The Gamaredon threat group has given its post-compromise toolset a facelift with the addition of a new Visual Basic for Applications (VBA) macro. The VBA macro leverages compromised victims’ Microsoft Outlook email accounts to send spear-phishing emails to their contacts – rapidly widening the potential attack surface.
Researchers say that while abusing a compromised mailbox to send malicious emails is not a new technique, this is the first publicly documented case of an attack group using both an Outlook macro and an OTM file to do so. An OTM file stores macros written for Microsoft Outlook.
“In the last few months, there has been an increase in activity from this group, with constant waves of malicious emails hitting their targets’ mailboxes,” according to Jean-Ian Boutin, senior malware researcher with ESET, in a Thursday analysis. “The attachments to these emails are documents with malicious macros that, when executed, try to download a multitude of different malware variants.”
After the victim is initially compromised (typically via a spear-phishing email with a malicious attachment), malicious code is first delivered in a 7z self-extracting archive. 7z files are compressed archives created with the open-source 7-Zip software. The code runs a VBScript that first kills the victim’s Outlook process (if it is running), and then removes the security protections around VBA macro execution in Outlook by changing registry values.
It then saves a malicious OTM file (used to store Outlook VBA projects) to the disk. The OTM file contains a macro, the malicious email attachment and, in some cases, a list of recipients that the emails should be sent to.
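The sequence just described (Outlook killed, its macro-security registry values rewritten, an OTM file dropped) is a compact detection opportunity for defenders. The following is an added example, not code from the original article or from ESET: a small Python routine that correlates constructed Sysmon-style events per host and raises an alert only when all three steps appear within a short window. The event layout, the `ws01`/`ws02` hosts, the 16.0 registry path and the `VbaProject.OTM` location are assumptions made for the example, modelled on Outlook's per-user `Outlook\Security` key and its default VBA project file.

```python
"""Detection for the Outlook-VBA tampering chain: Outlook process terminated,
a value under ...\\Outlook\\Security written, then an .OTM file created.
All events below are constructed for this example; they are not real telemetry."""
import re
from datetime import datetime, timedelta

# Sysmon EventID semantics used here: 1 = ProcessCreate, 5 = ProcessTerminate,
# 11 = FileCreate, 13 = RegistryEvent (value set). Paths are assumptions.
SAMPLE_EVENTS = [
    {"ts": "2020-06-11T09:00:01", "host": "ws01", "id": 1,
     "image": "C:\\Windows\\System32\\wscript.exe",
     "cmdline": "wscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\7zS1\\s.vbs"},
    {"ts": "2020-06-11T09:00:02", "host": "ws01", "id": 5,
     "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"},
    # Outlook's macro-security "Level" value; 1 means all macros run unprompted.
    {"ts": "2020-06-11T09:00:03", "host": "ws01", "id": 13,
     "target": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Office\\16.0\\Outlook\\Security\\Level",
     "details": "DWORD (0x00000001)"},
    {"ts": "2020-06-11T09:00:03", "host": "ws01", "id": 13,
     "target": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Office\\16.0\\Outlook\\Security\\LoadMacroProviderOnBoot",
     "details": "DWORD (0x00000001)"},
    {"ts": "2020-06-11T09:00:05", "host": "ws01", "id": 11,
     "target": "C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Outlook\\VbaProject.OTM"},
    # Benign host: user simply closed Outlook and later saved a document.
    {"ts": "2020-06-11T09:10:00", "host": "ws02", "id": 5,
     "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"},
    {"ts": "2020-06-11T09:12:00", "host": "ws02", "id": 11,
     "target": "C:\\Users\\v\\Documents\\notes.docx"},
]

OUTLOOK_SECURITY_KEY = re.compile(r"\\Outlook\\Security\\", re.IGNORECASE)
OTM_FILE = re.compile(r"\.otm$", re.IGNORECASE)
WINDOW = timedelta(minutes=5)


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def find_outlook_vba_tampering(events, window=WINDOW):
    """Return one alert per host where, within `window` of an OUTLOOK.EXE
    termination, at least one Outlook\\Security registry value was written and
    an .OTM file was created, with the registry write not later than the OTM.
    Each alert lists the triggering timestamps and paths for triage."""
    alerts = []
    by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(ev["host"], []).append(ev)

    for host, evs in by_host.items():
        kills = [e for e in evs
                 if e["id"] == 5 and e.get("image", "").upper().endswith("OUTLOOK.EXE")]
        for kill in kills:
            t0 = _ts(kill)
            later = [e for e in evs if t0 <= _ts(e) <= t0 + window]
            reg = [e for e in later
                   if e["id"] == 13 and OUTLOOK_SECURITY_KEY.search(e.get("target", ""))]
            otm = [e for e in later
                   if e["id"] == 11 and OTM_FILE.search(e.get("target", ""))]
            if reg and otm and _ts(reg[0]) <= _ts(otm[-1]):
                alerts.append({
                    "host": host,
                    "outlook_terminated": kill["ts"],
                    "registry": [e["target"] for e in reg],
                    "otm": [e["target"] for e in otm],
                })
                break  # one alert per host per run is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_outlook_vba_tampering(SAMPLE_EVENTS):
        print(f"[ALERT] {alert['host']}: Outlook killed at {alert['outlook_terminated']}, "
              f"{len(alert['registry'])} Security value(s) written, OTM: {alert['otm']}")
```

The rule deliberately keys on the combination rather than on any single step: Outlook exiting is routine, and a lone `Level` write can come from an administrator, but all three within minutes is the pattern the article describes. Tuning the window and adding the parent process of the registry write (a script host rather than Outlook itself) are the first refinements a SOC would make.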
“Outlook VBA macros are contained within the OTM file,” Boutin told Threatpost. “They launch Outlook … this will then load the malicious VBA project responsible to send the emails from the compromised inbox.”
Cybercriminals then use the module to create and send emails to everyone in the victim’s address book, everyone within the victim’s organization and a predefined list of targets. When building an email to send to the victim’s contacts, the VBA code builds the body and attaches the malicious document (either a .docx or a .lnk file) to it. The sample emails observed have contained both English and Russian text.
One sample email found by researchers was titled: “New Contact Email” and asked victims to open an attachment labeled “contact.docx,” telling them in the body of the email that they’d exhausted the allowed storage space.
“Based on the ‘send to all in contact list’ behavior of this malicious VBA code, we believe that this module might have led some organizations to think they were targeted by Gamaredon when they were merely collateral damage,” said Boutin. “For example, recent samples uploaded to VirusTotal coming from regions that are not traditionally targeted by Gamaredon, such as Japan, could be explained by the actions of this module.”
Future of Gamaredon
Gamaredon has also continually updated its various custom tools that target data exfiltration. These include a C# compiler module that it uses as a downloader, a C/C++ successor to the USBStealer module (used to steal data), and a batch file/VBScript used to scan the system for sensitive documents.
The advanced persistent threat (APT) group, which has been active since at least 2013, is responsible for a number of high-profile attacks, including recent attacks on Ukrainian national security targets.
Researchers said that while the tools Gamaredon uses have historically been very simple and designed to gather sensitive data from compromised systems, the Outlook VBA module may reflect future sophistication in its cyberattacks.
“Despite the simplicity of most of their tools, the Gamaredon group also is capable of deploying some novelty, such as their Outlook VBA module,” they said. “However, as it is far from stealthy, in the long run it is no match for a capable organization. The variety of tools Gamaredon has at its disposal can be very effective at fingerprinting a machine and understanding what sensitive data is available, then spreading throughout the network. Could this just be a way to deploy a much stealthier payload?”