Active since 2013, Gamaredon is a notorious advanced persistent threat (APT) group that predominantly targets Ukrainian institutions. In recent months, researchers have noted an increase in activity from the group.
The group has developed two tools, the first using the victim’s email account to send phishing emails to contacts. These emails contain a Microsoft Office document that include malicious macros and references that download different malware variants.
Gamaredon group targets Outlook in unusual way: ESET
According to ESET researchers, using Outlook macros in this way is rarely seen, but for attackers, it is a very effective way of moving through an organisations’ network as documents are commonly shared between colleagues with a high level of trust.
“While abusing a compromised mailbox to send malicious emails without the victim’s consent is not a new technique, we believe this is the first publicly documented case of an attack group using an OTM file and Outlook macro to achieve it,” said Jean-Ian Boutin, head of threat research at ESET.
“We were able to collect numerous different samples of malicious scripts, executables and documents used by the Gamaredon group throughout their campaigns.”
How well do you really know your competitors?
Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.
Your download email will arrive shortly
Not ready to buy yet? Download a free sample
We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below formBy GlobalData
Furthermore, the fact that the tool tampers with Microsoft Office’s security settings means users are unaware that they have been compromised when they open documents.
Gamaredon group can then use this to access sensitive documents, with researchers identifying that the group “makes little or no effort to stay under the radar”.
“In the last few months, there has been an increase in activity from this group, with constant waves of malicious emails hitting their targets’ mailboxes,” added Boutin.
“The attachments to these emails are documents with malicious macros that, when executed, try to download a multitude of different types of malware.”