Microsoft Outlook Users Targeted By Gamaredon’s New VBA Macro
Quote: The Gamaredon threat group has given its post-compromise toolset a facelift with the addition of a new Visual Basic for Applications (VBA) macro. The VBA macro leverages compromised victims’ Microsoft Outlook email accounts to send spear-phishing emails to their contacts – rapidly widening the potential attack surface.
 
Researchers say, while abusing a compromised mailbox to send malicious emails is not a new technique, this is the first publicly documented case of an attack group using both an Outlook macro and an OTM file to do so. An OTM file stores macros that are written for Microsoft Outlook.
 
“In the last few months, there has been an increase in activity from this group, with constant waves of malicious emails hitting their targets’ mailboxes,” according to Jean-Ian Boutin, senior malware researcher with ESET, in a Thursday analysis. “The attachments to these emails are documents with malicious macros that, when executed, try to download a multitude of different malware variants.”

After the victim is initially compromised (typically via a spear-phishing email with a malicious attachment), malicious code is first delivered in a 7z self-extracting archive. 7z are compressed archive files created with 7-Zip open source software. The code runs a VBScript that first kills the victim’s Outlook process (if it is running), and then removes any security protections around VBA macro execution in Outlook by changing registry values.

Read more: https://threatpost.com/microsoft-outlook...ro/156484/
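A defender-side check for the two artifacts the quoted article describes: Outlook macro security lowered through the registry, and an Outlook OTM macro file. This is an added example, not part of the post or the article. The registry path, the `Level` value and its meanings, the Office version list and the default `VbaProject.OTM` location are assumptions based on standard Outlook behaviour, not details given in the article.

```powershell
# Added example: audit Outlook VBA macro exposure for the current user.
# Assumptions (not from the article): registry locations, "Level" semantics,
# Office version keys and the default VbaProject.OTM path.
$versions = '12.0', '14.0', '15.0', '16.0'
$roots = 'HKCU:\Software\Microsoft\Office',
         'HKCU:\Software\Policies\Microsoft\Office'
$levelNames = @{
    1 = 'Enable all macros'
    2 = 'Notifications for all macros'
    3 = 'Notifications for digitally signed macros'
    4 = 'Disable all macros'
}

function Get-OutlookMacroSecurity {
    foreach ($root in $roots) {
        foreach ($v in $versions) {
            $key = "$root\$v\Outlook\Security"
            if (-not (Test-Path $key)) { continue }
            $level = (Get-ItemProperty -Path $key -Name Level `
                        -ErrorAction SilentlyContinue).Level
            if ($null -eq $level) { continue }   # value absent: Outlook default applies
            [pscustomobject]@{
                Key        = $key
                Level      = $level
                Meaning    = $levelNames[[int]$level]
                Suspicious = ($level -eq 1)      # all macros run without prompting
            }
        }
    }
}

function Get-OutlookOtmFile {
    # Outlook keeps its VBA project in a single OTM file per profile.
    $otm = Join-Path $env:APPDATA 'Microsoft\Outlook\VbaProject.OTM'
    if (-not (Test-Path $otm)) { return }
    $f = Get-Item $otm
    [pscustomobject]@{
        Path          = $f.FullName
        Length        = $f.Length
        LastWriteTime = $f.LastWriteTime
        SHA256        = (Get-FileHash $f.FullName -Algorithm SHA256).Hash
    }
}

Get-OutlookMacroSecurity | Format-Table -AutoSize
Get-OutlookOtmFile | Format-List
```

An OTM file is legitimate on machines where the user writes Outlook macros, so treat it as a lead to review alongside the `Level` setting and the file's write time rather than as proof of compromise.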