VBA macro, remote template injectors included in Gamaredon post-compromise tool kit

The Gamaredon threat group has built a post-compromise tool arsenal that includes remote template injectors for Word and Excel documents as well as a unique Outlook mass-mailing macro, researchers recently discovered.

The tools, previously undocumented, boast a VBA macro aimed at Outlook that sends spearphishing emails to a victim’s Microsoft address book contacts, according to ESET researchers. Noting that the Gamaredon-linked tools were “detected as variants of MSIL/Pterodo, Win32/Pterodo or Win64/Pterodo,” ESET said in a blog post that the threat group, known for attacks mostly against Ukrainian organizations, has upped its activities “with constant waves of malicious emails hitting their targets’ mailboxes.”

The VBA employs a bundle of malicious code starting with a VBScript that kills the Outlook process, then changes registry values to remove security around VBA macro execution in Outlook. The malicious OTM file containing a macro, the malicious email attachment and, sometimes, a list of recipients for the email are saved to disk. Once Outlook is relaunched with a special option that loads the Gamaredon VBA project, and after the Application.Startup event is received, the malicious code is executed, sending malicious email either to everyone in the victim’s address book, to everyone within the organization, or to a predefined list of targets.

“While abusing a compromised mailbox to send malicious emails without the victim’s consent is not a new technique, we believe this is the first publicly documented case of an attack group using an OTM file and Outlook macro to achieve it,” the researchers wrote.

ESET also looked into the malicious modules that Gamaredon uses to inject malicious macros or remote templates into documents that are already on compromised systems, an efficient way to move laterally within a network that capitalizes on the tendency of colleagues to share documents, the researchers explained.

Since the macros run when a document is opened – and documents are typically opened multiple times – it “is a good way to persist on a system,” they wrote.

“These macro injection modules also have the functionality to tamper with the Microsoft Office macro security settings,” they said, so “affected users have no idea that they are again compromising their workstations whenever they open the documents.”

ESET observed the module implemented in two languages: C# and VBScript.
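The two host-side traces of the Outlook module described above are registry writes that weaken Office macro security and an Outlook relaunch that loads a non-default VBA project. The following triage script is an added example, not code from ESET or from this article; the events are constructed, simplified Sysmon-style records, the registry value names are real Office settings but the choice of which ones to watch is an assumption, and the `/altvba` switch is Outlook's own command-line option for loading an alternate VBA project.

```python
"""Flag registry writes that weaken Office macro security and Outlook launches
that load an alternate VBA project. Events are constructed, simplified
Sysmon-style records (registry value set / process create), not a capture."""
import re
from typing import Dict, List

# Watched registry values (real Office setting names; this set is an assumption,
# the article names none). Outlook\Security\Level and LoadMacroProviderOnBoot
# control Outlook VBA; VBAWarnings and AccessVBOM control Word/Excel macro
# prompting and programmatic access to a document's VBA project.
MACRO_SECURITY_VALUES = (
    "\\outlook\\security\\level",
    "\\outlook\\loadmacroprovideronboot",
    "\\security\\vbawarnings",
    "\\security\\accessvbom",
)
# Outlook's /altvba switch loads a VBA project other than the default VbaProject.OTM.
ALTVBA_RE = re.compile(r"(?i)\boutlook\.exe\b.*\s/altvba\b")

def macro_security_write(target: str) -> bool:
    """True if a registry target path ends in one of the watched value names."""
    return target.lower().endswith(MACRO_SECURITY_VALUES)

def triage(events: List[Dict[str, str]]) -> List[str]:
    """One finding per suspicious event, in log order; benign events yield none."""
    findings = []
    for ev in events:
        if ev["type"] == "registry_set" and macro_security_write(ev["target"]):
            findings.append(f"macro security weakened: {ev['target']} = "
                            f"{ev['data']} by {ev['image']}")
        elif ev["type"] == "process_create" and ALTVBA_RE.search(ev["cmdline"]):
            findings.append(f"outlook started with alternate VBA project: {ev['cmdline']}")
    return findings

# Constructed sample: two tampering writes by a script host, one benign write by
# Explorer, and an Outlook relaunch pointing at an OTM file in a temp directory.
SAMPLE_EVENTS = [
    {"type": "registry_set", "image": "C:\\Windows\\System32\\wscript.exe",
     "target": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Office\\16.0\\Outlook\\Security\\Level",
     "data": "DWORD (0x00000001)"},
    {"type": "registry_set", "image": "C:\\Windows\\System32\\wscript.exe",
     "target": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Office\\16.0\\Outlook\\LoadMacroProviderOnBoot",
     "data": "DWORD (0x00000001)"},
    {"type": "registry_set", "image": "C:\\Windows\\explorer.exe",
     "target": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Office\\16.0\\Word\\Options\\Zoom",
     "data": "DWORD (0x00000064)"},
    {"type": "process_create", "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
     "cmdline": "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE\" "
                "/altvba C:\\Users\\u\\AppData\\Local\\Temp\\vbaproject.otm"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

A real deployment would feed Sysmon event IDs 13 (registry value set) and 1 (process create) into `triage`; a benign admin change to these values is possible, so the write's originating image (a script host versus an Office process or group-policy engine) is the key context.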

While Gamaredon uses fairly simple tools, some, including the Outlook VBA module, prove the group can deploy novelty. “The variety of tools Gamaredon has at its disposal can be very effective at fingerprinting a machine and understanding what sensitive data is available, then spreading throughout the network,” the ESET researchers wrote, positing that could “be a way to deploy a much stealthier payload.”
