MineBridge Malware Puts Companies on High Alert | Threat Spotlight
Whether you are a security analyst looking for technical information on how the MineBridge malware works or an information security manager seeking advice on how to protect your organization from the malware, you are in the right place.
Threat actors are constantly searching for new techniques to evade detection and deliver malware onto a victim's network. In one recent cyber-attack, the Microsoft Windows Finger utility was abused to deliver the MineBridge payload. This command is generally used by network administrators to list the users on a remote machine in the network. However, security researchers identified a new method to turn Finger into a file loader and C&C server for the exfiltration of data. This attack chain also uses a known technique called "VBA Stomping" to evade detection.
MineBridge campaigns don’t look like phishing, but they are
According to the researchers, the phishing campaigns, aimed at enabling further malware infections for lateral movement and a potential espionage effort, were initiated via phishing emails carrying a malicious macro backdoor as an attachment. These emails were sent from fake domains that looked legitimate.
One of the campaigns carried a tax theme (subject line: “Tax Return File,” with IRS-related text in the message). The threat actors tried to look legitimate by using a CPA-themed domain in the email addresses: rogerveCPS [dot]com. The attached macro virus mimicked an H&R Block-related tax form.
Another campaign had a recruiting theme, with messages sent from various email addresses on the domain agent4career[dot]com. The subject line and message body referenced an "employment candidate with experience in the financial sector," and the attached document posed as an applicant's resume.
How does MineBridge malware work?
Cybercriminals are targeting users with phishing emails that ultimately infect their devices with MineBridge malware. Threat actors embed a malicious macro into Word documents disguised as applicants' resumes or tax return details. As soon as the victim clicks "Enable Editing" or "Enable Content" after opening the document, the payload is triggered.
The malware hides itself inside the TeamViewer application, a remote desktop tool used to access systems with administrative privileges. It grants complete access to the victim's computer and can potentially be leveraged to listen to conversations through the device's microphone.
After execution, MineBridge downloads and executes another payload. The C2 commands it supports include downloading arbitrary files, self-deletion and self-updating, process listing, shutting down and rebooting the system, executing arbitrary shell commands, process elevation, turning TeamViewer's microphone on or off, and gathering system UAC information.
Fortunately, the Windows Finger command is rarely used today, but it should still be blocked on the network.
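Because Finger is almost never needed in a modern environment, any execution of finger.exe is worth an alert, and an execution whose parent is an Office application is a strong signal of the macro-to-loader chain described above. The following is an added example, not code from the original article or from the researchers it cites: it runs a simple classification over constructed Sysmon-style process-creation events (Event ID 1, one JSON object per line, using Sysmon's field names Image, CommandLine, ParentImage and User). The sample events, the user names and the documentation-range address 203.0.113.10 are all constructed for the example.

```python
import json
import ntpath

# Office applications that should never legitimately spawn finger.exe.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Script and shell hosts: a Finger call to a remote host from these is worth a look.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed Sysmon-style Event ID 1 records (not real telemetry from the campaign).
FINGER_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\finger.exe", "CommandLine": "finger.exe user@203.0.113.10", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "User": "CORP\\alice"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\finger.exe", "CommandLine": "finger.exe user@203.0.113.10", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "User": "CORP\\bob"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\finger.exe", "CommandLine": "finger.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "User": "CORP\\carol"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "User": "CORP\\alice"}
"""


def _basename(path):
    """Lower-cased file name of a Windows path (ntpath works on any host OS)."""
    return ntpath.basename(path or "").lower()


def classify_event(evt):
    """Return a finding dict for a finger.exe process-creation event, else None."""
    if evt.get("EventID") != 1 or _basename(evt.get("Image")) != "finger.exe":
        return None
    parent = _basename(evt.get("ParentImage"))
    cmdline = evt.get("CommandLine", "")
    # The user@host form means Finger is contacting a remote system.
    remote = "@" in cmdline
    if parent in OFFICE_PARENTS:
        severity, reason = "high", f"finger.exe spawned by Office application {parent}"
    elif parent in SCRIPT_HOSTS and remote:
        severity, reason = "medium", f"finger.exe contacting a remote host from {parent}"
    else:
        severity, reason = "low", "finger.exe executed (rarely used; consider blocking)"
    return {"severity": severity, "reason": reason,
            "user": evt.get("User"), "command_line": cmdline}


def detect_finger_abuse(jsonl):
    """Run classify_event over a JSON-lines export and collect the findings."""
    findings = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        finding = classify_event(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in detect_finger_abuse(FINGER_EVENTS):
        print(f"[{f['severity']}] {f['user']}: {f['reason']} ({f['command_line']})")
```

The severity tiers follow the article's own point: Finger is rare enough that a plain execution deserves a low-priority record, a remote lookup launched from a shell or script host deserves a look, and a Finger process whose parent is Word or Excel is the document-detonation chain itself. Blocking finger.exe outright with an application-control or host-firewall rule, as the article recommends, removes the need for the first two tiers.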
The MineBridge payload
A threat actor can still circumvent a block on the Finger command via Windows NetSh Portproxy port redirection over TCP. Proof-of-concept (PoC) exploits were published in September 2020; however, the hackers only abused the Finger utility in the wild in January 2021.
The end goal of the document carrying the macro is to infect the victim's machine with the MineBridge backdoor, a very powerful piece of malware that gives the attackers full control of the target environment. If the document is "detonated" and the malicious macros execute, the MineBridge code downloads a ZIP file containing the legitimate files required to run an older, vulnerable copy of Microsoft TeamViewer, which is then renamed to "wpvnetwks.exe". This renamed TeamViewer binary is then leveraged to side-load a DLL containing the actual MineBridge backdoor.
MineBridge is a 32-bit C++ backdoor designed to be loaded by an unpatched version of the legitimate TeamViewer remote desktop software through a technique called DLL load-order hijacking. The backdoor hooks Windows APIs so that the TeamViewer application stays hidden from the victim.
The MineBridge backdoor makes outbound connections to a command-and-control (C2) server using HTTPS POST requests, and it sends TeamViewer chat messages through a custom window procedure hook.
Persistence is established by creating a link file at %CSIDL_STARTUP%\Windows WMI.lnk, which points to %AppData%\Windows Media Player\wpnetwks.exe, so the backdoor is launched at every user login.
Tactics: Execution, Defense Evasion
Techniques: Signed Binary Proxy Execution (T1218)
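The three stages described in this section (a legitimate TeamViewer binary renamed and dropped under the user's profile, an unsigned DLL side-loaded from the same directory, and a .lnk written to the Startup folder) each leave a distinct trace in Sysmon telemetry. The following is an added example, not code from the original article or from the researchers it cites: it hunts over constructed Sysmon-style events using the real Sysmon field names (Event ID 1 with OriginalFileName, Event ID 7 with ImageLoaded and SignatureStatus, Event ID 11 with TargetFilename). The sample events, the user name and the DLL name example.dll are constructed; the directory and executable names follow the article's description.

```python
import json
import ntpath

STARTUP_MARKER = "\\start menu\\programs\\startup\\"
# Directories a standard user can write to; legitimate TeamViewer lives under Program Files.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")

# Constructed Sysmon-style records (not real telemetry): a renamed TeamViewer binary
# under AppData, an unsigned DLL loaded from beside it, a signed system DLL (benign),
# a Startup .lnk written by Word, and a genuine TeamViewer install (benign).
CHAIN_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Users\\alice\\AppData\\Roaming\\Windows Media Player\\wpvnetwks.exe", "OriginalFileName": "TeamViewer.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 7, "Image": "C:\\Users\\alice\\AppData\\Roaming\\Windows Media Player\\wpvnetwks.exe", "ImageLoaded": "C:\\Users\\alice\\AppData\\Roaming\\Windows Media Player\\example.dll", "SignatureStatus": "Unavailable"}
{"EventID": 7, "Image": "C:\\Users\\alice\\AppData\\Roaming\\Windows Media Player\\wpvnetwks.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "SignatureStatus": "Valid"}
{"EventID": 11, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Windows WMI.lnk"}
{"EventID": 1, "Image": "C:\\Program Files\\TeamViewer\\TeamViewer.exe", "OriginalFileName": "TeamViewer.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
"""


def _norm(path):
    return (path or "").lower()


def _in_user_writable(path):
    return any(marker in _norm(path) for marker in USER_WRITABLE)


def check_process_create(evt):
    """EID 1: a PE whose embedded OriginalFileName differs from its on-disk name."""
    image, orig = _norm(evt.get("Image")), _norm(evt.get("OriginalFileName"))
    if orig and orig != ntpath.basename(image) and _in_user_writable(image):
        return f"renamed executable: {image} carries OriginalFileName '{orig}'"
    return None


def check_image_load(evt):
    """EID 7: an unsigned DLL loaded from the process's own (user-writable) directory."""
    image, loaded = _norm(evt.get("Image")), _norm(evt.get("ImageLoaded"))
    same_dir = ntpath.dirname(loaded) == ntpath.dirname(image)
    if (loaded.endswith(".dll") and same_dir and _in_user_writable(loaded)
            and evt.get("SignatureStatus") != "Valid"):
        return f"possible DLL side-loading: {image} loaded unsigned {loaded} from its own directory"
    return None


def check_file_create(evt):
    """EID 11: a shortcut written into any user's or the machine's Startup folder."""
    target = _norm(evt.get("TargetFilename"))
    if STARTUP_MARKER in target and target.endswith(".lnk"):
        return f"startup persistence: {evt.get('Image')} wrote {target}"
    return None


CHECKS = {1: check_process_create, 7: check_image_load, 11: check_file_create}


def hunt(jsonl):
    """Apply the per-event-type checks to a JSON-lines export and return findings."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        evt = json.loads(line)
        check = CHECKS.get(evt.get("EventID"))
        reason = check(evt) if check else None
        if reason:
            findings.append({"event_id": evt["EventID"], "image": evt.get("Image"), "reason": reason})
    return findings


if __name__ == "__main__":
    for f in hunt(CHAIN_EVENTS):
        print(f"EID {f['event_id']}: {f['reason']}")
```

Each check is deliberately generic rather than keyed to the names in this campaign: a renamed signed binary in a user-writable path, an unsigned DLL loaded from beside it, and a new Startup shortcut are the T1218-style proxy-execution and persistence behaviours themselves, so the rules keep working when the next campaign picks a different file name. In production these findings would be correlated on Sysmon's ProcessGuid so that the renamed binary and the DLL it loads are reported as one incident.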
SISA’s response to the MineBridge malware concerns
MineBridge was first identified a year ago in phishing campaigns that used fraudulent job applications.
This is not the first instance when the Finger utility has been leveraged to deliver malicious payloads to a victim’s device. In September 2020, it was discovered that the Finger command could be used to bypass security controls in order to download malware remotely without triggering antivirus alerts.
Since the Finger command is rarely used, it is recommended that system administrators block the command to prevent computers from being infected with the MineBridge malware.
As employees continue to work remotely, there is a growing threat posed by phishing campaigns, and hence it is even more important for companies to deploy endpoint security controls.
Here are some recommendations made by the advisory team at SISA to help you counter the MineBridge malware:
- Keep macros disabled in your Microsoft Office applications unless your business needs require them.
- Never open suspicious emails or attachments.
- Immediately delete any email from an unknown sender that contains suspicious content. Spam email is the main method through which macro malware spreads.