A carefully targeted attack on banks was launched in early May using ‘unique scripts’ according to FireEye technicians
The macros were sent in e-mails as Excel files that were specifically aimed at named staff, using the contact details and credentials of colleagues to make them look authentic and persuade staff to open them. When run, the macros extracted base64-encoded content and created directories under %PUBLIC%\Libraries. The malware then created a scheduled task named GoogleUpdate that executes update.vbs every three minutes.
FireEye observed that the VBScript is cleverly disguised to appear as a legitimate spreadsheet. The script then uses PowerShell to download further content, including a BAT file, which is executed; the resulting data is uploaded to a server. PowerShell is used to avoid detection. Another tool the attackers used was a version of Mimikatz, a utility that can be used to recover passwords.
A truly dangerous breach
The BAT file was executed to collect user data, network configuration, local and domain administrator accounts, and other undisclosed data. PowerShell was used for data exfiltration because the DNS queries that let the malware communicate outside the network appeared to be routine traffic. A command and control server outside the network then sent instructions to the malware, which had embedded an identifier for itself in the PowerShell script.
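The persistence described above (a scheduled task with an updater-style name, running a VBScript from %PUBLIC%\Libraries every few minutes) is something a defender can hunt for in a scheduled-task inventory. The following is an added detection example, not code from the article or from FireEye; the task records, field names and scoring thresholds are constructed for illustration.

```python
import re

# Constructed sample records shaped like a simplified scheduled-task export
# (task name, the command its action runs, repetition interval in minutes).
# These are illustrative only, not data from the FireEye report.
SAMPLE_TASKS = [
    {"name": "GoogleUpdate",
     "command": r"wscript.exe C:\Users\Public\Libraries\update.vbs", "interval_min": 3},
    {"name": "GoogleUpdateTaskMachineUA",
     "command": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua", "interval_min": 60},
    {"name": "OneDrive Standalone Update",
     "command": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe",
     "interval_min": 1440},
    {"name": "Backup",
     "command": r"powershell.exe -nop -w hidden -enc aGVsbG8=", "interval_min": 2},
]

PUBLIC_DIR = re.compile(r"\\users\\public\\|%public%", re.IGNORECASE)
SCRIPT_HOST = re.compile(r"\b(wscript|cscript)\.exe\b.*\.vbs\b", re.IGNORECASE)
HIDDEN_PS = re.compile(r"powershell(\.exe)?.*?(-enc|-w hidden|-nop)", re.IGNORECASE)
PROGRAM_FILES = re.compile(r"\\program files", re.IGNORECASE)


def score_task(task):
    """Return (score, reasons) for one scheduled-task record.

    Each reason is one trait from the reported chain: action under a
    world-writable Public directory, a VBScript launched by a script host,
    hidden/encoded PowerShell, a beacon-like interval, or an updater-style
    name whose action does not live under Program Files.
    """
    reasons = []
    cmd = task["command"]
    if PUBLIC_DIR.search(cmd):
        reasons.append("action runs from the Public directory")
    if SCRIPT_HOST.search(cmd):
        reasons.append("action is a VBScript run via wscript/cscript")
    if HIDDEN_PS.search(cmd):
        reasons.append("action is PowerShell with hidden/encoded flags")
    if task["interval_min"] <= 5:
        reasons.append(f"repeats every {task['interval_min']} min (beacon-like)")
    if "update" in task["name"].lower() and not PROGRAM_FILES.search(cmd):
        reasons.append("updater-style name but action not under Program Files")
    return len(reasons), reasons


def find_suspicious_tasks(tasks, threshold=2):
    """Return the names of tasks whose score meets the threshold (default 2)."""
    return [t["name"] for t in tasks if score_task(t)[0] >= threshold]
```

A single trait (such as the OneDrive updater living under AppData) is common on a clean host, so the threshold requires at least two traits before a task is flagged.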
Macros still a threat
What impressed the FireEye researchers most was the variety of methods and the attention to detail in the reconnaissance that went into the attack. The breach shows that macros are still a threat and should be treated with extreme caution (or disabled). At this time, the extent of the data breach remains undisclosed.