New tools attributed to the Russia-linked Gamaredon hacker group include a module for Microsoft Outlook that creates custom emails with malicious documents and sends them to a victim’s contacts. The threat actor disables protections for running macro scripts in Outlook and to plant the source file for the spearphishing attacks that spread malware to other victims.
Gamaredon has multiple variants for CodeBuilder, the module for injecting malicious macros or remote templates in documents available on the infected host.
This method is efficient because documents are often shared within the organization and it also achieves persistence since the files are likely to be opened multiple times. Attackers can fetch and execute a malware, enumerate documents and upload them to the command and control (C&C) server, download and execute other code from the C&C and scan system for Word documents and store their names in a text file.
New contact email