Active APT group adds cunning remote template injectors for Word and Excel documents; unique Outlook mass-mailing macro
ESET researchers have discovered several previously undocumented post-compromise tools used by the highly active Gamaredon threat group in various malicious campaigns. One tool, a VBA macro targeting Microsoft Outlook, uses the target’s email account to send spearphishing emails to contacts in the victim’s Microsoft Office address book. We also analyzed further Gamaredon tools that have the ability to inject malicious macros and remote templates into existing Office documents.
Tools linked to Gamaredon and discussed in this blogpost are detected as variants of MSIL/Pterodo, Win32/Pterodo or Win64/Pterodo by ESET’s products.
The Gamaredon group has been active since at least 2013. It has been responsible for a number of attacks, mostly against Ukrainian institutions, as evidenced in several reports from CERT-UA and from other official Ukrainian bodies over time.
In the last few months, there has been an increase in activity from this group, with constant waves of malicious emails hitting their targets’ mailboxes. The attachments to these emails are documents with malicious macros that, when executed, try to download a multitude of different malware variants.
Gamaredon has leveraged many different programming languages in the past few months, ranging from C# to VBScript, batch files and C/C++. The tools used by Gamaredon are very simple and are designed to gather sensitive information from compromised systems and to spread further.
Unlike other APT groups, the Gamaredon group seems to make no effort to stay under the radar. Even though their tools have the capacity to download and execute arbitrary binaries that could be far stealthier, it seems that this group’s main focus is to spread as far and fast as possible in their target’s network while trying to exfiltrate data. Could we be missing something?
Figure 1 illustrates a typical compromise chain in a Gamaredon campaign.
Figure 1. Typical Gamaredon compromise chain
While most of the recent publications have focused on the spearphishing emails together with the downloaders they contain, this blogpost focuses on the post-compromise tools deployed on these systems.
The Gamaredon group uses a package that includes a custom Microsoft Outlook Visual Basic for Applications (VBA) project. Using Outlook macros to deliver malware is something we rarely see while investigating malicious campaigns.
This bundle of malicious code starts out with a VBScript that first kills the Outlook process if it is running, and then lowers the security settings that govern VBA macro execution in Outlook by changing registry values. It also saves to disk the malicious OTM file (Outlook VBA project) that contains a macro, the malicious email attachment and, in some cases, a list of recipients that the emails should be sent to.
Next, it relaunches Outlook with a special option, /altvba <OTM filename>, which loads the Gamaredon VBA project. The malicious code is executed once the Application.Startup event is received. The group has used this module in three different ways, sending malicious email to:
While abusing a compromised mailbox to send malicious emails without the victim’s consent is not a new technique, we believe this is the first publicly documented case of an attack group using an OTM file and Outlook macro to achieve it.
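The relaunch with /altvba is the most visible step of this module from a process-telemetry point of view. The following is an added detection example, not code from the original post or from ESET's tooling: it triages constructed process-creation events (Sysmon-style Image/CommandLine/ParentImage fields, not real telemetry), flags outlook.exe started with /altvba, extracts the OTM path passed to it, and raises the severity when the parent is a scripting host, which is what a dropper VBScript would look like. The field names and the severity scheme are assumptions for illustration.

```python
import shlex

# Constructed process-creation events in Sysmon Event ID 1 style (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\taskkill.exe",
     "CommandLine": r"taskkill /f /im outlook.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE" /altvba C:\Users\victim\AppData\Roaming\project.otm',
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
]

# Parents that suggest Outlook was relaunched by a script rather than by the user.
SCRIPT_HOSTS = ("\\wscript.exe", "\\cscript.exe", "\\powershell.exe", "\\cmd.exe")


def is_outlook(event):
    return event["Image"].lower().endswith("\\outlook.exe")


def find_altvba(command_line):
    """Return the OTM path handed to /altvba, or None if the switch is absent.

    posix=False keeps Windows paths intact (backslashes are not escapes) and
    keeps quoted arguments together.
    """
    tokens = shlex.split(command_line, posix=False)
    for i, tok in enumerate(tokens):
        if tok.lower() == "/altvba" and i + 1 < len(tokens):
            return tokens[i + 1].strip('"')
    return None


def triage(events):
    """Flag Outlook launches that load an alternate VBA project."""
    findings = []
    for ev in events:
        if not is_outlook(ev):
            continue
        otm = find_altvba(ev["CommandLine"])
        if otm is None:
            continue
        # /altvba is a legitimate troubleshooting switch, so on its own it is only
        # a medium signal; a scripting-host parent makes it high.
        parent = ev["ParentImage"].lower()
        severity = "high" if parent.endswith(SCRIPT_HOSTS) else "medium"
        findings.append({"severity": severity,
                         "reason": "outlook.exe started with /altvba",
                         "otm": otm,
                         "parent": ev["ParentImage"]})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f)
```

The OTM path recovered from the command line is the artifact to collect: it is the VBA project that will run on Application.Startup, and the same dropper also writes the attachment and, where present, the recipient list next to it.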
Figure 2. Outlook VBA script creating the malicious email
Based on the “send to all in contact list” behavior of this malicious VBA code, we believe that this module might have led some organizations to think they were targeted by Gamaredon when they were merely collateral damage. For example, recent samples uploaded to VirusTotal coming from regions that are not traditionally targeted by Gamaredon, such as Japan, could be explained by the actions of this module.
As seen in Figure 2, the VBA code builds the email body and attaches the malicious document to the email. We’ve seen both .docx and .lnk files being used as attachments. These are very similar to the content of the malicious attachments used in Gamaredon’s initial spearphishing campaigns. Figure 3 shows an email generated by this malicious component.
Figure 3. Email generated by the Outlook VBA module with a Word document attachment that contains a remote template
The email contains both English and Russian text. However, as illustrated in Figure 3, there is a problem with the Russian encoding. This was fixed in a later version of this module — another example of the Gamaredon group’s fast development pace and apparent lack of attention to detail.
We analyzed different variants of malicious modules used by the Gamaredon group to inject malicious macros or remote templates into documents already present on the compromised system. This is a very efficient way of moving laterally within an organization’s network, as documents are routinely shared among colleagues. It is also an effective way to persist on a system: the macros run each time a document is opened, and some of these documents are likely to be opened repeatedly, at different times.
These macro injection modules also have the functionality to tamper with the Microsoft Office macro security settings. Thus, affected users have no idea that they are again compromising their workstations whenever they open the documents. We have seen this module implemented in two different languages: C# and VBScript.
This module was delivered, like many other tools, in a 7z self-extracting archive. Inside, there was a password-protected RAR archive containing a few files. Notably, there were two text files, one for Word and one for Excel, containing the VBA source code of the malicious macro to be inserted into the targeted documents, and the .NET assembly responsible for finding and compromising existing documents. As illustrated in Figure 4, the assembly name is CodeBuilder.
Figure 4. CodeBuilder functions in a version that is not obfuscated
This .NET module first reduces Office macro security settings for various document types by modifying the following registry values:
It iterates over all possible Office <version> values for both Word and Excel <product> values. It then scans for documents with valid Word or Excel file extensions on all drives connected to the system. For the drive containing the Windows installation, it scans only specific locations, namely the Desktop and Downloads folders. For the others, it scans the entire drive. The malware moves each located document into the AppData folder, inserts malicious Word or Excel macros into it using a Microsoft.Office.Interop object, and then moves the document back into its original folder. In the samples we analyzed, the injected macros were simple downloaders.
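Both the Outlook module and CodeBuilder start by weakening Office macro security in the registry, so an audit of those values is a cheap post-compromise check. The following is an added example, not code from the original post or from ESET's tooling. It parses a constructed `reg export` of HKCU\Software\Microsoft\Office and reports, for every Office version found, Word or Excel keys with VBAWarnings set to 1 (all macros run without a prompt), AccessVBOM set to 1 (the VBA project object model is trusted, which programmatic macro insertion through Interop needs), and Outlook Security\Level set to 1 (all Outlook macros run). The post does not list the exact values the module writes; that these are the relevant ones is my assumption, based on the documented meaning of these well-known values.

```python
import re

# Constructed `reg export HKCU\Software\Microsoft\Office` output (not from a real machine).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security]
"VBAWarnings"=dword:00000001
"AccessVBOM"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Security]
"VBAWarnings"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Excel\Security]
"VBAWarnings"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security]
"Level"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common]
"Theme"=dword:00000000
"""

# Only the per-version Security keys of Word, Excel and Outlook are audited.
KEY_RE = re.compile(
    r"^\[HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\(\d+\.\d+)\\(Word|Excel|Outlook)\\Security\]$",
    re.IGNORECASE)
VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg_export(text):
    """Return {(version, product): {value_name: int}} for the audited Security keys."""
    result = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = (m.group(1), m.group(2).capitalize())
            result.setdefault(current, {})
            continue
        if line.startswith("["):
            current = None  # a key we do not audit; skip its values
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            result[current][m.group(1)] = int(m.group(2), 16)
    return result


def audit_macro_security(text):
    """List (version, product, reason) for every weakened macro setting."""
    findings = []
    for (version, product), values in sorted(parse_reg_export(text).items()):
        if product in ("Word", "Excel"):
            if values.get("VBAWarnings") == 1:
                findings.append((version, product, "VBAWarnings=1: all macros run without prompt"))
            if values.get("AccessVBOM") == 1:
                findings.append((version, product, "AccessVBOM=1: VBA project object model trusted"))
        elif product == "Outlook" and values.get("Level") == 1:
            findings.append((version, product, "Level=1: Outlook runs all macros"))
    return findings


if __name__ == "__main__":
    for finding in audit_macro_security(SAMPLE_REG):
        print(finding)
```

On a real host, `reg export` writes UTF-16LE, so open the file with `encoding="utf-16"` before passing its text in. Note that the module iterates over every Office version key, so a finding under a version that is not even installed (15.0 on a 16.0 machine here) is itself a strong sign of automated tampering rather than a user's choice.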
The VBScript version of this module is similar in behavior to the .NET one. The main difference is that instead of inserting a malicious macro into existing documents, it inserts references to a remote template into them.
Figure 5. VBScript using the Document.AttachedTemplate property to inject a reference to a remote template into existing documents
This VBScript module also comes packaged in a self-extracting archive, containing one batch file and two VBS files responsible for iterating through documents and adding the remote template references to them.
Interestingly, some of the custom tools described in Palo Alto Networks’ 2017 blogpost on Gamaredon are still being updated and in use today. Some show significant similarities while others are rewrites in different programming languages. The most prevalent tools downloaded and installed on compromised machines can be broadly grouped into two different categories: downloaders and backdoors.
There are many variations of their downloaders, most of them written in either C# or VBScript. This section will cover only two of their most original variants; the others have not evolved that much and are very simple.
This .NET executable, similar to many other tools used by the Gamaredon group, uses obfuscation techniques such as junk code insertion and string obfuscation. It contains in its body the base64-encoded source code of a downloader. It decodes that source code and compiles it directly on the system using the built-in Microsoft.CSharp.CSharpCodeProvider class. It places the resulting executable in an existing directory and creates a scheduled task that will launch it every 10 minutes. As can be seen in Figure 6, the decoded source code still has comments in it, illustrating the apparent sloppiness of Gamaredon’s operators.
Figure 6. Part of the C# downloader source code included in the C# compiler module
As seen in Figure 7, this .NET executable uses a GitHub repository to obtain and execute a downloader. This repository is now gone, but we were able to download a copy of it while it was still available.
Figure 7. .NET module responsible for downloading and executing a payload stored on github.com
The repository contained a single file — readme.txt — that was a base64-encoded .NET downloader executable. The role of the GitHub project module is to download this file, decode it and execute it.
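Both downloaders described above carry their real payload as a base64 string inside something innocuous: C# source in the compiler module's body, a .NET executable in a repository's readme.txt. The following is an added triage example, not code from the original post or from the tools it describes: it finds long base64 runs in arbitrary text, decodes them, and classifies the result as a PE file (MZ header whose e_lfanew points at a PE signature) or as C# source (several C# markers present). The minimal PE stub and the C# snippet used as samples are constructed for the example; the 120-character minimum run length is an assumed tuning knob.

```python
import base64
import re
import struct

# Runs of base64 long enough to be worth decoding (short runs are usually noise).
B64_RUN = re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")

# Constructed stand-in for a PE: DOS header with e_lfanew -> "PE\0\0" at 0x80.
FAKE_PE = (b"MZ" + b"\0" * 0x3A                # DOS header up to offset 0x3C
           + struct.pack("<I", 0x80)            # e_lfanew
           + b"\0" * (0x80 - 0x40)              # DOS stub padding
           + b"PE\0\0" + b"\0" * 64)            # PE signature plus dummy headers

# Constructed stand-in for source that a compiler module would decode and build.
CSHARP_SAMPLE = b"""// constructed sample, not the real decoded source
using System;
namespace Sample
{
    class Program
    {
        static void Main()
        {
            Console.WriteLine("compiled at run time");
        }
    }
}
"""

# Two constructed carriers: a readme.txt-style file and a source line with an embedded string.
SAMPLE_README = "readme\n" + base64.b64encode(FAKE_PE).decode() + "\n"
SAMPLE_MODULE_TEXT = 'string src = "' + base64.b64encode(CSHARP_SAMPLE).decode() + '";'

CSHARP_MARKERS = ("using System", "namespace ", "static void Main", "class ")


def looks_like_pe(data):
    """True if data starts with MZ and e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def looks_like_csharp(data):
    """Heuristic: at least two typical C# tokens in a UTF-8 decodable blob."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return sum(marker in text for marker in CSHARP_MARKERS) >= 2


def classify_blob(data):
    if looks_like_pe(data):
        return "pe-executable"
    if looks_like_csharp(data):
        return "csharp-source"
    return None


def scan_text_for_payloads(text):
    """Decode every long base64 run in text and report the ones that hide code."""
    hits = []
    for m in B64_RUN.finditer(text):
        try:
            decoded = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError: bad padding or length
            continue
        kind = classify_blob(decoded)
        if kind:
            hits.append({"offset": m.start(), "kind": kind, "size": len(decoded)})
    return hits


if __name__ == "__main__":
    print(scan_text_for_payloads(SAMPLE_README))
    print(scan_text_for_payloads(SAMPLE_MODULE_TEXT))
```

Run over dropped text files, script bodies or decompiled .NET string tables, this separates "a long string" from "a long string that is a program". A PE hit is worth hashing and detonating on its own; a C# source hit is the cleartext of what the compiler module would build, so it can be read directly.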
While some variations exist in functionalities, the main purpose of these modules is to enumerate all documents on a compromised system and upload them to the C&C server. These file stealers can also download and execute arbitrary code from the C&C server. As with many other tools used by the Gamaredon group, they come in four different programming languages: C/C++, C#, batch file and VBScript.
This variant is the successor of the USBStealer module described here. Although the latest versions are now quite different, examining samples of this module throughout its development clearly shows it originates from the same source code.
One sample that illustrates this shift well is a 64-bit DLL with internal name Harvesterx64.dll, compiled in June 2019. It still has most of the strings used in the older variants, but also exhibits two improvements that are still in the newer ones. First, it now resolves Windows APIs via name hashing and second, it uses a basic text file instead of a SQLite database to track which files were already uploaded to the C&C server.
The behavior of this module is quite straightforward: it scans the system for new Microsoft Office documents, both on local and removable drives, and uploads them to the C&C server. To know whether the document is new, the module keeps, in a text file, one MD5 hash per file uploaded to the server. These MD5 hashes are not based on the file content, but rather on a string composed of the file name, its size and its last modified time. The module’s strings are stored in its .data section, encrypted with a simple XOR key. It also has the ability to download and execute arbitrary code from its C&C server.
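Two details in this description matter to an incident responder: the tracking file is a list of what was uploaded, and the strings that name the C&C and the file types are only XOR-obscured. The following is an added example, not code from the original post or from the file stealer itself. It assumes the tracking key is MD5 over "name|size|mtime" (the post gives the fields but not their exact layout, so the separator and mtime precision are my assumptions), shows how to match a recovered tracking file against documents on disk to establish what was exfiltrated, demonstrates why a same-size edit with a restored timestamp is invisible to this scheme, and recovers a single-byte XOR key from a constructed encrypted string using a crib (".doc") that such a module is likely to contain.

```python
import hashlib
import os
import tempfile


def tracker_key(path):
    """Assumed tracking key: MD5 over file name, size and mtime, never over content."""
    st = os.stat(path)
    composite = f"{os.path.basename(path)}|{st.st_size}|{int(st.st_mtime)}"
    return hashlib.md5(composite.encode("utf-8")).hexdigest()


def files_matching_tracker(tracker_lines, candidate_paths):
    """Candidates whose key appears in the recovered tracking file: these were uploaded."""
    known = {line.strip().lower() for line in tracker_lines if line.strip()}
    return [p for p in candidate_paths if tracker_key(p) in known]


def xor_decode(blob, key):
    return bytes(b ^ key for b in blob)


def recover_xor_key(blob, crib):
    """All single-byte keys whose decoding contains the crib (a string known to be present)."""
    return [k for k in range(256) if crib in xor_decode(blob, k)]


# Constructed stand-in for an encrypted .data string (plaintext XORed with 0x5A).
ENCRYPTED_STRING = xor_decode(b"Harvester: scanning for *.doc* and *.xls* files", 0x5A)


def build_demo():
    """Constructed scenario: three documents, tracker lists two; returns (matched, blind_spot)."""
    tmp = tempfile.mkdtemp()
    paths = []
    for name, content, mtime in (("report.docx", b"A" * 100, 1_600_000_000),
                                 ("budget.xlsx", b"B" * 200, 1_600_100_000),
                                 ("notes.doc", b"C" * 50, 1_600_200_000)):
        p = os.path.join(tmp, name)
        with open(p, "wb") as f:
            f.write(content)
        os.utime(p, (mtime, mtime))
        paths.append(p)

    # The tracker as the stealer leaves it: one hash per line for each file it uploaded.
    tracker = [tracker_key(paths[0]), tracker_key(paths[1])]
    matched = sorted(os.path.basename(p) for p in files_matching_tracker(tracker, paths))

    # Blind spot: new content of the same size with the old mtime keeps the same key,
    # so the module would consider it already uploaded.
    with open(paths[0], "wb") as f:
        f.write(b"Z" * 100)
    os.utime(paths[0], (1_600_000_000, 1_600_000_000))
    blind_spot = tracker_key(paths[0]) == tracker[0]
    return matched, blind_spot


if __name__ == "__main__":
    print(build_demo())
    key = recover_xor_key(ENCRYPTED_STRING, b".doc")[0]
    print(hex(key), xor_decode(ENCRYPTED_STRING, key))
```

If the real layout differs, tracker_key is the only function to adjust; the matching logic stays the same. The crib approach is preferable to a "most printable output wins" score because several keys can turn ASCII into other ASCII, whereas a four-byte crib pins the key down.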
This is a reimplementation in C# of the C/C++ version. The major difference is that it also takes screenshots of the compromised computer every minute. As seen in Figure 8, the version we analyzed has five different threads with evocative names.
Figure 8. C# backdoor thread creation routine
This version comprises several scripts, written in both batch file form and VBScript. The ultimate goal is the same, though: scanning the system for sensitive documents. The main mechanism is a batch file that searches for Word documents (*.doc*) on the system and stores their names in a text file (see Figure 9).
Figure 9. Example inject.txt file containing the result of the backdoor’s document file scan
The package also contains encrypted script files named 1.log, 2.log, 3.log, 4.log and 5.log. Once decrypted, these scripts are obfuscated VBScript downloaders that are able to download and execute arbitrary code.
The Gamaredon group uses many different domains, both free and paid, for its C&C servers. Free domains are mostly DDNS from No-IP: hopto.org, ddns.net, myftp.biz, while paid domains are registered through the REG.RU registrar and include the .fun, .site, .space, .ru, .website and .xyz TLDs.
They are constantly changing the domains used by their tools, but mostly on a small number of ASNs. Careful analysis suggests they use separate domains for small groups of victims. Please check ESET’s GitHub account for an extensive list of domains used by the Gamaredon group.
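The infrastructure pattern above (No-IP dynamic DNS for free domains, a short list of TLDs for paid ones) is well suited to a hunting query over DNS logs. The following is an added example, not code from the original post or from ESET's published domain list: it runs over constructed DNS query log lines (timestamp, client, query type, name; the format is assumed) and flags queries to the three No-IP domains named above, or to the listed TLDs, reporting which rule matched so that the noisier TLD rule can be tuned separately.

```python
import re

# Free DDNS domains and paid-domain TLDs named in the post.
NOIP_DDNS_DOMAINS = ("hopto.org", "ddns.net", "myftp.biz")
WATCHED_TLDS = ("fun", "site", "space", "ru", "website", "xyz")

# Constructed DNS query log lines (timestamp client qtype qname), not real telemetry.
SAMPLE_DNS_LOG = """\
2020-05-12T08:01:03Z 10.0.0.15 A update.example-corp.local
2020-05-12T08:01:09Z 10.0.0.15 A files-sync.hopto.org
2020-05-12T08:02:41Z 10.0.0.22 A docs-share.ddns.net
2020-05-12T08:03:00Z 10.0.0.22 A www.microsoft.com
2020-05-12T08:04:17Z 10.0.0.31 A report-upload.space
2020-05-12T08:05:55Z 10.0.0.31 A wiki.funsite.org
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def classify_qname(qname):
    """Return the matching rule name for a query name, or None."""
    name = qname.lower().rstrip(".")
    for domain in NOIP_DDNS_DOMAINS:
        # Match the domain itself or any subdomain, never a substring elsewhere in the name.
        if name == domain or name.endswith("." + domain):
            return "no-ip-ddns"
    tld = name.rsplit(".", 1)[-1]
    if tld in WATCHED_TLDS:
        return "watched-tld"
    return None


def hunt(log_text):
    """Flagged queries as (timestamp, client, qname, rule)."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line; skip rather than abort the whole run
        ts, client, _qtype, qname = m.groups()
        rule = classify_qname(qname)
        if rule:
            hits.append((ts, client, qname, rule))
    return hits


def clients_per_domain(hits):
    """Group flagged domains by the clients that resolved them."""
    grouped = {}
    for _ts, client, qname, _rule in hits:
        grouped.setdefault(qname, set()).add(client)
    return grouped


if __name__ == "__main__":
    for hit in hunt(SAMPLE_DNS_LOG):
        print(hit)
    print(clients_per_domain(hunt(SAMPLE_DNS_LOG)))
```

The TLD rule is deliberately separate because .ru and .site traffic is legitimate in many environments; treat it as a hunting filter to be reviewed against an allowlist, while the DDNS rule is precise enough to alert on. Grouping by domain is useful here because the post notes that separate domains are used for small groups of victims: one flagged domain resolved by a single workstation is consistent with that pattern.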
We were able to collect numerous different samples of malicious scripts, executables and documents used by the Gamaredon group throughout their campaigns. We noticed several mistakes in these, especially in scripts. It is of course impossible to know the exact reason behind these bugs or oversights, but the volume of samples the group produces and their rapid development could explain it. The fact that there were comments left in the source code included in some C# compiler module samples or that the Russian encoding was wrong in email generated by the Outlook VBA module shows that there is no stringent review or testing before releasing their many tools and using them in the wild.
However, while these errors might lower their tools’ overall effectiveness, this group’s rapid execution and adaptation also has some advantages. The volume and relentlessness of the attacks can create a state of constant dread in their targets. And although the code is very simple, some techniques, such as script obfuscation, make it hard to fully automate the analysis, making the analyst’s job tedious.
Their GitHub project allowed us a glimpse into the rapid development of their tools. The code that was committed there clearly showed the evolution of the C# downloader. The first versions showed no signs of obfuscation; then the developers added different string obfuscations and junk code to make the analysis harder.
In terms of persistence, several different techniques are used, but the most common ones are scheduled tasks, autorun registry keys and leveraging the Startup folder. Although these techniques are very simple and have been known for a long time, the Gamaredon group’s strategy of trying to install multiple scripts and executables on each system, and constantly updating them, significantly complicates defenders’ lives.
Despite the simplicity of most of their tools, the Gamaredon group is also capable of deploying some novelty, such as their Outlook VBA module. However, as it is far from stealthy, in the long run it is no match for a capable organization. The variety of tools Gamaredon has at its disposal can be very effective at fingerprinting a machine and understanding what sensitive data is available, then spreading throughout the network. Could this just be a way to deploy a much stealthier payload?
Special thanks to ESET Senior Malware Researcher Anton Cherepanov for his help in this research.