Gamaredon Hackers Using New Tools for Microsoft Outlook, Office, and Excel
A Russia-linked APT group named Gamaredon (aka Primitive Bear) has been using several undocumented post-compromise tools in various malicious campaigns since 2013 and was recently observed making further updates to its tactics.
According to ESET, there has been an increase in activity from this group in the last few months, with new waves of malicious emails to exfiltrate data. The group added new remote template injectors for Word and Excel documents, as well as mass-mailing macros for Outlook.
- In a campaign spanning several months, the hackers deployed a new module (implemented in C# and VBScript) for Microsoft Outlook accounts to send spear-phishing messages to people in their contacts list.
- Researchers believe that the hackers were trying to infiltrate unidentified government organizations using another tool that injects malicious code into Microsoft Office documents.
- The third module called CodeBuilder contained the VBA source code of the malicious macro to be inserted into the targeted documents, and the .NET assembly responsible for finding and compromising existing documents. These macro injection modules can also tamper with Microsoft Office macro security settings.
Gamaredon’s favorite target – Ukrainian Government
Since its inception, the Gamaredon group has been frequently introducing new components to boost its offensive capabilities and has been targeting Ukrainian organizations often for geopolitical gains.
- In February 2020, SentinelLabs found that Gamaredon group improved its toolset and ramped up attacks on Ukrainian military and security institutions like the Hetman Petro Sahaidachnyi National Ground Forces Academy and others.
- In November 2019, Anomali Threat Research (ATR) team discovered that the Gamaredon group targeted various individuals and entities in Ukraine, including diplomats, government officials and employees, journalists, law enforcement, military officials and personnel, NGOs, and the country’s Ministry of Foreign Affairs using weaponized documents as lures.
Users should configure the appropriate security settings to secure systems against malicious macros in Office documents and focus on detection to prevent malicious activity. They should implement proper logging; review logs for suspicious activity; leverage SIEM signatures, and perform endpoint scans for malicious payloads.