Security News > 2020 > June > Russia-linked Gamaredon hacker crew using Microsoft's Visual Basic for Applications to pwn Microsoft's Outlook
Security researchers claim to have uncovered "Several previously undocumented post-compromise tools" used by a Russia-linked APT to target Microsoft Office and Outlook through Visual Basic for Applications.
The Gamaredon hacking crew is said to be targeting Outlook through Visual Basic for Applications, allowing attackers to access the target account's contact book so they can forward phishing emails to a new batch of potential victims.
"While abusing a compromised mailbox to send malicious emails without the victim's consent is not a new technique, we believe this is the first publicly documented case of an attack group using an OTM file and Outlook macro to achieve it," said researcher Jean-Ian Boutin.
To compromise Outlook, the malware runs a Visual Basic script that kills the Outlook system process before changing Windows registry values to strip away security settings preventing VBA macro execution, said ESET. It then fires up Outlook and loads its malicious VBA project.
Gamaredon has been an active APT crew since 2013, initially known for targeting Ukrainian government institutions.
News URL
https://go.theregister.com/feed/www.theregister.com/2020/06/11/eset_gamaredon_outlook/
Related news
- Windows 10 KB5051974 update force installs new Microsoft Outlook app (source)
- Microsoft: Russian-Linked Hackers Using 'Device Code Phishing' to Hijack Accounts (source)
- Microsoft: Hackers steal emails in device code phishing attacks (source)
- Chinese hackers abuse Microsoft APP-v tool to evade antivirus (source)
- Microsoft fixes Outlook drag-and-drop broken by Windows updates (source)
- Microsoft: North Korean hackers join Qilin ransomware gang (source)
- Microsoft says button to restore classic Outlook is broken (source)
- Microsoft Exchange Online outage affects Outlook web users (source)
- Microsoft fixes button that restores classic Outlook client (source)