June 11, 2020

Gamaredon group hackers target Microsoft Outlook and Office

By Ellen Daniel

Researchers at antivirus company ESET have discovered hacker group Gamaredon has developed new tools to target Microsoft Outlook and Office.

Active since 2013, Gamaredon is a notorious advanced persistent threat (APT) group that predominantly targets Ukrainian institutions. In recent months, researchers have noted an increase in activity from the group.

The group has developed two tools, the first using the victim’s email account to send phishing emails to contacts. These emails contain a Microsoft Office document that include malicious macros and references that download different malware variants.

Gamaredon group targets Outlook in unusual way: ESET

According to ESET researchers, using Outlook macros in this way is rarely seen, but for attackers, it is a very effective way of moving through an organisations’ network as documents are commonly shared between colleagues with a high level of trust.

“While abusing a compromised mailbox to send malicious emails without the victim’s consent is not a new technique, we believe this is the first publicly documented case of an attack group using an OTM file and Outlook macro to achieve it,” said Jean-Ian Boutin, head of threat research at ESET.

“We were able to collect numerous different samples of malicious scripts, executables and documents used by the Gamaredon group throughout their campaigns.”

Furthermore, the fact that the tool tampers with Microsoft Office’s security settings means users are unaware that they have been compromised when they open documents.

Gamaredon group can then use this to access sensitive documents, with researchers identifying that the group “makes little or no effort to stay under the radar”.

“In the last few months, there has been an increase in activity from this group, with constant waves of malicious emails hitting their targets’ mailboxes,” added Boutin.

“The attachments to these emails are documents with malicious macros that, when executed, try to download a multitude of different types of malware.”


Read more: Furloughed workers face heightened phishing threat from email backlogs.