agent4career", which could be mistaken for a recruiting company. The malicious payload was hidden in a document purporting to be a resume.
“One of the more notable characteristics of this activity was the consistency in themes used for domain registration, lure content, similarities in malicious document macro content and targeting,” according to the research.
All three waves used the "VBA stomping" technique to hide the macros, along with the Evil Clippy tool, to help the macros evade detection by security tools. A VBA module in an Office document is stored twice: as compressed source code and as compiled p-code. VBA stomping replaces or removes the stored source so that it no longer matches the p-code, which is what Office actually executes. This is done so that "static analysis tools focusing on VBA macro source extraction may be fooled into a benign assessment of a document bearing malicious p-code," FireEye wrote in the report.
P-code is the compiled, intermediate form of the macro that Office runs when the document is opened in the same Office version that produced it. Analysis tools that only extract and inspect the VBA source may therefore judge the document benign while the p-code is malicious, FireEye said. The dependency on the Office version cuts the other way for sandboxes: "When VBA source is removed, and a document is opened in a version of Office for which the p-code was not compiled to execute, a macro will not execute correctly, resulting in potential failed dynamic analysis."
This raises the bar for the attacker, who must know which version of Office the target uses and build the p-code for it; otherwise the sample will not run properly.
The attackers also prevented the macro source from being viewed in Office's VBA editor by modifying the document's PROJECT stream so that the module is referenced but not defined. Combined with the version-specific p-code, this means the attacker needed knowledge of the recipient's environment for the attack to work.
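The two tricks above are both visible in the raw VBA project streams, and an analyst can check for them without running the document. The following Python is an added example, not code from FireEye or from the article: it decodes the compressed VBA source using the container format documented in MS-OVBA (section 2.4.1), splits a module stream at its MODULEOFFSET into p-code and source, flags a module that carries compiled code but no executable source text (the stomping indicator), and compares module names against the PROJECT stream to catch a module that is unlisted or referenced but never defined. All stream contents are constructed inline for illustration; reading them from a real document (for instance with olefile) and parsing the dir stream for offsets and module names is assumed and not implemented here.

```python
"""Indicators of VBA stomping and a hidden module in an Office VBA project.

Constructed sample data only. The source decoder implements the MS-OVBA
2.4.1 CompressedContainer format; module streams follow MS-OVBA 2.3.4.3
(PerformanceCache p-code first, compressed source at MODULEOFFSET). In a
real document the streams would be read from the VBA storage, e.g. with
olefile; the dir stream parsing that yields MODULEOFFSET and the module
names is assumed and not implemented here.
"""
import re


def decompress_container(data: bytes) -> bytes:
    """Decode an MS-OVBA CompressedContainer into the VBA source text."""
    if not data or data[0] != 0x01:
        raise ValueError("missing CompressedContainer signature 0x01")
    out = bytearray()
    pos = 1
    while pos + 2 <= len(data):
        header = int.from_bytes(data[pos:pos + 2], "little")
        size = (header & 0x0FFF) + 3                 # CompressedChunkSize incl. header
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad CompressedChunkSignature")
        chunk = data[pos + 2:pos + size]
        pos += size
        chunk_start = len(out)
        if (header >> 15) == 0:                      # CompressedChunkFlag 0: raw bytes
            out += chunk
            continue
        i = 0
        while i < len(chunk):
            flags = chunk[i]
            i += 1
            for bit in range(8):
                if i >= len(chunk):
                    break
                if not flags & (1 << bit):           # literal token: one byte
                    out.append(chunk[i])
                    i += 1
                else:                                # copy token: 16-bit little endian
                    token = int.from_bytes(chunk[i:i + 2], "little")
                    i += 2
                    diff = len(out) - chunk_start
                    bit_count = max((diff - 1).bit_length(), 4)  # ceil(log2(diff)), min 4
                    offset = (token >> (16 - bit_count)) + 1
                    length = (token & (0xFFFF >> bit_count)) + 3
                    src = len(out) - offset
                    for k in range(length):          # byte-wise: copies may overlap
                        out.append(out[src + k])
    return bytes(out)


def compress_literals(src: bytes) -> bytes:
    """Build a valid literal-only (unoptimised) CompressedContainer.
    Used here only to construct sample module streams."""
    out = bytearray(b"\x01")
    for start in range(0, len(src), 4096):
        chunk = src[start:start + 4096]
        body = bytearray()
        for j in range(0, len(chunk), 8):
            body.append(0x00)                        # flag byte: next 8 tokens are literals
            body += chunk[j:j + 8]
        header = 0x8000 | 0x3000 | (len(body) + 2 - 3)
        out += header.to_bytes(2, "little") + body
    return bytes(out)


def assess_module(stream: bytes, text_offset: int) -> dict:
    """Split a module stream at MODULEOFFSET and compare what a source-only
    tool sees (decompressed text) with what Office executes (p-code)."""
    pcode, source = stream[:text_offset], decompress_container(stream[text_offset:])
    code_lines = [ln for ln in source.decode("latin-1").splitlines()
                  if ln.strip() and not ln.startswith("Attribute ")]
    return {
        "pcode_bytes": len(pcode),
        "source_code_lines": len(code_lines),
        # compiled code present, but no executable source text: stomped
        "stomped": len(pcode) > 0 and not code_lines,
    }


def project_stream_mismatch(project_stream: bytes, dir_modules: list) -> dict:
    """Compare module names from the dir stream with the PROJECT stream.
    A module missing from PROJECT is not shown by the VBA editor; a PROJECT
    entry with no module behind it is referenced but never defined."""
    listed = re.findall(r"^(?:Module|Class|Document|BaseClass)=(\w+)",
                        project_stream.decode("latin-1"), re.M)
    return {
        "unlisted": [m for m in dir_modules if m not in listed],
        "dangling": [m for m in listed if m not in dir_modules],
    }


# --- constructed samples (not taken from any real document) ---
COPY_TOKEN_SAMPLE = (b"\x01" + (0xB014).to_bytes(2, "little")       # one compressed chunk, 21 bytes
                     + b"\x00" + b"' commen" + b"\x00" + b"t line\r\n"
                     + b"\x01" + (0xF00D).to_bytes(2, "little"))     # copy token: offset 16, length 16
FAKE_PCODE = bytes(range(256)) * 2          # stands in for a PerformanceCache; not real p-code
STOMPED_MODULE = FAKE_PCODE + compress_literals(b'Attribute VB_Name = "Module1"\r\n')
NORMAL_SRC = (b'Attribute VB_Name = "Module2"\r\nSub AutoOpen()\r\n'
              b'    MsgBox "hi"\r\nEnd Sub\r\n')
NORMAL_MODULE = FAKE_PCODE + compress_literals(NORMAL_SRC)
PROJECT_STREAM = (b'ID="{00000000-0000-0000-0000-000000000000}"\r\n'
                  b"Module=Module2\r\nModule=Module3\r\n"
                  b'Name="VBAProject"\r\n')

if __name__ == "__main__":
    for name, stream in (("Module1", STOMPED_MODULE), ("Module2", NORMAL_MODULE)):
        print(name, assess_module(stream, len(FAKE_PCODE)))
    print(project_stream_mismatch(PROJECT_STREAM, ["Module1", "Module2"]))
```

The stomping check is deliberately conservative: it only says that Office has compiled code to run while a source-extraction tool has nothing meaningful to read. Deciding whether the p-code itself is malicious requires disassembling it, which is what tools such as pcodedmp do; olevba builds on that to report source and p-code disagreement. The version the p-code was compiled for is recorded in the `_VBA_PROJECT` stream (the 16-bit version field at bytes 2 and 3), which is worth recording when triaging a sample that refuses to run in a sandbox.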
Both the version-specific p-code and the hidden module suggest that these attacks were targeted rather than an attempt to cast a wide net across financial services organizations.
“The payloads have the additional burden of needing to fingerprint targets to enable successful execution,” FireEye said. “While actors with sufficient resources and creativity can no doubt account for these requirements, it is relevant to note that detections for these methodologies will likely yield more targeted activity.”