Active APT group adds cunning remote template injectors for Word and Excel documents; unique Outlook mass-mailing macro
ESET researchers have discovered several previously undocumented post-compromise tools used by the highly active Gamaredon threat group in various malicious campaigns. One tool, a VBA macro targeting Microsoft Outlook, uses the target’s email account to send spearphishing emails to contacts in the victim’s Microsoft Office address book. We also analyzed further Gamaredon tools that have the ability to inject malicious macros and remote templates into existing Office documents.
Tools linked to Gamaredon and discussed in this blogpost are detected as variants of MSIL/Pterodo, Win32/Pterodo or Win64/Pterodo by ESET’s products.
The Gamaredon group has been active since at least 2013. It has been responsible for a number of attacks, mostly against Ukrainian institutions, as evidenced in several reports from CERT-UA and from other official Ukrainian bodies over time.
In the last few months, there has been an increase in activity from this group, with constant waves of malicious emails hitting their targets’ mailboxes. The attachments to these emails are documents with malicious macros that, when executed, try to download a multitude of different malware variants.
Gamaredon has leveraged many different programming languages in the past few months, ranging from C# to VBScript, batch files and C/C++. The tools used by Gamaredon are very simple and are designed to gather sensitive information from compromised systems and to spread further.
Contrary to other APT groups, the Gamaredon group seems to make no effort in trying to stay under the radar. Even though their tools ha ..
Support the originator by clicking the read the rest link below.
