Suspected Russia-Linked Hackers Have Previously Focused on Ukraine
The Gamaredon hacking group is now using a new set of malicious tools to compromise Microsoft Outlook as a way of sending spear-phishing emails to victims’ contact lists, according to security firm ESET.
Over the last six months, ESET researchers have been tracking a series of new hacking tools that Gamaredon has deployed to compromise various devices and services, target additional victims, collect intelligence and spread malware, according to the report.
Active since at least 2013, Gamaredon has been linked to the Russian government and its intelligence services, according to previously released research by Sentinel Labs. Over the years, the hacking group has mainly targeted Ukraine in a series of campaigns.
The Ukrainian Computer Emergency Response Team has also taken notice of Gamaredon’s activities over the years.
What makes the Gamaredon hacking group unusual, according to ESET, is that it has rarely tried to disguise its presence as it tries to target as many victims as possible.
“Contrary to other [advanced persistent threat] groups, the Gamaredon group seems to make no effort in trying to stay under the radar,” this week’s ESET report notes. “Even though their tools have the capacity to download and execute arbitrary binaries that could be far stealthier, it seems that this group’s main focus is to spread as far and fast as possible in their target’s network while trying to exfiltrate data.”
In the analysis of the new tools that Gamaredon is now deploying, ESET researchers found that the hacking group is now able to compromise Outlook using a custom Visual Basic for Applications – VBA – project file that contains malicious macros.
While using malicious macros to compromise Outlook is not unusual, Gamaredon’s use of VBA is different, says Jean-Ian Boutin, head of threat research at ESET.
“What stands out in this one is the fact that they used some novel tools,” Boutin tells Information Security Media Group. “The Outlook VBA project used to send emails from the compromised inbox to contacts in the address book is something we’ve never seen before. The macro injection module is quite interesting too. All in all, they’ve shown a creativity we’ve not seen from them in the past.”
The attack starts when a targeted device is first compromised with a phishing email that contains a malicious Word or Excel attachment. These attachments contain a Visual Basic script that stops the Outlook process and disables security tools, including those designed to protect the VBA project function, according to the report.
Malicious email created by compromised VBA project file. (Source: ESET)
The malicious script then plants an OTM file in the VBA project file of Outlook. This allows the hackers to gain access to the victim’s contact list in Outlook. After that, the malicious macros start building new spear-phishing emails that can target those on the victim’s contact list, according to the report.
The compromised VBA file also allows the attackers to create new malicious documents that can be attached to the new spear-phishing emails and sent out to the entire compromised contact list, or a select sample, according to ESET.
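A defender can check an endpoint for the two changes described above, a planted Outlook VBA project (OTM) file and weakened macro protection. The following audit is an added example, not code from ESET or from the original article; the default project path `%APPDATA%\Microsoft\Outlook\VbaProject.OTM` and the per-user `Outlook\Security\Level` registry value are assumptions about a standard Outlook installation that the article does not state.

```powershell
# Added example (defensive audit). Assumed, not stated in the article:
#   - Outlook's default VBA project path: %APPDATA%\Microsoft\Outlook\VbaProject.OTM
#   - Outlook's per-user macro security value:
#     HKCU:\Software\Microsoft\Office\<version>\Outlook\Security\Level
#     (1 = run all macros without prompting)
function Get-OutlookVbaAudit {
    [CmdletBinding()]
    param(
        [string]$AppData    = $env:APPDATA,
        [string]$OfficeRoot = 'HKCU:\Software\Microsoft\Office'
    )

    # 1. Outlook stores its VBA macros in this file; on a host whose user
    #    never wrote Outlook macros, its presence deserves review.
    $otm = Join-Path $AppData 'Microsoft\Outlook\VbaProject.OTM'
    if (Test-Path -LiteralPath $otm -PathType Leaf) {
        $file = Get-Item -LiteralPath $otm -Force
        $hash = (Get-FileHash -LiteralPath $otm -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        [pscustomobject]@{
            Check  = 'OutlookVbaProjectPresent'
            Item   = $file.FullName
            Detail = 'bytes={0} modifiedUtc={1:u} sha256={2}' -f $file.Length, $file.LastWriteTimeUtc, $hash
        }
    }

    # 2. Macro security level for every Office version key in the user hive.
    $versions = Get-ChildItem -Path $OfficeRoot -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\d+\.\d+$' }
    foreach ($version in $versions) {
        $secPath = '{0}\{1}\Outlook\Security' -f $OfficeRoot, $version.PSChildName
        $level = (Get-ItemProperty -Path $secPath -Name Level -ErrorAction SilentlyContinue).Level
        if ($level -eq 1) {
            [pscustomobject]@{
                Check  = 'OutlookMacroSecurityLowered'
                Item   = "$secPath\Level"
                Detail = 'Level=1: all macros run without a prompt'
            }
        }
    }
}

$findings = @(Get-OutlookVbaAudit)
if ($findings.Count -eq 0) {
    'No Outlook VBA project file or lowered macro security level found for this user.'
} else {
    $findings | Format-List
}
```

The script reads only the current user's profile and registry hive, so it has to run in each user's context, for example as a logon script or through an endpoint management agent.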
“We rarely see threat actors leverage Outlook VBA modules to achieve their goals,” Boutin says.
By using this method to compromise Outlook, the Gamaredon hackers can maintain persistence within an organization, since the phishing emails are sent from familiar email addresses, which increases the likelihood that others will open them, according to the report.
“This is a very efficient way of moving laterally within an organization’s network as documents are routinely shared amongst colleagues,” according to the report. “Also, as these macros are run when opening the documents, it is a good way to persist on a system as some of these documents are likely to be opened multiple times and at different times.”
In addition to maintaining persistence in the network, this attack allows the hacking group to plant backdoors and distribute other malware such as information stealers, according to the report.
The ESET researchers also found examples of these phishing emails in both English and Russian. The analysts also noted several mistakes in the coding, which seems to indicate that the hacking group is still refining this technique.
Zach Varnell, a senior appsec consultant with security firm nVisium, says that one way to prevent these types of attacks is to reinforce rules with employees about running executables and raise awareness of how initial phishing emails can lead to a compromise.
“Prevention would come from the standard security practices around email and running executables,” Varnell tells ISMG. “Add a warning banner for all external emails – this could help prevent the initial compromise, but not the secondary ones – and don’t allow users to run as administrators. You can also implement application whitelisting.”
Managing Editor Scott Ferguson contributed to this report.