Russia-linked Gamaredon hacker crew using Microsoft's Visual Basic for Applications to pwn Microsoft's Outlook
From targeting Ukraine to random mailboxes: how the mighty have fallen
Security researchers claim to have uncovered "several previously undocumented post-compromise tools" used by a Russia-linked APT to target Microsoft Office and Outlook through Visual Basic for Applications.
In a statement about its findings, Slovakian infosec biz ESET said the tools "inject malicious macros or references to remote templates into existing documents on the attacked system, which is a very efficient way of moving within an organization's network, as documents are routinely shared amongst colleagues."
The Gamaredon hacking crew is said to be targeting Outlook through Visual Basic for Applications (VBA), allowing attackers to access the target account's contact book so they can forward phishing emails to a new batch of potential victims.
"While abusing a compromised mailbox to send malicious emails without the victim's consent is not a new technique, we believe this is the first publicly documented case of an attack group using an OTM file and Outlook macro to achieve it," said researcher Jean-Ian Boutin. "We were able to collect numerous different samples of malicious scripts, executables and documents used by the Gamaredon group throughout their campaigns."
To compromise Outlook, the malware runs a Visual Basic script that kills the Outlook system process before changing Windows registry values to strip away security settings preventing VBA macro execution, said ESET. It then fires up Outlook and loads its malicious VBA project.
Gamaredon has been an active APT crew since 2013, initially known for targeting Ukrainian government institutions. More recently it has been caught jumping aboard the COVID-19 pandemic to spread its malware, as Trend Micro said in April.
Ukrainian security forces have previously attributed Gamaredon's activities to the 16th and 18th divisions of Russia's FSB spy agency, under a previous Western name of Operation Armageddon. The NATO Association of Canada, in a paper examining Russian disinformation and disruption operations in Ukraine, reaffirmed that link earlier this year.
VBA has thrown up the odd surprise over the years, malware aside. Back in 2016 an evidently bored chap created an Excel-based peer-to-peer instant messaging project using VBA. ®