At a glance.
- Spearphishing against Japanese political entities.
- Trojanized Windows 10 installers target Ukraine.
- XLL files abused to deliver malware.
Spearphishing against Japanese political entities.
ESET describes a spearphishing campaign that targeted Japanese political entities ahead of the Japanese House of Councillors election in July 2022. The threat actor, tracked by ESET as "MirrorFace," was conducting espionage against a specific political party:
"Purporting to be a Japanese political party’s PR department, MirrorFace asked the recipients to distribute the attached videos on their own social media profiles (SNS – Social Network Service) to further strengthen the party’s PR and to secure victory in the House of Councillors. Furthermore, the email provides clear instructions on the videos’ publication strategy. Since the House of Councillors election was held on July 10th, 2022, this email clearly indicates that MirrorFace sought the opportunity to attack political entities. Also, specific content in the email indicates that members of a particular political party were targeted."
ESET doesn't specify which political party is being targeted, but given that they're calling the campaign "LiberalFace," it would seem likely that the effort is directed at the Liberal Democrats. While other researchers have seen some signs of connections with APT10, ESET is quite clear in saying that it's been unable to come up with any more specific attribution. "MirrorFace is a Chinese-speaking threat actor targeting companies and organizations based in Japan. While there is some speculation that this threat actor might be related to APT10 (Macnica, Kaspersky), ESET is unable to attribute it to any known APT group."
Trojanized Windows 10 installers target Ukraine.
Mandiant has observed a campaign targeting Ukrainian government organizations with Trojanized Windows 10 operating system installers distributed via torrent sites:
"We believe that the operation was intended to target Ukrainian entities, due to the language pack used and the website used to distribute it. The use of trojanized ISOs is novel in espionage operations, and the included anti-detection capabilities indicate that the actors behind this activity are security conscious and patient, as the operation would have required significant time and resources to develop and wait for the ISO to be installed on a network of interest. Mandiant has not uncovered links to previously tracked activity, but believes the actor behind this operation has a mandate to steal information from the Ukrainian government."
While the researchers don't attribute the campaign to a particular threat actor, they note that the operation's targets "overlap with organizations targeted by GRU related clusters with wipers at the outset of the war."
XLL files abused to deliver malware.
Researchers at Cisco Talos have published a report looking at the ways in which attackers are using alternative methods to execute malicious code via Office documents, as Microsoft phases out support for VBA macros. Threat actors have recently started introducing malicious code to documents using Office add-ins, which are “pieces of executable code, in various formats and capabilities, that can be added to Office applications in order to enhance the application’s appearance or functionality.” XLL files specifically are useful for executing malicious code via an Excel document:
“If the user attempts to open a file with the filename extension .XLL in Windows Explorer, the shell will automatically attempt to launch Excel to open the .XLL file. This is because .XLL is the default filename extension for a specific class of Excel add-ins.
“Before an XLL file is loaded, Excel displays a warning about the possibility of malicious code being included. This is a similar approach to the message about potentially dangerous code which is displayed after an Office document containing VBA macro code is opened. Unfortunately, this protection technique is often ineffective as a protection against the malicious code, as many users tend to disregard the warning.”
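Because the Excel warning is the only thing standing between a user and a native add-in, defenders usually want a second check upstream (mail gateway, file share scanner, EDR triage) that does not depend on the user's choice. The script below is an added example, not code from the Talos report: it treats an .XLL as what it is, a Windows PE DLL, parses the export table without any third-party library, and flags files that export the entry points Excel's add-in SDK defines (xlAutoOpen, xlAutoClose and friends, listed in XLL_EXPORTS). The `build_test_dll` helper constructs a minimal synthetic PE image purely as sample input; it is not a real add-in and contains no executable code.

```python
import struct
from typing import List

# Entry points documented in the Excel add-in (XLL) SDK. A file exporting any
# of these is a native Excel add-in no matter what its extension says.
XLL_EXPORTS = {"xlAutoOpen", "xlAutoClose", "xlAutoRegister12",
               "xlAddInManagerInfo12", "xlAutoAdd", "xlAutoRemove", "xlAutoFree12"}


def _u16(b: bytes, o: int) -> int:
    return struct.unpack_from("<H", b, o)[0]


def _u32(b: bytes, o: int) -> int:
    return struct.unpack_from("<I", b, o)[0]


def is_pe(data: bytes) -> bool:
    """True if the bytes carry a DOS 'MZ' stub pointing at a 'PE\\0\\0' header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = _u32(data, 0x3C)
    return len(data) >= e_lfanew + 4 and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def _sections(data: bytes, pe_off: int):
    """Return (VirtualAddress, size, PointerToRawData) for every section."""
    nsec = _u16(data, pe_off + 6)              # COFF NumberOfSections
    opt_size = _u16(data, pe_off + 20)         # COFF SizeOfOptionalHeader
    sec_off = pe_off + 24 + opt_size           # first IMAGE_SECTION_HEADER
    secs = []
    for i in range(nsec):
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, sec_off + 40 * i + 8)
        secs.append((vaddr, max(vsize, rawsize), rawptr))
    return secs


def _rva_to_off(rva: int, secs) -> int:
    for vaddr, size, rawptr in secs:
        if vaddr <= rva < vaddr + size:
            return rawptr + (rva - vaddr)
    raise ValueError("RVA 0x%x lies outside every section" % rva)


def _cstr(data: bytes, off: int) -> str:
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def pe_export_names(data: bytes) -> List[str]:
    """Names in the export directory of a PE32/PE32+ image ([] if none)."""
    if not is_pe(data):
        return []
    pe_off = _u32(data, 0x3C)
    opt = pe_off + 24
    magic = _u16(data, opt)
    dd_off = opt + (96 if magic == 0x10B else 112)   # data directories: PE32 vs PE32+
    exp_rva, _exp_size = struct.unpack_from("<II", data, dd_off)
    if exp_rva == 0:
        return []
    secs = _sections(data, pe_off)
    exp = _rva_to_off(exp_rva, secs)
    n_names = _u32(data, exp + 24)                   # NumberOfNames
    names_off = _rva_to_off(_u32(data, exp + 32), secs)   # AddressOfNames
    return [_cstr(data, _rva_to_off(_u32(data, names_off + 4 * i), secs))
            for i in range(n_names)]


def classify_attachment(filename: str, data: bytes) -> str:
    """Triage label: 'excel-addin', 'native-executable' or 'not-executable'."""
    if set(pe_export_names(data)) & XLL_EXPORTS:
        return "excel-addin"
    if is_pe(data):
        return "native-executable"
    return "not-executable"


def build_test_dll(export_names: List[str], dll_name: str = "sample.xll") -> bytes:
    """Constructed sample: a minimal PE32 image whose only content is an export table."""
    sec_va, sec_raw, n = 0x1000, 0x200, len(export_names)
    funcs_rva = sec_va + 40
    names_rva = funcs_rva + 4 * n
    ords_rva = names_rva + 4 * n
    str_rva = ords_rva + 2 * n
    strings = dll_name.encode() + b"\0"
    name_rvas = []
    for nm in export_names:
        name_rvas.append(str_rva + len(strings))
        strings += nm.encode() + b"\0"
    body = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, str_rva, 1, n, n, funcs_rva, names_rva, ords_rva)
    body += b"".join(struct.pack("<I", 0x2000 + 0x10 * i) for i in range(n))  # dummy code RVAs
    body += b"".join(struct.pack("<I", r) for r in name_rvas)
    body += b"".join(struct.pack("<H", i) for i in range(n))
    body += strings
    sec_size = (len(body) + 0x1FF) & ~0x1FF
    body = body.ljust(sec_size, b"\0")
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                   # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)  # i386 DLL
    opt = struct.pack("<H", 0x10B) + b"\0" * 94                         # PE32, rest zeroed
    opt += struct.pack("<II", sec_va, len(body)) + b"\0" * (8 * 15)     # export dir + 15 empty
    sec = b".edata\0\0" + struct.pack("<IIIIIIHHI", len(body), sec_va, sec_size, sec_raw, 0, 0, 0, 0, 0x40000040)
    return (dos + coff + opt + sec).ljust(sec_raw, b"\0") + body


if __name__ == "__main__":
    samples = {
        "budget.xll": build_test_dll(["xlAutoOpen", "xlAutoClose"]),
        "tool.xll": build_test_dll(["Compute"]),
        "notes.txt": b"just text",
    }
    for name, blob in samples.items():
        print(f"{name:12s} -> {classify_attachment(name, blob)}  exports={pe_export_names(blob)}")
```

The classifier keys on content rather than the filename, so a renamed add-in or a DLL shipped under a document-like extension is caught the same way; an .xll extension on something that is not a PE at all is also worth a look, since Excel would refuse to load it and its only purpose would be to exercise the file association.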
Cisco Talos has observed several high-profile threat actors using XLLs to deliver malware, including the Chinese state-sponsored actor APT10 and the financially motivated gang FIN7. The researchers conclude:
“Even though XLL add-ins have existed for some time, we were not able to detect their usage by malicious actors until mid-2017, when some APT groups started using them to implement a fully functional backdoor. We also identified that their usage significantly increased over the last two years as more commodity malware families adopted XLLs as their infection vector.
“As more and more users adopt new versions of Microsoft Office, it is likely that threat actors will turn away from VBA-based malicious documents to other formats such as XLLs or rely on exploiting newly discovered vulnerabilities to launch malicious code in the process space of Office applications.”