Gamaredon group using new tools to target Microsoft Outlook and Office, researchers warn

And they are making no effort to stay under the radar

Notorious hacking group Gamaredon is currently using a variety of new post-compromise attack tools to target Microsoft Outlook and Office and to inject malicious macros and remote templates into existing Office documents.

The warning comes from the researchers at cyber security firm ESET, who state in a new report that the members of Gamaredon have intensified their activities in recent months and make no effort to stay under the radar.

Gamaredon is a Russia-backed advanced persistent threat (APT) group that has been active since 2013 and has targeted many Ukrainian organisations in recent years. Security experts believe the group operates as a proxy for pro-Russian groups, tasked with operations such as intelligence gathering on Ukrainian military forces. In March, Gamaredon was observed taking advantage of the COVID-19 pandemic to trick targets.

Now, ESET researchers say they have recently seen the group sending a large number of spear-phishing emails with attachments containing malicious macros that, when run, attempt to download various malware variants on the targeted machine.

The tools Gamaredon uses are very simple: they attempt to steal sensitive data from infected machines while spreading deeper into the network.

According to researchers, the Gamaredon group uses a package that includes a custom Microsoft Outlook Visual Basic for Applications (VBA) project.

"This bundle of malicious code starts out with a VBScript that first kills the Outlook process if it is running, and then removes security around VBA macro execution in Outlook by changing registry values," the ESET researchers state in their report.

"It also saves to disk the malicious OTM file (Outlook VBA project) that contains a macro, the malicious email attachment and, in some cases, a list of recipients that the emails should be sent to."

After infecting Outlook, the attackers use the victim's email account to send malicious emails to: (1) all contacts in the victim's address book, (2) everyone within the same organisation, and (3) a predefined list of targets.

While hacking groups frequently use compromised email accounts to send malicious emails without the user's consent, ESET researchers believe this is likely the first documented case of hackers using an Outlook macro and OTM file to send malicious emails to potential targets.

The ESET team also discovered several new modules that Gamaredon members use to inject malicious templates or macros into documents already present on the compromised machines.

This technique lets the attackers move laterally within a compromised network, because employees routinely share documents with their colleagues, according to the researchers.
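The two document-level indicators that the report describes, a VBA project dropped into an existing document and a remote template reference injected into it, are both visible in the OOXML package structure, so a defender can triage shared documents for them before anyone opens them. The scanner below is an added example written for this article; it is not ESET's code and does not reproduce any of Gamaredon's tooling. It assumes the standard OOXML layout (a ZIP with `[Content_Types].xml`, `.rels` relationship parts, and an `attachedTemplate` relationship with `TargetMode="External"` for a remote template), and the sample document it builds for testing is constructed in memory, not a real sample from the report.

```python
"""Triage OOXML documents (docx/xlsx/pptx) for injected VBA projects and remote templates.

Added example for defenders; assumes standard OOXML package structure only.
"""
import io
import zipfile
from typing import Optional
from xml.etree import ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def scan_ooxml(data: bytes) -> dict:
    """Return indicators found in one OOXML package given as raw bytes."""
    findings = {
        "vba_project": False,       # a vbaProject.bin part exists in the package
        "vba_content_type": False,  # [Content_Types].xml declares the VBA content type
        "remote_templates": [],     # (rels part, target) for external attachedTemplate rels
    }
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        findings["vba_project"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        if "[Content_Types].xml" in names:
            content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            findings["vba_content_type"] = VBA_CONTENT_TYPE in content_types
        # Every .rels part is checked, not only word/_rels/settings.xml.rels,
        # so a template relationship placed elsewhere is still caught.
        for name in names:
            if not name.lower().endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # malformed relationship part; skip rather than crash the triage run
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") == ATTACHED_TEMPLATE and rel.get("TargetMode") == "External":
                    findings["remote_templates"].append((name, rel.get("Target")))
    return findings


def is_suspicious(findings: dict) -> bool:
    """A remote template or an embedded VBA project in a shared document warrants review."""
    return bool(findings["remote_templates"]) or findings["vba_project"] or findings["vba_content_type"]


def build_sample_docx(remote_template: Optional[str] = None, with_macro: bool = False) -> bytes:
    """Construct a minimal in-memory package for testing (constructed data, not a real sample)."""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/word/document.xml" '
        'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        + (f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
           if with_macro else "")
        + "</Types>"
    )
    settings_rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Relationships xmlns="{REL_NS}">'
        + (f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
           f'Target="{remote_template}" TargetMode="External"/>' if remote_template else "")
        + "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("_rels/.rels", f'<Relationships xmlns="{REL_NS}"/>')
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/settings.xml", "<w:settings/>")
        zf.writestr("word/_rels/settings.xml.rels", settings_rels)
        if with_macro:
            # Placeholder bytes standing in for a VBA project; only its presence matters here.
            zf.writestr("word/vbaProject.bin", b"constructed-placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx(remote_template="http://example.invalid/t.dotm", with_macro=True)
    print(scan_ooxml(sample))
```

Run `scan_ooxml` over the bytes of each document in a shared folder and escalate anything where `is_suspicious` is true; a document whose name ends in `.docx` but whose package declares a VBA content type or points at an external template is exactly the kind of artefact the injection modules described above leave behind.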