Gamaredon – Malware Through Outlook Macros


Saturday, June 13th, 2020

First appearing on the cyber security scene in 2013, the Russia-linked hacker group Gamaredon has created a new malware-spreading module that utilizes Microsoft Outlook. The purpose of this module is to create custom emails that contain malicious documents and send them to the victim’s contacts; Gamaredon achieves this with a Visual Basic for Applications (VBA) project that targets the Microsoft Outlook email client with malicious macro scripts.

The group is also able to disable Outlook’s built-in protections against running macro scripts and to plant the source file for spear-phishing attacks that spread malware to further victims. While compromising an email account to spread malware to its contacts is not a novel idea, research analysts at the cyber-security company ESET believe that the method being utilized by Gamaredon has not been documented publicly before.


According to multiple sources (see below), the Gamaredon group functions as a proxy for Russian intelligence and pro-Russian groups that have been known to conduct espionage and intelligence-gathering attacks on Ukrainian forces. As of late, Gamaredon has become more liberal in its attacks and has spread beyond simply infiltrating and extracting Ukrainian intelligence, with the group’s experience likely feeding into a “wider understanding of how adversaries respond to its tools, tactics and procedures in order to iterate and improve those for potential use in future conflicts or against other foreign targets (SentinelOne).”


In the analyzed module, the infection chain begins with a VBScript that terminates the Outlook process. Next, the malicious script modifies registry values to remove Outlook’s protection against executing VBA macros and stores a malicious OTM file (the file format Outlook uses for its VBA project) on disk. The purpose of this is to spread infected documents to email addresses in the victim’s contact list.
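The two artefacts that step leaves behind (a weakened Outlook macro-security setting and a dropped VBA project file) are exactly what a defender can look for. The following triage script is an added example written for this post, not code from ESET or from the campaign. It assumes the standard per-user Outlook locations, which are not named on the page: the DWORD value `Level` under `HKCU\Software\Microsoft\Office\<version>\Outlook\Security` (1 = enable all macros, 2 = notify for all macros, 3 = notify for signed macros only, 4 = disable all macros) and the VBA project file `%APPDATA%\Microsoft\Outlook\VbaProject.OTM`. Offline it parses a constructed `.reg` export of that key; on a Windows host, `--live` reads the real registry and checks for the OTM file.

```python
"""Triage helper: flag Outlook macro-security weakening of the kind described above.

Added example, not ESET's code. Registry path, value semantics and OTM location are
assumptions based on Outlook's documented Trust Center settings, not taken from the post.
"""
import os
import re
import sys
from typing import Dict, List, Tuple

# Key line of a .reg export for the per-version Outlook security key; group 1 = Office version.
KEY_RE = re.compile(
    r"^\[HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\(\d+\.\d+)\\Outlook\\Security\]$",
    re.IGNORECASE,
)
# "Level"=dword:00000001 style value line inside that key.
LEVEL_RE = re.compile(r'^"Level"=dword:([0-9a-fA-F]{8})$')

LEVEL_NAMES = {
    1: "enable all macros, no prompt",
    2: "notify for all macros",
    3: "notify for digitally signed macros only",
    4: "disable all macros",
}

# Constructed sample export: one Outlook install left at the weakest setting, one at the strictest.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security]
"Level"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Security]
"Level"=dword:00000004
"""


def parse_reg_export(text: str) -> Dict[str, int]:
    """Return {office_version: Level} for every Outlook\\Security key in a .reg export."""
    levels: Dict[str, int] = {}
    current = None  # version of the key we are currently inside, or None if irrelevant
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = m.group(1) if m else None
            continue
        if current is not None:
            m = LEVEL_RE.match(line)
            if m:
                levels[current] = int(m.group(1), 16)
    return levels


def assess(levels: Dict[str, int], otm_present: bool) -> List[Tuple[str, str]]:
    """Turn the observed settings into (severity, message) findings."""
    findings: List[Tuple[str, str]] = []
    for version, level in sorted(levels.items()):
        name = LEVEL_NAMES.get(level, "unknown value")
        if level == 1:
            findings.append(("HIGH", f"Outlook {version}: Level={level} ({name}); "
                                     "VBA in VbaProject.OTM would run silently"))
        elif level in (2, 3):
            findings.append(("MEDIUM", f"Outlook {version}: Level={level} ({name}); "
                                       "users are prompted, so a click still enables macros"))
        elif level != 4:
            findings.append(("MEDIUM", f"Outlook {version}: Level={level} ({name})"))
    if otm_present:
        findings.append(("REVIEW", "VbaProject.OTM exists; confirm the user authored it "
                                   "(most users have no Outlook VBA project at all)"))
    return findings


def collect_live() -> Tuple[Dict[str, int], bool]:
    """Windows only: read the real Level values and check for the OTM file."""
    import winreg  # only importable on Windows

    levels: Dict[str, int] = {}
    for ver in ("14.0", "15.0", "16.0"):  # Office 2010 / 2013 / 2016-365 hives
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                                rf"Software\Microsoft\Office\{ver}\Outlook\Security") as key:
                levels[ver] = winreg.QueryValueEx(key, "Level")[0]
        except OSError:
            pass  # that Office version is not installed or has no explicit setting
    otm = os.path.join(os.environ.get("APPDATA", ""), "Microsoft", "Outlook", "VbaProject.OTM")
    return levels, os.path.isfile(otm)


if __name__ == "__main__":
    if sys.platform == "win32" and "--live" in sys.argv:
        observed, otm_found = collect_live()
    else:
        observed, otm_found = parse_reg_export(SAMPLE_EXPORT), True
    for severity, message in assess(observed, otm_found):
        print(f"[{severity}] {message}")
```

Run without arguments it evaluates the embedded sample and reports one HIGH finding for the 16.0 hive plus a REVIEW note for the OTM file; on a managed Windows fleet the same two checks can be fed from an endpoint agent's registry and file inventory instead of a `.reg` export.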

ESET has observed that the threat actor may spear-phish all contacts in the victim’s address book, everyone within the same organization, or a predefined list of email addresses.

The VBA code itself is responsible for generating the malicious email, complete with body text and the malware files. This method of distribution tends to be highly efficient, as documents are often shared within an organization, and persistence can be achieved since the malicious files are likely to be opened multiple times.


ESET researchers have noted that downloaders (files that can fetch and execute malware from command and control servers) and backdoors (allow unwanted and malicious access to a system or network) are the most prevalent types of malware that are likely to be spread in this way.

There are some actions a network administrator or SOC team can take to prevent this sort of attack, such as utilizing machine-learning technologies to stop advanced threats such as macro-enabled documents and malicious binaries. Implementing and maintaining a robust employee training program that focuses on typical phishing attacks and their modus operandi can go a long way towards preventing multiple types of social engineering and phishing attacks.

As always, every user should be aware of the dangers surrounding clicking on, following, or downloading any suspicious links they receive from an unknown user.

For a complete list of IOCs regarding this new malware campaign from the Gamaredon group, please see the attached PDF, “Gamaredon IOCs.”

Sources:

Attachments
