Possible Detection for MirrorBlast

Quick Post. I was looking at several samples of MirrorBlast and have noticed that while MsiExec is not a child process of Excel, it is still being called through loaded DLLs. Some EDR products should b able to look for this behavior.

Process Path containing Excel.exe with image/module dll load of msimsg.dll might prove to be an interesting way to detect this per my twitter post.

There are of course other DLLs such as msi.dll and msimtf.dll (and others), however the msimsg.dll is the first one that appears to be an anomoly baselines I've run.

Small List of samples with this behavior:

UPDATE: 10/16/2021
Interesting Anti-Sandbox FUD post on Twitter: Initial Detection Opportunity in EDR.

Sandbox Links:
https://app.any.run/tasks/a0a7b338-d362-47ab-a0ee-60feefa910a4/ Of particular interest on these samples is Excel (or most office products and even \users\ processes) touching RegKey Path

In my baselining, this seems to be odd behavior for various process paths, including Excel, WinWord, \users\ and more. This could be an intersting indicator for catching something early. I do not have any false positives to share at this time.

Process Path contains \office or \users\ AND Registry Key Path contains ACTIVECOMPUTERNAME should be a decent generic enough rule to look for this behavior.

If anyone notices any other interesting things to key in on, let me know. Happy Hunting!