Gamaredon grows by targeting Microsoft Outlook and Office
ESET, an antivirus company has discovered that Gameradon has been growing fast by developing new tools that target Microsoft Office and Outlook.
Gameradon is an advanced persistent threat (APT) group, active since 2013 that mostly targets Ukrainian institutions. New tools have been attributed to the API, developing a module for Microsoft Outlook that creates mails and sends it to the victims or sends the mails from the victims’ accounts to their contacts.
These emails contain malicious documents with macros and malware links. The hacker group runs macro scripts in Outlook by disabling protections and plants source files for spearfishing and rapidly spreading the malware to other systems.
Gameradon uses a new method to target Outlook
Gameradon has been using an unusual way of attacking Outlook by a new package that contains Visual Basic for Applications (VBA) project (.OTM file) to target emails with macro scripts.
“While abusing a compromised mailbox to send malicious emails without the victim’s consent is not a new technique, we believe this is the first publicly documented case of an attack group using an OTM file and Outlook macro to achieve it,” says researchers at ESET.
The process of attack starts from disabling the Outlook process with a VBScript. Then this script removes further security that would restrict executing VBA macros in Outlook. The macro script stores the OTM file on the disk that spreads the malicious emails to the contact list.
“These macro injection modules also have the functionality to tamper with the Microsoft Office macro security settings. Thus, affected users have no idea that they are again compromising their workstations whenever they open the documents. We have seen this module implemented in two different languages: C# and VBScript” – ESET
Since the Outlook runs one VBA project at a time, the threat actors use the OTM file containing the VBA script in the email attachment. This VBA code can create emails fully efficient with a body, text, and the document containing malware.
Gamaredon’s scripts, the researchers found relies and focus more on the speed of infection and development than quality as evident by mistakes found in source code and language.
