TA505 uses DLL side-loading to distribute MINEBRIDGE RAT

Introduction

In January 2021, researchers discovered a malicious document that distributes the MINEBRIDGE RAT through its embedded macro code. The document's content resembles the job resume of a threat intelligence analyst, so in this case the attack is aimed at security researchers. Based on the decoy theme and the malware's C&C infrastructure, the researchers attributed it to the TA505 group with moderate confidence. TA505 is a financially motivated threat group that has been active since at least 2014.

Attack process

[Figure: TA505 attack process]

Analysis

To walk through the attack chain technically, we examine the Word document with the MD5 hash f95643710018c437754b8a11cc943348.

Once the Word document is opened and macros are enabled, it displays the message "File has been successfully converted from PDF" for social engineering purposes.

After this message appears, the decoy file is displayed as shown below. Its content resembles the job resume (CV) of a threat intelligence analyst.

[Figure: decoy document]

The macro code uses string obfuscation.

[Figure: obfuscated macro code]

Phase 1 - SFX archive

The self-extracting (SFX) archive is decoded with certutil.exe and is disguised as a legitimate TeamViewer application.

Phase 2 - DLL side loading

The legitimate binary defender.exe is TeamViewer version 11.2.2150.0, which is vulnerable to DLL side-loading. When executed, it loads the msi.dll that sits in the same directory; that msi.dll is the file that carries out the further malicious activity on the system.
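As an added example that is not part of the original report, the following detection logic covers the two steps described above from the defender's side: certutil.exe invoked with -decode, and msi.dll (a Windows system DLL) loaded from a directory outside the Windows system directories. The event lines, paths and field names are constructed to resemble Sysmon ProcessCreate/ImageLoad records and are assumptions, not telemetry from this analysis.

```python
import re

# Constructed sample telemetry (not from the original report): a simplified
# key=value rendering of Sysmon ProcessCreate (EventID 1) and ImageLoad
# (EventID 7) records. Paths and user names are placeholders.
SAMPLE_EVENTS = [
    r'EventID=1 Image=C:\Windows\System32\certutil.exe CommandLine="certutil -decode tv.txt tv.exe"',
    r'EventID=7 Image=C:\Users\u\AppData\Roaming\TV\defender.exe ImageLoaded=C:\Users\u\AppData\Roaming\TV\msi.dll',
    r'EventID=7 Image=C:\Windows\System32\msiexec.exe ImageLoaded=C:\Windows\System32\msi.dll',
    r'EventID=1 Image=C:\Windows\System32\certutil.exe CommandLine="certutil -hashfile a.bin SHA256"',
]

# msi.dll legitimately lives here; a copy loaded from anywhere else is the
# side-loading pattern described above (planted DLL in the EXE's own folder).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Parse one key=value line into a dict; quoted values may contain spaces."""
    return {key: (quoted or bare) for key, quoted, bare in _KV.findall(line)}


def is_certutil_decode(ev):
    """certutil.exe used with -decode//decode: the step that turns the text blob into the SFX."""
    image = ev.get("Image", "").lower()
    tokens = ev.get("CommandLine", "").lower().split()
    return (ev.get("EventID") == "1" and image.endswith("\\certutil.exe")
            and any(t in ("-decode", "/decode") for t in tokens))


def is_sideloaded_msi_dll(ev):
    """ImageLoad of msi.dll from outside the Windows system directories."""
    loaded = ev.get("ImageLoaded", "").lower()
    if ev.get("EventID") != "7" or not loaded.endswith("\\msi.dll"):
        return False
    return not any(loaded.startswith(d + "\\") for d in SYSTEM_DIRS)


RULES = {"certutil_decode": is_certutil_decode, "msi_dll_sideload": is_sideloaded_msi_dll}


def scan(lines):
    """Return (rule_name, event) pairs for every event that matches a rule."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        hits.extend((name, ev) for name, rule in RULES.items() if rule(ev))
    return hits


if __name__ == "__main__":
    for name, ev in scan(SAMPLE_EVENTS):
        print(f"[{name}] {ev.get('Image')}")
```

Run on the constructed events, only the -decode invocation and the msi.dll load from the user profile directory are flagged; the legitimate msiexec.exe load from System32 and the certutil -hashfile call are not.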

Phase 3 - MINEBRIDGE DLL

The MINEBRIDGE DLL is a RAT packed with UPX.

IOCs