
U.S. Finance Sector Hit with Targeted Backdoor Campaign
2020-02-06 17:54

The financial services sector in the U.S. found itself under a barrage of cyberattacks last month, all bent on delivering a powerful backdoor called Minebridge.

The technique, which FireEye calls VBA stomping, refers to "The manipulation of Office documents where the source code of a macro is made to mismatch the pseudo-code of the document," according to FireEye. The pseudo-code (p-code) is the compiled form of the macro that Office actually runs when the document was saved by a matching Office version, while the source text is only what the editor displays; stomping overwrites the latter and leaves the former intact.

Some sophistication is required in order to use the tactic effectively, according to the firm: "An actor's VBA stomped document containing benign VBA source but evil p-code must know the version of Office to build the p-code for, or their sample will not detonate properly. Additionally, if an actor sends a stomped document, and a user or researcher opens the macro in the Office editor, they will see malicious code."
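A worked illustration of the mismatch FireEye describes, added here and not code from the Threatpost article or from FireEye: the module's source is stored in the MS-OVBA compressed form (the text the editor decompresses and shows), so the check below first decompresses a constructed chunk and then compares the recovered source with the identifiers a p-code disassembler would recover from the same module. The compressed sample and both p-code identifier lists are constructed for the example; no real document is parsed, and the identifiers in the "stomped" list are ordinary VBA names chosen only to show the mismatch.

```python
"""Added example (not code from the Threatpost article or FireEye's research):
recover a module's VBA source from its MS-OVBA compressed form, the text the
editor displays, and flag VBA stomping when identifiers that a p-code
disassembler recovered from the same module do not occur in that source.
The compressed chunk and the p-code identifier lists are constructed here;
no real document is parsed."""
import math
import re
import struct


def decompress_ovba(container: bytes) -> bytes:
    """Decompress an MS-OVBA (section 2.4.1) compressed container: a 0x01
    signature byte followed by chunks, each a 2-byte header plus data."""
    if not container or container[0] != 0x01:
        raise ValueError("missing 0x01 container signature")
    out = bytearray()
    pos = 1
    while pos < len(container):
        header = struct.unpack_from("<H", container, pos)[0]
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad chunk signature")
        chunk_end = min(pos + (header & 0x0FFF) + 3, len(container))
        is_compressed = (header >> 15) & 1
        pos += 2
        chunk_start = len(out)          # decompressed offset this chunk began at
        if not is_compressed:           # raw chunk: 4096 bytes copied verbatim
            out += container[pos:pos + 4096]
            pos += 4096
            continue
        while pos < chunk_end:
            flags = container[pos]      # one flag bit per following token
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:
                    out.append(container[pos])     # literal byte
                    pos += 1
                    continue
                token = struct.unpack_from("<H", container, pos)[0]
                pos += 2
                # Copy token: the offset/length bit split depends on how many
                # bytes of this chunk have already been decompressed.
                produced = len(out) - chunk_start
                if produced == 0:
                    raise ValueError("copy token with nothing to copy from")
                bit_count = max(math.ceil(math.log2(produced)), 4)
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                src = len(out) - offset
                for i in range(length):            # byte-wise: may overlap
                    out.append(out[src + i])
    return bytes(out)


# Constructed compressed container encoding "Sub A()\r\nEnd Sub\r\n":
# header 0xB012 (compressed, signature 011, size 21-3), a flag byte 0x00 with
# eight literals, then flag byte 0x20 whose bit 5 marks a copy token 0xC000
# (offset 13, length 3) that repeats "Sub".
SAMPLE_COMPRESSED = (b"\x01" + b"\x12\xB0"
                     + b"\x00" + b"Sub A()\r"
                     + b"\x20" + b"\nEnd " + b"\x00\xC0" + b"\r\n")

IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def stomping_indicators(source: bytes, pcode_names: list) -> list:
    """Names the p-code references that the (editor-visible) source never
    mentions. VBA is case-insensitive, so everything is compared lowercased.
    Identifier-shaped names must match a whole token; other p-code string
    constants are looked for as substrings."""
    text = source.decode("latin-1").lower()
    tokens = set(IDENT.findall(text))
    missing = []
    for name in pcode_names:
        n = name.lower()
        present = n in tokens if IDENT.fullmatch(n) else n in text
        if not present:
            missing.append(name)
    return sorted(missing)


# Constructed p-code identifier lists, standing in for disassembler output.
PCODE_BENIGN = ["A"]                                    # consistent with the source
PCODE_STOMPED = ["A", "CreateObject", "WScript.Shell"]  # source says nothing of these

if __name__ == "__main__":
    src = decompress_ovba(SAMPLE_COMPRESSED)
    print(src.decode())
    print("benign:", stomping_indicators(src, PCODE_BENIGN))
    print("stomped:", stomping_indicators(src, PCODE_STOMPED))
```

A non-empty result means the source the editor would show could not have produced the p-code, which is exactly the condition FireEye's description names. The check is a heuristic: it relies on a separate p-code disassembler for the identifier list, and a document whose p-code was simply rebuilt by Office (when the saving version does not match) will show no mismatch because the stale p-code is discarded.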

The ultimate goal of the document is to infect victims with the Minebridge backdoor.

If the document is detonated and the malicious macros execute, the code fetches a ZIP file containing the legitimate files needed to run an older copy of TeamViewer, whose executable is renamed to "Wpvnetwks.exe." The renamed but otherwise legitimate TeamViewer executable then side-loads a malicious DLL containing the Minebridge backdoor. Because the executable itself is the vendor's own file, hash- or reputation-based checks on it will not fire; what stands out is the rename and the DLL it loads from its own directory.
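The chain just described, turned into a small hunt over constructed Sysmon-style telemetry (added example; not code from the article, from FireEye or from Threatpost): it flags the file name the article gives, generalizes that to any process whose on-disk name differs from the OriginalFileName in its PE version resource, and then watches such processes for an unsigned DLL loaded from the executable's own directory. The field names follow Sysmon event ID 1 (ProcessCreate) and 7 (ImageLoad); the paths, PIDs and the DLL name helper.dll are made up for the example and are not indicators from the campaign.

```python
"""Added example, not code from the article or from FireEye: a small hunt over
Sysmon-style events for the chain the article describes, a legitimate
TeamViewer binary renamed to Wpvnetwks.exe that side-loads a DLL from its own
directory. Field names follow Sysmon event ID 1 (ProcessCreate) and 7
(ImageLoad); the event values, paths, PIDs and the DLL name helper.dll are
constructed for this example."""
import ntpath

# Loads from the OS directories are expected; a DLL sitting beside the renamed
# executable is the side-loading pattern.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
IOC_FILENAMES = {"wpvnetwks.exe"}        # file name given in the article

EVENTS = [  # constructed telemetry, in the order a sensor would emit it
    {"EventID": 1, "ProcessId": 4120,
     "Image": r"C:\Users\alice\AppData\Roaming\tvw\Wpvnetwks.exe",
     "OriginalFileName": "TeamViewer.exe", "Company": "TeamViewer GmbH"},
    {"EventID": 7, "ProcessId": 4120,
     "Image": r"C:\Users\alice\AppData\Roaming\tvw\Wpvnetwks.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"EventID": 7, "ProcessId": 4120,
     "Image": r"C:\Users\alice\AppData\Roaming\tvw\Wpvnetwks.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\tvw\helper.dll", "Signed": "false"},
    {"EventID": 1, "ProcessId": 5000,                      # normal install, no alert
     "Image": r"C:\Program Files\TeamViewer\TeamViewer.exe",
     "OriginalFileName": "TeamViewer.exe", "Company": "TeamViewer GmbH"},
]


def is_renamed_pe(ev) -> bool:
    """ProcessCreate whose on-disk file name differs from the OriginalFileName
    in the PE version resource: the generic form of 'TeamViewer renamed to
    Wpvnetwks.exe'. Catches any renamed host binary, not only TeamViewer."""
    on_disk = ntpath.basename(ev["Image"]).lower()
    original = ev.get("OriginalFileName", "").lower()
    return bool(original) and on_disk != original


def hunt(events) -> list:
    """Return (rule, pid, detail) findings. ImageLoad events are only judged
    for processes already flagged as renamed, so event order matters."""
    findings, renamed = [], {}          # renamed: pid -> image path
    for ev in events:
        if ev["EventID"] == 1:
            name = ntpath.basename(ev["Image"]).lower()
            if name in IOC_FILENAMES:
                findings.append(("ioc_filename", ev["ProcessId"], ev["Image"]))
            if is_renamed_pe(ev):
                renamed[ev["ProcessId"]] = ev["Image"]
                findings.append(("renamed_pe", ev["ProcessId"],
                                 f"{name} carries OriginalFileName {ev['OriginalFileName']}"))
        elif ev["EventID"] == 7 and ev["ProcessId"] in renamed:
            dll = ev["ImageLoaded"]
            beside_exe = (ntpath.dirname(dll).lower()
                          == ntpath.dirname(renamed[ev["ProcessId"]]).lower())
            from_os = dll.lower().startswith(SYSTEM_DIRS)
            if beside_exe and not from_os and ev.get("Signed", "false") != "true":
                findings.append(("dll_sideload", ev["ProcessId"], dll))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in hunt(EVENTS):
        print(f"{rule:<13} pid={pid} {detail}")
```

The file-name rule is the narrowest and the first to go stale once the actor picks a new name; the rename and side-load rules survive that change, which is why the example keeps all three. Expect legitimate installers and updaters that rename themselves to trip the rename rule on its own, so the side-load finding is the one worth paging on.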

News URL

https://threatpost.com/us-finance-sector-targeted-backdoor-campaign/152634/