Pierluigi Paganini June 12, 2020

Russia-linked Gamaredon APT use a new module for Microsoft Outlook that creates custom emails with malicious documents and sends them to a victim’s contacts.

Reseaerchers from ESET reported that Russia-linked Gamaredon APT has a new tool in its arsenal, it is a module for Microsoft Outlook that creates custom emails with malicious documents and sends them to a victim’s contacts

The group was first discovered by Symantec and TrendMicro in 2015 but evidence of its activities has been dated back to 2013. The group targeted government and military organizations in Ukraine. In December 2019, the APT group targeted several Ukrainian diplomats, government and military officials, and law enforcement.

The attackers first disable protections for running macro scripts in Outlook then deploy the code to send phishing messages to the victim’s contacts.

The package contains a Visual Basic for Applications (VBA) project (.OTM file) that was specifically designed to target Microsoft Outlook email client with malicious macro scripts.

“ESET researchers have discovered several previously undocumented post-compromise tools used by the highly active Gamaredon threat group in various malicious campaigns.” read the post published by ESET. “One tool, a VBA macro targeting Microsoft Outlook, uses the target’s email account to send spearphishing emails to contacts in the victim’s Microsoft Office address book.”

The VBScript first kills the Outlook process if it is running to remove security measures implemented for the VBA macro execution in Outlook, this is done by changing registry values. The script also saves to disk the malicious OTM file (Outlook VBA project) that contains a macro, the malicious email attachment and, in some cases, a list of contacts that will be targeted with phishing messages.

Then, it relaunches Outlook with a special option, /altvba <OTM filename>, to load the Gamaredon VBA project. Experts noticed that the new module was used to send malicious emails to:

• Everyone in the victim’s address book
• Everyone within the same organization
• A predefined list of targets

This is the first time researchers publicly document an attack employing an OTM file and Outlook macro to carry out spear-phishing campaigns.

The VBA code builds the email body and attaches the malicious document to the email in both .docx and .lnk formats. 

ESET also analyzed different variants for CodeBuilder that are used to inject malicious macros or remote templates in documents available on the compromised host.

This method is efficient because documents are often shared within the organization and it also achieves persistence since the files are likely to be opened multiple times.

“These macro injection modules also have the functionality to tamper with the Microsoft Office macro security settings. Thus, affected users have no idea that they are again compromising their workstations whenever they open the documents.” continues ESET. “We have seen this module implemented in two different languages: C# and VBScript”

The arsenal of the group includes also multiple malware, most of them downloaders and backdoors.

Additional details are included in the analysis published by ESET.

Pierluigi Paganini

(SecurityAffairs – Gamaredon, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]