APT group Gamaredon adopts COVID-19 lures to spread malware

Gamaredon sends emails carrying malicious attachments whose injected macro code drops and runs a VBScript while evading detection. Some of these emails use COVID-19 lures.


Gamaredon

Each entry below gives the tactic, the observed method, and the matching MITRE ATT&CK technique.

Initial Infection
  • Emails with subjects such as “Coronavirus (2019-nCoV)” carry malicious attachments in docx format.
  Technique: https://attack.mitre.org/techniques/T1193/ (Spearphishing Attachment)
Execution
  • When the docx attachment is opened, a template injection technique loads the document template from the internet, so the macro code does not have to be present in the attachment itself.
  • The downloaded template differs for each download, but its metadata remains the same.
  Techniques: https://attack.mitre.org/techniques/T1204/ (User Execution), https://attack.mitre.org/techniques/T1221/ (Template Injection)

Defence Evasion
  • The macro code in the downloaded template (a .dot file) executes a VBScript (VBS).
  • It drops “%USERPROFILE%\Documents\MediaPlayer\PlayList.vbs”, a path that is hardcoded in the macro.
  • The script is launched as “wscript.exe //b %USERPROFILE%\Documents\MediaPlayer\PlayList.vbs” (the //b switch suppresses script errors and prompts); it contains obfuscated code that is decoded at runtime and then executed.
  • If the decoded payload written to “%APPDATA%\Microsoft\Windows\Cookies.exe” (see the C&C and System Discovery entry) is larger than 4,485 bytes, it is executed.
  • Afterwards “%APPDATA%\Microsoft\Windows\Cookies.txt” and “%APPDATA%\Microsoft\Windows\Cookies.exe” are deleted.
  Techniques: https://attack.mitre.org/techniques/T1064/ (Scripting), https://attack.mitre.org/techniques/T1140/ (Deobfuscate/Decode Files or Information), https://attack.mitre.org/techniques/T1107/ (File Deletion)

Persistence
  • A RunOnce registry value is registered so that the VBS file is executed at the next user logon. Windows removes a RunOnce value after running it, so persistence beyond a single logon depends on the script rewriting the value.
    Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\MediaPlayer
    Value: wscript.exe //b %USERPROFILE%\Documents\MediaPlayer\PlayList.vbs
  Technique: https://attack.mitre.org/techniques/T1060/ (Registry Run Keys / Startup Folder)
C&C and System Discovery
  • The malware contacts the command and control server at “hxxp://kristom[.]hopto[.]org/{computer name}_{hexadecimal volume serial number}/help_05_03[.]php”; the computer name and volume serial number embedded in the path identify the victim host.
  • The file saved in the download step (“%APPDATA%\Microsoft\Windows\Cookies.txt”) is XOR-decoded using the ASCII text of the hexadecimal volume serial number as the key, and the result is saved as “%APPDATA%\Microsoft\Windows\Cookies.exe”. Because the key is derived from the host, a captured Cookies.txt will not decode on another machine without that host's serial number.
  Techniques: https://attack.mitre.org/techniques/T1071/ (Standard Application Layer Protocol), https://attack.mitre.org/techniques/T1082/ (System Information Discovery), https://attack.mitre.org/techniques/T1001/ (Data Obfuscation)

Lateral Movement
  • If the file downloaded from the C&C server in the first step exceeds 10,485 bytes, it is saved as “%APPDATA%\Microsoft\Windows\Cookies.txt” and then decoded and executed as described in the entries above.
  Technique: https://attack.mitre.org/techniques/T1105/ (Remote File Copy)
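The payload staging described in the C&C and System Discovery entry and the download step above, reconstructed as an added Python example (not code from the report or from the malware). Two assumptions are labelled in the code: the key is the volume serial number rendered as eight upper-case hexadecimal digits and applied as a repeating XOR key, and the dropped executable starts with the usual DOS header bytes. The second assumption is what lets an analyst recover the key from a captured Cookies.txt by known plaintext even when the victim's serial number is not available. The sample blob is constructed, not a real sample.

```python
import itertools
import string
from typing import Optional, Tuple

# Size gates from the report: the download is kept only above 10,485 bytes
# and the decoded executable is run only above 4,485 bytes.
MIN_DOWNLOAD_SIZE = 10_485
MIN_DECODED_SIZE = 4_485

# First eight bytes of a typical PE file ("MZ", e_cblp=0x90, e_cp=3).
# Assumption used only for key recovery: the dropped executable starts this way.
PE_HEADER_PREFIX = b"MZ\x90\x00\x03\x00\x00\x00"
HEX_BYTES = frozenset(string.hexdigits.encode("ascii"))


def serial_key(volume_serial: int) -> bytes:
    """Key derivation as the report describes it, with one assumption: the
    serial number is rendered as eight upper-case hex digits (the form that
    `vol` and most GetVolumeInformation callers print)."""
    return f"{volume_serial:08X}".encode("ascii")


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; the same call encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(key)))


def stage_download(downloaded: bytes, volume_serial: int) -> Tuple[Optional[bytes], bool]:
    """Mirror the staging logic: keep the download only if it passes the size
    gate, XOR-decode it with the serial-derived key, then report whether the
    decoded file passes the execution gate. Returns (decoded, would_execute)."""
    if len(downloaded) <= MIN_DOWNLOAD_SIZE:
        return None, False
    decoded = xor_repeating(downloaded, serial_key(volume_serial))
    return decoded, len(decoded) > MIN_DECODED_SIZE


def recover_key(cookies_txt: bytes) -> Optional[bytes]:
    """Analyst-side known-plaintext attack: with an 8-byte key and an 8-byte
    known header, the key is simply ciphertext XOR header. A result that is
    not made of hex digits means the header assumption did not hold."""
    if len(cookies_txt) < len(PE_HEADER_PREFIX):
        return None
    key = bytes(c ^ p for c, p in zip(cookies_txt, PE_HEADER_PREFIX))
    return key if all(b in HEX_BYTES for b in key) else None


def build_sample_cookies_txt(volume_serial: int, size: int = 12_000) -> bytes:
    """Constructed stand-in for Cookies.txt: a fake PE-shaped blob (DOS header
    plus filler) XOR-encoded with the serial key. Not a real sample."""
    body = PE_HEADER_PREFIX + b"\x04\x00" + bytes((i * 7) & 0xFF for i in range(size - 10))
    return xor_repeating(body, serial_key(volume_serial))


if __name__ == "__main__":
    serial = 0x1A2B3C4D  # placeholder volume serial number
    blob = build_sample_cookies_txt(serial)
    print(recover_key(blob))            # b'1A2B3C4D'
    decoded, would_run = stage_download(blob, serial)
    print(decoded[:2], would_run)       # b'MZ' True
```

Note that with the thresholds as reported the second gate is implied by the first, since XOR does not change the length; the decoded-size check only matters if the download gate differs from what is described here. For triage, recover_key on a quarantined Cookies.txt both yields the executable for analysis and confirms which host it was staged on, since the key is the host's volume serial number.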
