In January 2021, researchers discovered a malicious document that distributes the MINEBRIDGE RAT through malicious macro code. The document's content resembles the job resume of a threat intelligence analyst, so in this case the malware is aimed at security researchers. Based on the decoy theme and the malware's C&C infrastructure, the researchers attributed the campaign to the TA505 group with moderate confidence. TA505 is a financially motivated threat group that has been active since at least 2014.
For the technical analysis of the attack chain, we look at the macro-enabled Word document with the hash f95643710018c437754b8a11cc943348.
After the Word document is opened and macros are enabled, it displays the message “File has been successfully converted from PDF” as a social engineering lure.
After this message, the decoy document is displayed as shown below; its content resembles the job resume (CV) of a threat intelligence analyst.
The macro code uses string obfuscation.
Phase 1: SFX Archive
A self-extracting (SFX) archive is decoded with certutil.exe; it is disguised as a legitimate TeamViewer application.
Phase 2: DLL Side-Loading
The legitimate binary defender.exe is the TeamViewer application, version 11.2.2150.0, which is susceptible to DLL side-loading. When executed, it loads the msi.dll binary located in the same directory; msi.dll is the file that carries out the further malicious activity on the system.
Phase 3: MINEBRIDGE RAT DLL
The final payload is the MINEBRIDGE RAT DLL, which is packed with UPX.