Schedule a demo

APT group Gamaredon adopts COVID-19 lures to spread malware

Summary

Gamaredon drops emails with malicious attachments that inject malicious macros codes, evades detection. Some of these emails use COVID-19 lures as well.

The Carrier

  • Trend Micro has identified emails, with subjects such as “Coronavirus (2019-nCoV)“, which contain malicious attachments in docx format.
  • Some of these emails use COVID-19 lures, to capitalize on the Coronavirus panic, which makes people more susceptible to opening such emails and attachments.
  • The malware attachments use the Gamaredon group’s tactics.

The Malware

  • When the docx attachment is opened, a template injection technique loads the document template from the internet.
  • The malicious macro codes, in the downloaded template (in dot format), execute a VBScript (VBS).
  • The downloaded template is different for each download, but the following metadata remains the same:
    • Identification: Word 8.0
    • Language code: Russian
    • System: Windows
    • Author: АДМИН (Administrator)
    • Code page: Windows Cyrillic

The Risk

  • The malware gives hackers access to keystrokes, files, webcam, or to install other malware or ransomware.
  • The obfuscated VBS, generated by the macro, serves as an additional tactic that increases its chances of evading detection.

The Threat Actor

  • Gamaredon is an advanced persistent threat (APT) group that has been active since 2013.
  • The group allegedly had ties to the Ukranian revolution in 2014.
  • The groups campaigns are known for targeting Ukrainian government institutions.
  • The IP addresses for template injection (176[.]119[.]147[.]225) and VBS (176[.]57[.]215[.]115) are from Russian hosting companies.
Gamaredon

Tactics, Methods, and Techniques employed by Gamaredon

Tactics
Method
Technique
Initial Infection
  • Emails, with subjects such as “Coronavirus (2019-nCoV)“, which contain malicious attachments in docx format.
 https://attack.mitre.org/techniques/T1193/
Execution
  • When the docx attachment is opened, a template injection technique loads the document template from the internet.
  • The downloaded template is different for each download, but the metadata remains the same.
 https://attack.mitre.org/techniques/T1204/  https://attack.mitre.org/techniques/T1221/
Defence Evasion
  • The malicious macro codes, in the downloaded template (in dot format), execute a VBScript (VBS).
  • It drops “%USERPROFILE%\Documents\MediaPlayer\PlayList.vbs,” which is hardcoded in the macro.
  • It is then executed in “wscript.exe //b %USERPROFILE%\Documents\MediaPlayer\PlayList.vbs,” which contains the obfuscated codes that it executes after decrypting the obfuscations.
  • If the downloaded file size of “%APPDATA%\Microsoft\Windows\Cookies.exe” exceeds 4,485 bytes, it is executed.
  • “%APPDATA%\Microsoft\Windows\Cookies.txt” and “%APPDATA%\Microsoft\Windows\Cookies.exe” are deleted.
 https://attack.mitre.org/techniques/T1064/  https://attack.mitre.org/techniques/T1140/ https://attack.mitre.org/techniques/T1107/
Persistence
  • Register the RUN key in the registry, so that the VBS file is executed every time the machine starts Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\MediaPlayer wscript.exe //b %USERPROFILE%\Documents\MediaPlayer\PlayList.vbs
 https://attack.mitre.org/techniques/T1060/
C&C and System Discovery
  • The malware contacts the command and control server and connects with “hxxp:// kristom[.]hopto[.]org /{computer name}_{hexadecimal volume serious number}/help_05_03[.]php”
  • XOR is used for the file saved from the 2nd step, where ASCII code, converted from its hexadecimal volume serial number, is used as the key and the decrypted result is saved as “%APPDATA%\Microsoft\Windows\Cookies.exe”
 https://attack.mitre.org/techniques/T1071/  https://attack.mitre.org/techniques/T1082/ https://attack.mitre.org/techniques/T1001/
Lateral Movement
  • If the downloaded file size in the first step exceeds 10,485 bytes, then the file is saved as “%APPDATA%\Microsoft\Windows\Cookies.txt”
 https://attack.mitre.org/techniques/T1105/

