ESET researchers say Gamaredon group targets Microsoft Office and Outlook
ESET researchers have discovered new tools used by the Gamaredon group in its latest malicious campaigns. The first tool targets Microsoft Outlook and uses a custom Microsoft Outlook Visual Basic for Applications (VBA) project, which allows the attackers to use a victim’s email account to send phishing emails to the contacts in that victim’s address book. Using Outlook macros to spread malware is a method rarely seen by researchers. The second tool is used by this very active group to inject macros and references to remote templates into Word and Excel documents. Both tools are designed to help the Gamaredon group spread further inside networks it has already compromised.
“In the past few months, we’ve seen an increase in activity for this group, with constant waves of malicious email hitting their target’s mailboxes. Attachments to these emails are documents containing malicious macros which, when executed, attempt to download a multitude of different types of malware,” said Jean-Ian Boutin, Head of Threat Research at ESET.
The latest versions of these tools inject malicious macros or references to remote templates into existing documents on the attacked system, which is a very effective way to move around a company network, because colleagues regularly share documents. Because the tools also change the macro security settings of Microsoft Office, affected users are completely unaware that they are compromising their workstation again each time they open one of these documents.
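Defenders can triage shared documents for exactly the two traits described above: an external attached-template relationship and an embedded VBA project. The following is an added example, not code from ESET or from the report, that inspects an Office Open XML package for both; the sample packages and the template URL it uses are constructed for the demonstration.

```python
import io
import re
import zipfile

# Relationship type Word uses to point a document at its attached template (OOXML URI)
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
REL_RE = re.compile(r"<Relationship\b([^>]*)/?>", re.I)   # one <Relationship .../> element
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')                   # its name="value" attributes


def find_remote_templates(data: bytes) -> list:
    """Return the external attachedTemplate targets found in any .rels part."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".rels"):
                continue
            xml = zf.read(name).decode("utf-8", "replace")
            for m in REL_RE.finditer(xml):
                attrs = dict(ATTR_RE.findall(m.group(1)))
                # Only external relationships fetch content from outside the file
                if attrs.get("Type") == ATTACHED_TEMPLATE and attrs.get("TargetMode") == "External":
                    hits.append(attrs.get("Target", ""))
    return hits


def has_vba_project(data: bytes) -> bool:
    """True if the package carries a vbaProject.bin part, i.e. embedded macros."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())


def build_sample(template_target=None, with_macro=False) -> bytes:
    """Constructed minimal package for testing; not a complete Word file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        rels = '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        if template_target:
            rels += (f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                     f'Target="{template_target}" TargetMode="External"/>')
        rels += "</Relationships>"
        zf.writestr("word/_rels/settings.xml.rels", rels)
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00")   # placeholder macro storage
    return buf.getvalue()


if __name__ == "__main__":
    doc = build_sample("http://template.example.invalid/t.dotm", with_macro=True)  # constructed
    print("remote templates:", find_remote_templates(doc), "| macros:", has_vba_project(doc))
```

A clean document yields an empty list and `False`; run the two checks over a shared folder and flag any document where either result is non-empty or `True`.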
The group uses backdoors and file analyzers to identify and collect sensitive documents on a compromised system and upload them to a command and control server. These file analyzers can also execute arbitrary code received from the command and control server.
There is a major distinction between Gamaredon and other groups: these attackers make little or no effort to evade detection. Even though their tools are capable of using stealth techniques, the group’s main objective appears to be to spread as deeply and as quickly as possible within its targets’ networks and exfiltrate data from them.
“While hijacking a compromised mailbox to send malicious emails without the victim’s consent is nothing new, we believe this is the first publicly documented case of a group of hackers using an OTM file and an Outlook macro to achieve this,” adds Boutin about ESET’s discovery. “We were able to collect numerous samples of different scripts, executables and malicious documents used by the Gamaredon group throughout its campaigns.”
Typical infection chain for a Gamaredon campaign
The Gamaredon group has been active since at least 2013. It has been responsible for a number of attacks, mainly against Ukrainian institutions.
The tools analyzed in this study are detected by ESET products as variants of MSIL/Pterodo, Win32/Pterodo or Win64/Pterodo.
For more technical details on Gamaredon’s latest tools, read the full article “The Gamaredon group continues to grow” on the WeLiveSecurity.com blog.