Notorious hacking group Gamaredon is currently using a variety of new post-compromise attack tools to target Microsoft Outlook and Office and to inject malicious macros and remote templates into existing Office documents.
Gamaredon is a Russia-backed advanced persistent threat (APT) group that has been active since 2013. Gamaredon has targeted many Ukrainian organisations in recent years. Security experts believe this group operates as a proxy for pro-Russian groups with a responsibility to launch attacks such as intelligence gathering on Ukrainian military forces.
The tools being used by Gamaredon are very simple, which attempt to steal sensitive data from machines, while spreading deeper in the network.
According to researchers, the Gamaredon group uses a package that includes a custom Microsoft Outlook Visual Basic for Applications (VBA) project.
“This bundle of malicious code starts out with a VBScript that first kills the Outlook process if it is running, and then removes security around VBA macro execution in Outlook by changing registry values” the ESET researchers state in their report.
“It also saves to disk the malicious OTM file (Outlook VBA project) that contains a macro, the malicious email attachment and, in some cases, a list of recipients that the emails should be sent to.”
After infecting the Outlook, hackers use the email account to send malicious email to:
(1) all contacts in the victim’s address book
(2) everyone within the same organisation
(3) A predefined list of targets.
While hacking groups frequently use compromised email accounts to send malicious emails without the user’s consent, researchers believe this is likely the documented case of hackers using an Outlook macro and OTM file to send malicious emails to potential targets.
Researchers also discovered several new modules being used by Gamaredon members to inject malicious templates or macros into documents present on the compromised machines.
This technique enables hackers to move laterally within a compromised network as employees routinely share documents with their colleagues, according to researchers.