Gamaredon hackers use Outlook macros to spread malware to contacts

New tools attributed to the Russia-linked Gamaredon hacker group include a module for Microsoft Outlook that creates custom emails with malicious documents and sends them to a victim's contacts.


The threat actor disables the protections against running macro scripts in Outlook and plants the source file for the spearphishing attacks that spread the malware to other victims.


Gamaredon has been in the cyber espionage game since at least 2013, targeting national security institutions in Ukraine for political and military gain. It has become more active since December 2019.


Automated spear phishing


A new package used by Gamaredon (Primitive Bear) in recent malicious campaigns contains a Visual Basic for Applications (VBA) project (.OTM file) that targets the Microsoft Outlook email client with malicious macro scripts.


Compromising an email account to spread malware to contacts is not a new method, but malware analysts at cyber-security company ESET believe that the method used by Gamaredon has not been publicly documented before.


Analyzing the module, the researchers saw that the chain of events starts with a VBScript that terminates the Outlook process.


Next, the script modifies registry values to remove the protections against executing VBA macros in Outlook and stores on disk a malicious OTM file that helps spread infected documents to email addresses in the contact list.


Outlook supports only one VBA project at a time, and the OTM file used in Gamaredon activity contains a VBA script (macro) and a malicious email attachment.
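The chain described above leaves two host-side traces a defender can check for: Outlook's macro security lowered in the registry, and a VBA project file present on disk. The PowerShell below is an added example, not code from the article or from ESET; it assumes Outlook keeps its macro setting as the DWORD `Level` under `HKCU:\Software\Microsoft\Office\<version>\Outlook\Security` (1 = run all macros, 4 = disable all) and loads its VBA project from `%APPDATA%\Microsoft\Outlook\VbaProject.OTM`, which should be verified against the Office build in use.

```powershell
# Added defender check (not from the article or ESET). Assumptions: Outlook stores
# its macro setting as DWORD 'Level' under HKCU:\Software\Microsoft\Office\<ver>\Outlook\Security
# (1 = run all macros without prompting, 4 = disable all) and loads its VBA project
# from %APPDATA%\Microsoft\Outlook\VbaProject.OTM. Verify both on your Office build.

function Get-OutlookMacroSecurity {
    $findings = @()
    # Enumerate every installed Office version key (e.g. 16.0) and read Outlook's macro level.
    foreach ($key in Get-ChildItem 'HKCU:\Software\Microsoft\Office' -ErrorAction SilentlyContinue) {
        $sec = "Registry::$($key.Name)\Outlook\Security"
        if (-not (Test-Path $sec)) { continue }
        $level = (Get-ItemProperty -Path $sec -Name 'Level' -ErrorAction SilentlyContinue).Level
        $findings += [pscustomobject]@{
            OfficeVersion = $key.PSChildName
            MacroLevel    = $level
            # Level 1 is the "all macros run silently" state the article's VBScript produces.
            Suspicious    = ($level -eq 1)
        }
    }
    return $findings
}

function Get-OutlookVbaProject {
    $otm = Join-Path $env:APPDATA 'Microsoft\Outlook\VbaProject.OTM'
    if (-not (Test-Path $otm)) { return $null }
    $f = Get-Item $otm
    [pscustomobject]@{
        Path            = $f.FullName
        SizeBytes       = $f.Length
        LastWrite       = $f.LastWriteTime
        # Few users author Outlook VBA at all; a project written recently deserves a look.
        RecentlyWritten = ($f.LastWriteTime -gt (Get-Date).AddDays(-7))
    }
}

Get-OutlookMacroSecurity | Format-Table -AutoSize
$project = Get-OutlookVbaProject
if ($null -eq $project) { 'No Outlook VBA project on disk.' } else { $project | Format-List }
```

A macro level of 1 together with a freshly written VbaProject.OTM is the combination worth escalating; either on its own can be a legitimate user configuration.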


Sometimes, it may also include a list of targets that should get the messages. According to ESET, the threat actor may spear phish all contacts in the victim's address book, everyone in the same org ..
