Recently, the threat actor GADOLINIUM started using cloud services and open source tools to enhance the weaponization of its malware payload, to attempt to gain command and control all the way to the server, and to evade detection. These attacks were delivered via spear-phishing emails with malicious attachments. GADOLINIUM tracks the tools and techniques of security practitioners, looking for new techniques it can use or modify to create new exploit methods. Over the last year, GADOLINIUM has begun to modify portions of its toolchain to use open-source toolkits that obfuscate its activity and make it more difficult for analysts to track.
In mid-April 2020, GADOLINIUM actors were detected sending spear-phishing emails with malicious attachments. The filenames of these attachments were chosen to appeal to the target's interest in the COVID-19 pandemic. When opened, the PowerPoint file (20200423-sitrep-92-covid-19.ppt) dropped a file named doc1.dotm. GADOLINIUM campaigns often involve installing web shells on legitimate websites for command and control or traffic redirection. Moreover, during April 2020, the Microsoft Identity Security team suspended 18 Azure Active Directory applications that were determined to be part of GADOLINIUM's PowerShell Empire infrastructure.