U.S. Places $5 million Bounty On ‘Evil Corp’ For Weaponizing Microsoft Excel To Spread Malware Payload
Evil Corp may well be best known to millions of viewers of the Mr. Robot TV drama as the multi-national corporation that Elliot and FSociety hack.
However, back in the real world, Evil Corp not only exists but is weaponizing Microsoft Excel to spread a malware payload.
Researchers from Microsoft Security Intelligence have this week taken to Twitter to warn users to be alert to the ongoing campaign being run by Evil Corp, also known as TA505. Like most successful cybercriminals, Evil Corp is constantly evolving in terms of techniques and tools. The latest twist in this felonious tale involves Microsoft Excel as a payload delivery vehicle.
Who or what is Evil Corp?
Evil Corp, or TA505, is a Russia-based hacking group that has been credited with being the mastermind behind a $100 million (£76 million) global bank fraud. Two alleged members of Evil Corp were charged by U.S. prosecutors with bank fraud in December 2019, although both remain at large.
One of them, Moscow-based Maksim Yakubets, is thought to be the Evil Corp leader and currently carries a $5 million (£3.8 million) bounty issued by the U.S. Justice Department.
Meanwhile, the U.S. Department of the Treasury has stated that Yakubets is believed to provide “direct assistance to the Russian government’s malicious cyber efforts.”
Thought to have been active since at least 2014, Evil Corp shows little sign of reigning back on the cybercrime activities it is renowned for: the distribution of banking Trojans and ransomware malware. New research from cyber-intelligence outfit Prevailon suggests that TA505 has compromised more than 1,000 organizations. Organizations that include two U.S. state government networks, two U.S. airlines and one of the world’s top 25 banks.
What is the Excel alert that Microsoft Security Intelligence researchers have tweeted?
In something of a tweetstorm on January 30, the Microsoft Security Intelligence team alerted users to a new and active malware campaign from the Evil Corp actors. After what the Microsoft researchers referred to as “a short hiatus” by Evil Corp, they warned that a new “Dudear” phishing campaign was up and running, still deploying an information-stealing Trojan known as GraceWire but doing so using tweaked tactics.
The use of HTML redirectors, to avoid having to use malicious links in emails or infected attachments, means that the threat actors can directly download a malicious Excel file on the victim to drop the Trojan payload. Not that there is no interaction from the user required, of course. The victim still needs to open the Excel file that is automatically downloaded, and they will still have to enable editing and enable content in order to be infected.
How can you mitigate against the Evil Corp Excel threat?
Microsoft is proving to be more than just reactive to malware threats, adopting a proactive position as far as these kinds of phishing campaigns are concerned. When the Microsoft Digital Crimes Unit and the Microsoft Threat Intelligence Center discovered an advanced persistent threat (APT) hacking group, thought to be operating out of North Korea, using carefully constructed fake domains to spoof victims into thinking they were dealing with Microsoft, a powerful legal counterpunch soon closed them down.
As far as this latest Evil Corp campaign is concerned, however, the biggest mitigation clue has already been given in my last paragraph: don’t enable editing of that Excel file you didn’t ask for, and certainly don’t enable content. Microsoft Security Intelligence has confirmed that Microsoft Threat Protection will stop this latest attack threat, Office 365 also detects malicious attachments and URLs used in such phishing emails. Finally, Microsoft Defender ATP will detect and block the Evil Corp threat trinity of malicious HTML, Excel file and payload.