FireEye Researchers First Spotted ‘Minebridge’ in Early January
FireEye researchers are tracking a hacker campaign using a new type of backdoor they call “Minebridge” that has primarily been targeting U.S. financial firms this year.
The campaign, which appears to have started around Jan. 7, involves planting the Minebridge backdoor into corporate networks to deliver other malware and allow attackers to map the infrastructure, according to a new FireEye report.
The attackers first target employees with phishing emails that contain malicious attached documents, in some cases a Microsoft Word file. If the target of these emails opens the malicious file, macros then begin to install the Minebridge backdoor, according to the report.
The phishing emails come from domains that were created to appear legitimate and were registered in the weeks before the first attacks began, according to FireEye. In one example, victims received phishing messages from a domain called “agent4career.com,” which appeared to be a recruiting firm, the report finds.
And while most of the targets of the Minebridge campaign are U.S.-based financial firms, some of the phishing emails have also been sent to South Korean organizations, including a marketing agency, the report finds.
“FireEye has not yet observed any instances in which a host has been successfully compromised by Minebridge,” the report finds, noting that the campaign is still active.
So far, researchers identified three phishing campaigns that have attempted to plant the Minebridge backdoor in corporate networks.
In the first campaign, which started about Jan. 7, the attackers targeted U.S. financial firms using an email with the subject line “Tax Return File,” and some wording taken from the U.S. Internal Revenue Service in the body of the message, according to the report. The malicious payload was hidden inside an attached document that appeared to come from H&R Block, a company that helps prepare tax returns, the report adds.
On Jan. 8, phishing emails were sent to firms in South Korea, according to FireEye. These messages used subject lines concerning marketing partnerships. The malicious payload was hidden inside an attached Word document and the email contained instructions to “enable editing” in order to view the content, according to the report. If that feature was enabled, then the macros could install the backdoor, according to the report.
On Jan. 28, a third phishing campaign again targeted U.S. financial firms with messages that appeared to come from someone with financial experience looking for a job, according to the report. In this case, the malicious payload was disguised in an attached resume document, FireEye says.
The FireEye researchers say all three phishing campaigns used a technique called “VBA stomping” to help hide the macros and bypass anti-virus detection and other security tools.
VBA stomping is a manipulation of an Office document's VBA project. A macro is stored twice inside the file, as compressed source code and as compiled pseudo-code (p-code); the attacker replaces the source with something benign while leaving the malicious p-code untouched. When the document is opened by the same Office version that compiled it, Office runs the p-code without recompiling from the source, so “static analysis tools focusing on VBA macro source extraction may be fooled into a benign assessment of a document bearing malicious p-code,” according to the report.
The attackers also appear to have used Evil Clippy, an open-source tool that runs on Windows, Linux and macOS and builds malicious Office documents: it can hide VBA macros, stomp their source code and otherwise confuse macro analysis tools and anti-virus products, and the tool's own examples apply it to the macro payload generated by the Cobalt Strike penetration testing platform (see: The Malicious Macros Problem May Be Solved Soon).
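The mechanics are easiest to see on the byte level. The following is an added example, not code from the FireEye report, from Evil Clippy or from any analysis tool: it implements the MS-OVBA source decompression that source-based extractors rely on, builds a module stream whose source has been swapped while the compiled part stays the same, and shows a heuristic check for the mismatch. The p-code bytes (`PCODE`) are a constructed placeholder, not real compiled VBA; only the embedded UTF-16LE string literal mimics what real p-code carries inline. All function names are this example's own.

```python
"""MS-OVBA source container handling and a VBA-stomping indicator.

A VBA module stream is PerformanceCache (compiled p-code, MODULEOFFSET
bytes, offset taken from the project's dir stream) followed by the
compressed source code (MS-OVBA 2.4.1 container). Stomping rewrites only
the second part, so source extractors see benign text while the p-code
still carries the real behaviour.
"""
import re


def decompress(buf: bytes) -> bytes:
    """Decompress an MS-OVBA 2.4.1 container (what a source extractor does)."""
    if not buf or buf[0] != 0x01:
        raise ValueError("missing 0x01 container signature")
    out = bytearray()
    pos = 1
    while pos + 2 <= len(buf):
        hdr = int.from_bytes(buf[pos:pos + 2], "little")
        pos += 2
        chunk_end = pos - 2 + (hdr & 0x0FFF) + 3   # size field = chunk size - 3
        if not hdr & 0x8000:                        # flag 0: uncompressed chunk
            out += buf[pos:pos + 4096]
            pos += 4096
            continue
        chunk_start = len(out)
        while pos < chunk_end:
            flags = buf[pos]                        # one flag bit per token
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not flags & (1 << bit):          # literal token: one byte
                    out.append(buf[pos])
                    pos += 1
                    continue
                token = int.from_bytes(buf[pos:pos + 2], "little")  # copy token
                pos += 2
                done = len(out) - chunk_start
                bits = max(4, (done - 1).bit_length())  # ceil(log2(done)), min 4
                length = (token & (0xFFFF >> bits)) + 3
                offset = (token >> (16 - bits)) + 1
                src = len(out) - offset
                for i in range(length):             # overlapping copy is allowed
                    out.append(out[src + i])
    return bytes(out)


def compress(data: bytes) -> bytes:
    """Build a valid container from literal tokens only (no back-references).

    Enough to write a source stream every decompressor accepts; one literal
    chunk holds at most 3640 bytes because 3640 + 455 flag bytes = 4095,
    the largest compressed chunk the format allows.
    """
    if len(data) > 3640:
        raise ValueError("example writer handles a single literal chunk only")
    body = bytearray()
    for j in range(0, len(data), 8):
        body.append(0x00)                  # flag byte: next 8 tokens are literals
        body += data[j:j + 8]
    hdr = 0x8000 | 0x3000 | (len(body) + 2 - 3)   # compressed flag, signature, size
    return b"\x01" + hdr.to_bytes(2, "little") + bytes(body)


def extract_source(module_stream: bytes, module_offset: int) -> str:
    """The view a source-only extractor gets: the text after MODULEOFFSET."""
    return decompress(module_stream[module_offset:]).decode("latin-1")


def pcode_strings(module_stream: bytes, module_offset: int, min_len: int = 4):
    """UTF-16LE literals in the PerformanceCache; p-code keeps string
    constants inline, and stomping does not touch that region."""
    cache = module_stream[:module_offset]
    pat = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16le") for m in pat.finditer(cache)]


def stomping_indicators(module_stream: bytes, module_offset: int):
    """Heuristic: literals present in the p-code but absent from the source."""
    src = extract_source(module_stream, module_offset)
    return [s for s in pcode_strings(module_stream, module_offset) if s not in src]


# Constructed sample data. PCODE is a placeholder for compiled VBA: the
# zero bytes stand in for opcodes, the UTF-16LE text mimics an inline literal.
MALICIOUS_SRC = b'Sub AutoOpen()\r\n    Shell "cmd.exe /c calc.exe", vbHide\r\nEnd Sub\r\n'
BENIGN_SRC = b'Sub AutoOpen()\r\n    MsgBox "Hello"\r\nEnd Sub\r\n'
PCODE = b"\x00" * 8 + "cmd.exe /c calc.exe".encode("utf-16le") + b"\x00" * 8


def build_module_stream(pcode: bytes, source: bytes):
    """Return (module stream, MODULEOFFSET) for a given cache and source."""
    return pcode + compress(source), len(pcode)


def demo():
    original, off = build_module_stream(PCODE, MALICIOUS_SRC)
    stomped, off2 = build_module_stream(PCODE, BENIGN_SRC)  # same p-code, new source
    return {
        "original_source": extract_source(original, off),
        "stomped_source": extract_source(stomped, off2),
        "original_indicators": stomping_indicators(original, off),
        "stomped_indicators": stomping_indicators(stomped, off2),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

The stomped stream decompresses to the harmless `MsgBox` macro, which is all a source-only scanner would report, while the literal `cmd.exe /c calc.exe` is still sitting in the cache region ahead of MODULEOFFSET. In practice the check is done with real p-code rather than this placeholder: `pcodedmp` disassembles the PerformanceCache and `olevba` extracts the source, and any behaviour visible in one but not the other is the indicator.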
How Backdoor Works
While the FireEye researchers did not find an instance where these phishing campaigns achieved their goals, analysts did discover more details about the Minebridge backdoor.
Written in C++, the Minebridge backdoor is a DLL that is dropped alongside a legitimate, older copy of TeamViewer, the remote desktop software that lets an outside party connect to a Windows device, and is loaded by it through DLL search order hijacking (side-loading), according to the report. Once running, the backdoor attempts to connect to a command-and-control server controlled by the attackers, FireEye found.
If successfully installed, the malware gives the attackers capabilities such as “executing payloads, downloading arbitrary files, self-deletion and updating, process listing, shutting down and rebooting the system, executing arbitrary shell commands, process elevation, turning on/off TeamViewer’s microphone and gathering system [User Account Control] information,” according to the report.
The FireEye researchers also found that the Minebridge samples use a loader called Minedoor, which is associated with TA505, an advanced persistent threat group that recently resumed targeting financial companies after a short hiatus, according to the report.
TA505 had previously used Minedoor to deliver backdoor malware called Friendspeak, the report adds.
In January, the Microsoft Security Intelligence team reported that TA505 had returned with a campaign that uses HTML redirectors to deliver malicious Excel documents. TA505, which is believed to be based in Russia, has targeted banks, financial institutions, retailers and other businesses in multiple countries, including the U.S., over the last six years (see: TA505 APT Group Returns With New Techniques: Report).
FireEye researchers note, however, that there is only limited overlap between the techniques used to deliver Minebridge and Friendspeak, which could mean that TA505 is not behind this latest phishing campaign. The security firm adds that the Minebridge campaign is also much smaller in volume and scope than the attacks TA505 typically conducts.