Russia-linked Gamaredon hacker crew using Microsoft's Visual Basic for Applications to pwn Microsoft's Outlook

Security researchers claim to have uncovered "several previously undocumented post-compromise tools" used by a Russia-linked APT to target Microsoft Office and Outlook through Visual Basic for Applications.
The Gamaredon hacking crew is said to be targeting Outlook through Visual Basic for Applications, allowing attackers to access the target account's contact book so they can forward phishing emails to a new batch of potential victims.
"While abusing a compromised mailbox to send malicious emails without the victim's consent is not a new technique, we believe this is the first publicly documented case of an attack group using an OTM file and Outlook macro to achieve it," said researcher Jean-Ian Boutin.
To compromise Outlook, the malware runs a Visual Basic script that kills the Outlook system process before changing Windows registry values to strip away security settings preventing VBA macro execution, said ESET. It then fires up Outlook and loads its malicious VBA project.
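The chain described above (Outlook killed, macro security weakened in the registry, a VBA project put in place before Outlook restarts) can be hunted for by correlating endpoint events per host. The Python below is an added example, not code from ESET or the article: the event tuples are constructed, and the registry value (`Outlook\Security\Level`, where 1 runs all macros) and the `VbaProject.OTM` file name are assumptions based on standard Outlook behaviour rather than details stated on this page.

```python
import re
from datetime import datetime, timedelta
# Assumption: Outlook's per-user macro security value (1 = run all macros)
# and its VBA project file live at these standard locations.
LEVEL_KEY = re.compile(r"\\Office\\[\d.]+\\Outlook\\Security\\Level$", re.I)
OTM_FILE = re.compile(r"\\Microsoft\\Outlook\\VbaProject\.OTM$", re.I)

# Constructed telemetry, not real logs: (time, host, kind, process, target, value)
EVENTS = [
    ("2020-06-11T09:00:01", "WS-01", "proc_kill", "wscript.exe", "OUTLOOK.EXE", ""),
    ("2020-06-11T09:00:02", "WS-01", "reg_set", "wscript.exe",
     r"HKU\S-1-5-21-0\Software\Microsoft\Office\16.0\Outlook\Security\Level", "1"),
    ("2020-06-11T09:00:03", "WS-01", "file_write", "wscript.exe",
     r"C:\Users\a\AppData\Roaming\Microsoft\Outlook\VbaProject.OTM", ""),
    # Benign: Outlook saves the user's own macro project
    ("2020-06-11T10:00:00", "WS-02", "file_write", "OUTLOOK.EXE",
     r"C:\Users\b\AppData\Roaming\Microsoft\Outlook\VbaProject.OTM", ""),
    # Benign: policy tightened to "disable all macros"
    ("2020-06-11T11:00:00", "WS-03", "reg_set", "reg.exe",
     r"HKU\S-1-5-21-1\Software\Microsoft\Office\16.0\Outlook\Security\Level", "4"),
]

def signal(kind, process, target, value):
    """Name the step of the described chain that one event matches (else None)."""
    if kind == "proc_kill" and target.lower() == "outlook.exe":
        return "outlook_killed"
    if kind == "reg_set" and LEVEL_KEY.search(target) and value == "1":
        return "macro_security_lowered"
    if kind == "file_write" and OTM_FILE.search(target) and process.lower() != "outlook.exe":
        return "otm_written_by_other_process"

def detect(events, window=timedelta(minutes=5), min_signals=2):
    """Return {host: signals} where enough distinct steps fall inside one window."""
    hits = {}
    for ts, host, kind, proc, target, value in sorted(events):
        name = signal(kind, proc, target, value)
        if name:
            hits.setdefault(host, []).append((datetime.fromisoformat(ts), name))
    alerts = {}
    for host, seq in hits.items():
        for start, _ in seq:
            seen = {n for t, n in seq if start <= t <= start + window}
            if len(seen) >= min_signals:
                alerts[host] = sorted(seen)
                break
    return alerts

if __name__ == "__main__":
    print(detect(EVENTS))
```

Requiring two or more distinct steps inside the window keeps a lone event, such as a user closing Outlook or an administrator tightening macro policy, from raising an alert.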
Gamaredon has been an active APT crew since 2013, initially known for targeting Ukrainian government institutions.
News URL
https://go.theregister.com/feed/www.theregister.com/2020/06/11/eset_gamaredon_outlook/