• Services
    • Assess
      • Compromise Assessment
      • APT Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Transform
      • SOC Consultancy
      •     SOC Maturity Assessment
      •     SOC Model Evaluation
      •     SOC Gap Analysis
      •     SIEM Gap Analysis
      •     SIEM Optimization
      •     SOC Content Pack
    • Train
      • Security Awareness and Training
      • Tabletop Exercise
      • Simulated Cyber Attack Exercises
    • Respond
      • Incident Response
      • Incident Analysis
  • Managed Security
    • Managed Security Monitoring
      • Remote SOC
      • Onsite SOC
      • Hybrid SOC
    • Managed Security Services
      • Managed Detection and Response
      • Managed Endpoint Detection and Response
      • Managed Threat Intelligence
      • Managed Threat Hunting
      • Managed Risk-Based SOAR
      • Managed Penetration Testing
  • Solutions
  • Resources
    • Blog
    • Press Release
    • Threat Advisory
  • Company
    • About Us
    • Careers
    • Contact
Rewterz Threat Advisory – CVE-2020-8019 – SuSE Linux Enterprise Debuginfo Symlink privilege escalation vulnerability
June 30, 2020
Rewterz Threat Alert – Phishing Emails Containing Calendar Invitations
July 1, 2020

Rewterz Threat Alert – Gamaredon Hackers Use Outlook Macros to Spread Malware

July 1, 2020

Severity

Medium

Analysis Summary

New tools attributed to the Russia-linked Gamaredon hacker group include a module for Microsoft Outlook that creates custom emails with malicious documents and sends them to a victim’s contacts. The threat actor disables protections for running macro scripts in Outlook and to plant the source file for the spearphishing attacks that spread malware to other victims. 
 

Gamaredon-OutlookVBAEmail-ESET.png


Gamaredon has multiple variants for CodeBuilder, the module for injecting malicious macros or remote templates in documents available on the infected host.

This method is efficient because documents are often shared within the organization and it also achieves persistence since the files are likely to be opened multiple times. Attackers can fetch and execute a malware, enumerate documents and upload them to the command and control (C&C) server, download and execute other code from the C&C and scan system for Word documents and store their names in a text file.

Impact

  • Data exfiltration
  • Remote command execution
  • Information Theft

Indicators of Compromise

Email Subject

New contact email

MD5

c09794ddb7f5ce5f88304843687fd55c

SHA-256

ee29eb3980dff9034b1c539a799cedc1428224855e6d515d81da226448b81521

SHA1

6f75f2490186225c922fe605953038bdeb537fee

Remediation

  • Block the threat indicators at their respective controls.
  • Do not download unexpected email attachments without verification. 
  • Keep protections for running macro scripts in Outlook enabled. 
  • Services
    • Assess
      • Compromise Assessment
      • APT Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Respond
      • Incident Response
      • Incident Analysis
  • Transform
    • SOC Consultancy
    •     SOC Maturity Assessment
    •     SOC Model Evaluation
    •     SOC Gap Analysis
    •     SIEM Gap Analysis
    •     SIEM Optimization
    •     SOC Content Pack
  • Train
    • Security Awareness and Training
    • Tabletop Exercise
    • Simulated Cyber Attack Exercises
  • Managed Security
    • Managed Security Monitoring
      • Remote SOC
      • Onsite SOC
      • Hybrid SOC
    • Managed Security Services
      • Managed Detection and Response
      • Managed Endpoint Detection and Response
      • Managed Threat Intelligence
      • Managed Threat Hunting
      • Managed Risk-Based SOAR
      • Managed Penetration Testing
  • Solutions
  • Resources
    • Blog
    • Threat Advisory
  • Company
    • About Us
    • Careers
    • Contact
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.