Gamaredon group uses a new Outlook tool to spread malware

Russia-linked Gamaredon APT uses a new module for Microsoft Outlook that creates custom emails with malicious documents and sends them to a victim’s contacts.

Researchers from ESET reported that the Russia-linked Gamaredon APT has a new tool in its arsenal: a module for Microsoft Outlook that creates custom emails with malicious documents and sends them to the victim’s contacts.

The group was first discovered by Symantec and TrendMicro in 2015 but evidence of its activities has been dated back to 2013. The group targeted government and military organizations in Ukraine. In December 2019, the APT group targeted several Ukrainian diplomats, government and military officials, and law enforcement.

The attackers first disable protections for running macro scripts in Outlook then deploy the code to send phishing messages to the victim’s contacts.

The package contains a Visual Basic for Applications (VBA) project (.OTM file) specifically designed to target the Microsoft Outlook email client with malicious macro scripts.

“ESET researchers have discovered several previously undocumented post-compromise tools used by the highly active Gamaredon threat group in various malicious campaigns,” reads the post published by ESET. “One tool, a VBA macro targeting Microsoft Outlook, uses the target’s email account to send spearphishing emails to contacts in the victim’s Microsoft Office address book.”

The VBScript first kills the Outlook process if it is running, then removes the security measures that restrict VBA macro execution in Outlook by changing registry values. The script also saves to disk the malicious OTM file (Outlook VBA project) containing the macro, the malicious email attachment and, in some cases, a list of contacts to be targeted with phishing messages.

Then it relaunches Outlook with a special command-line option, /altvba <OTM filename>, to load the Gamaredon VBA project. Experts noticed that the new module was used to send malicious emails to:

  • Everyone in the victim’s address book
  • Everyone within the same organization
  • A predefined list of targets
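The chain described above (a script host killing Outlook, tampering with Outlook's macro security registry values, then relaunching Outlook with /altvba) leaves a recognisable footprint in process-creation and registry telemetry. The following triage script is an added example written for this article, not code from ESET or from the Gamaredon toolset: it runs three simple detection rules over a handful of constructed Sysmon-style log lines. The log format, the registry path under Outlook\Security and the file paths in the sample are assumptions made for the example; the page itself only states that registry values are changed and that Outlook is relaunched with /altvba.

```python
"""Triage constructed endpoint telemetry for the Outlook /altvba abuse chain.

Example code for this article; the log lines below are constructed, not real
telemetry. Each line is 'field=value' pairs separated by '|', with event types
loosely modelled on Sysmon (ProcessCreate, RegistryValueSet).
"""
import re
from typing import Dict, List

# Constructed sample: a script host kills Outlook, lowers Outlook macro security
# in the registry, then relaunches Outlook with an attacker-supplied VBA project.
# The last line is a normal Outlook launch from Explorer and should not fire.
SAMPLE_EVENTS: List[str] = [
    "type=ProcessCreate|image=C:\\Windows\\System32\\taskkill.exe"
    "|parent=C:\\Windows\\System32\\wscript.exe|cmd=taskkill /F /IM outlook.exe",
    "type=RegistryValueSet|image=C:\\Windows\\System32\\wscript.exe"
    "|path=HKU\\S-1-5-21-1\\Software\\Microsoft\\Office\\16.0\\Outlook\\Security\\Level"
    "|data=DWORD (0x00000001)",  # value name/path assumed for the example
    "type=ProcessCreate|image=C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"
    "|parent=C:\\Windows\\System32\\wscript.exe"
    "|cmd=\"OUTLOOK.EXE\" /altvba C:\\Users\\user\\AppData\\Roaming\\project.otm",
    "type=ProcessCreate|image=C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"
    "|parent=C:\\Windows\\explorer.exe|cmd=\"OUTLOOK.EXE\"",
]

# Interpreters an attacker's dropper script would typically run under.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe")

# The three rules that together describe the chain; names are arbitrary.
RULE_KILL = "outlook_killed_by_script_host"
RULE_REG = "outlook_macro_security_changed_by_script_host"
RULE_ALTVBA = "outlook_altvba_launch"


def parse_event(line: str) -> Dict[str, str]:
    """Split 'k=v|k=v' into a dict; split each pair on the first '=' only,
    because command lines may themselves contain '='."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per matching rule, in input order."""
    findings: List[Dict[str, object]] = []
    for idx, line in enumerate(lines):
        ev = parse_event(line)
        etype = ev.get("type", "")
        image = basename(ev.get("image", ""))
        parent = basename(ev.get("parent", ""))
        cmd = ev.get("cmd", "").lower()
        reg_path = ev.get("path", "").lower()

        # Rule 1: taskkill against outlook.exe spawned by a script host.
        if (etype == "ProcessCreate" and image == "taskkill.exe"
                and "outlook.exe" in cmd and parent in SCRIPT_HOSTS):
            findings.append({"line": idx, "rule": RULE_KILL, "severity": "medium"})

        # Rule 2: a script host writing under Outlook's Security registry key.
        if (etype == "RegistryValueSet" and "\\outlook\\security\\" in reg_path
                and image in SCRIPT_HOSTS):
            findings.append({"line": idx, "rule": RULE_REG, "severity": "medium"})

        # Rule 3: Outlook launched with /altvba, which loads an arbitrary VBA
        # project. Legitimate use is rare enough to alert on unconditionally.
        if (etype == "ProcessCreate" and image == "outlook.exe"
                and re.search(r"(^|\s)/altvba\b", cmd)):
            findings.append({"line": idx, "rule": RULE_ALTVBA, "severity": "high"})
    return findings


def chain_complete(findings: List[Dict[str, object]]) -> bool:
    """True when all three stages of the chain were observed."""
    seen = {f["rule"] for f in findings}
    return {RULE_KILL, RULE_REG, RULE_ALTVBA} <= seen


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for f in found:
        print(f"line {f['line']}: {f['rule']} ({f['severity']})")
    print("full chain observed:", chain_complete(found))
```

Rule 3 on its own is the cheapest signal to deploy: Outlook's /altvba switch is documented Outlook behaviour, but almost never appears in a normal user's process history, so any hit is worth a look. Rules 1 and 2 add context that turns a single alert into the full sequence the article describes.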

This is the first time researchers have publicly documented an attack employing an OTM file and an Outlook macro to carry out spear-phishing campaigns.

The VBA code builds the email body and attaches the malicious document to the email in both .docx and .lnk formats. 

ESET also analyzed different variants of CodeBuilder, a module used to inject malicious macros or remote templates into documents available on the compromised host.

This method is effective because documents are often shared within the organization, and it also achieves persistence since the files are likely to be opened multiple times.

“These macro injection modules also have the functionality to tamper with the Microsoft Office macro security settings. Thus, affected users have no idea that they are again compromising their workstations whenever they open the documents,” continues ESET. “We have seen this module implemented in two different languages: C# and VBScript.”
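Because CodeBuilder's output is an ordinary Office document that has been given either an embedded macro project or a remote template reference, the documents themselves can be checked for those two properties. The scanner below is an added example written for this article (not ESET's tooling and not part of the Gamaredon module): it builds a minimal .docx package in memory, then inspects it for a word/vbaProject.bin part and for an attachedTemplate relationship whose target is external. The sample template URL is a constructed placeholder.

```python
"""Flag Word documents carrying an embedded VBA project or a remote template.

Example code for this article. The .docx built here is a minimal package
constructed in memory with only the parts the scanner reads; it is not a
real document from any campaign.
"""
import io
import xml.etree.ElementTree as ET
import zipfile
from typing import Dict, List, Optional

# Namespaces and relationship type from the Office Open XML packaging spec.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
SETTINGS_RELS = "word/_rels/settings.xml.rels"
VBA_PART = "word/vbaProject.bin"


def build_sample_docx(template_target: Optional[str] = None,
                      with_vba: bool = False) -> bytes:
    """Construct a minimal document package (sample data for the example).

    template_target: if given, added as an *external* attachedTemplate
    relationship, which is how a remote template reference is expressed.
    with_vba: if True, add a stand-in vbaProject.bin part (not a real
    VBA project, just enough for the scanner to see the part name).
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        z.writestr("word/document.xml",
                   "<w:document xmlns:w='http://schemas.openxmlformats.org/wordprocessingml/2006/main'/>")
        rels: List[str] = []
        if template_target:
            rels.append(f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                        f'Target="{template_target}" TargetMode="External"/>')
        z.writestr(SETTINGS_RELS,
                   f'<Relationships xmlns="{REL_NS}">' + "".join(rels) + "</Relationships>")
        if with_vba:
            z.writestr(VBA_PART, b"\xd0\xcf\x11\xe0 constructed placeholder")
    return buf.getvalue()


def scan_docx(data: bytes) -> Dict[str, object]:
    """Inspect a .docx/.docm package for macro and remote-template indicators."""
    result: Dict[str, object] = {"has_vba_project": False, "external_templates": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        # A VBA project part means the document carries macros, whatever its extension.
        result["has_vba_project"] = VBA_PART in names
        # Remote templates live in the settings relationships, not in document.xml.
        if SETTINGS_RELS in names:
            root = ET.fromstring(z.read(SETTINGS_RELS))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if (rel.get("Type") == ATTACHED_TEMPLATE
                        and rel.get("TargetMode") == "External"):
                    result["external_templates"].append(rel.get("Target"))
    result["suspicious"] = bool(result["has_vba_project"]) or bool(result["external_templates"])
    return result


if __name__ == "__main__":
    tampered = build_sample_docx("http://203.0.113.5/template.dotm", with_vba=True)
    clean = build_sample_docx()
    print("tampered:", scan_docx(tampered))
    print("clean:   ", scan_docx(clean))
```

Only relationships marked TargetMode="External" are reported, so a document attached to a local template such as Normal.dotm is not flagged. Running this over a file share is a reasonable way to find documents that were re-armed in place, which is exactly the persistence trick the ESET quote describes.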

The group's arsenal also includes multiple malware families, most of them downloaders and backdoors.

Additional details are included in the analysis published by ESET.


Pierluigi Paganini

(SecurityAffairs – Gamaredon, malware)