Indicators of Compromise

DOCX file
SHA256
Detection Name
0d90fe36866ee30eb5e4fd98583bc2fdb5b7da37e42692f390ac5f807a13f057 W97M_CVE20170199.ZYHC-A
036c2088cb48215f21d4f7d751d750b859d57018c04f6cadd45c0c4fee23a9f8 Trojan.W97M.CVE20170199.PG
19d03a25af5b71e859561ff8ccc0a073acb9c61b987bdb28395339f72baf46b4 Trojan.XML.PHISH.AE
62cf22f840fffd8d8781e52b492b03b4efc835571b48823b07535d52b182e861 W97M_CVE20170199.ZKHC-A
8310d39aa1cdd13ca82c769d61049310f8ddaea7cd2c3b940a8a3c248e5e7b06 Trojan.W97M.CVE20170199.PF
84e0b1d94a43c87de55c000e3acae17f4493a57badda3b27146ad8ed0f90c93e Trojan.W97M.CVE20170199.PG
85267e52016b6124e4e42f8b52e68475174c8a2bdf0bc0b501e058e2d388a819 Trojan.W97M.CVE20170199.PF
b6a94f565d482906be7da4d801153eb4dab46d92f43be3e1d59ddd2c7f328109 Trojan.W97M.CVE20170199.PF
cc775e3cf1a64effa55570715b73413c3ea3a6b47764a998b1272b5be059c25b Trojan.W97M.CVE20170199.PF

DOT file
SHA256
Detection Name
TrendX
00b761bce25594da4c760574d224589daf01086c5637042982767a13a2f61bea Mal_OLEMAL-4 Downloader.VBA.TRX.XXVBAF01FF007
250b09f87fe506fbc6cedf9dbfcb594f7795ed0e02f982b5837334f09e8a184b Mal_OLEMAL-4
4b3ae36b04d6aba70089cb2099e6bc1ba16d16ea24bbf09992f23260151b9faf Mal_OLEMAL-4
946405e2f26e1cc0bd22bc7e12d403da939f02e9c4d8ddd012f049cf4bf1fda9 Mal_OLEMAL-4
9cd5fa89d579a664c28da16064057096a5703773cef0a079f228f21a4b7fd5d2 Mal_OLEMAL-4
c089ccd376c9a4d5e5bdd553181ab4821d2c26fefc299cce7a4f023a660484d5 Mal_OLEMAL-4
e888b5e657b41d45ef0b2ed939e27ff9ea3a11c46946e31372cf26d92361c012 W97M_VBSDOWNLDR.ZKHC-A
f577d2b97963b717981c01b535f257e03688ff4a918aa66352aa9cd31845b67d W97M_VBSDOWNLDR.ZYHC-A

DOT file
SHA256
Detection Name
TrendX
17161e0ab3907f637c2202a384de67fca49171c79b1b24db7c78a4680637e3d5 Trojan.X97M.CVE201711882.THCOCBO Downloader.VBA.TRX.XXVBAF01FF006
29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923 TrojanSpy.Win32.FAREIT.UHBAZCLIZ N/A
315e297ac510f3f2a60176f9c12fcf92681bbad758135767ba805cdea830b9ee Trojan.X97M.CVE201711882.THCOCBO Downloader.VBA.TRX.XXVBAF01FF006
3e6166a6961bc7c23d316ea9bca87d8287a4044865c3e73064054e805ef5ca1a Backdoor.Win32.REMCOS.USMANEAGFG Troj.Win32.TRX.XXPE50FFF034
3f40d4a0d0fe1eea58fa1c71308431b5c2ce6e381cacc7291e501f4eed57bfd2 Trojan.MSIL.AGENTTESLA.THCOCBO N/A
ab533d6ca0c2be8860a0f7fbfc7820ffd595edc63e540ff4c5991808da6a257d Trojan.X97M.CVE201711882.THCOCBO N/A
b78a3d21325d3db7470fbf1a6d254e23d349531fca4d7f458b33ca93c91e61cd Backdoor.Win32.REMCOS.USMANEAGFE Troj.Win32.TRX.XXPE50FFF034
c9c0180eba2a712f1aba1303b90cbf12c1117451ce13b68715931abc437b10cd TrojanSpy.Win32.FAREIT.UHBAZCLIZ Troj.Win32.TRX.XXPE50FFF034

C & C Addresses
Bambinos[.]bounceme[.]net papir[.]hopto[.]org
bbtt[.]site sabdja[.]3utilities[.]com
bbtt[.]space sakira[.]3utilities[.]com
harpa[.]site seliconos[.]3utilities[.]com
harpa[.]space solod[.]bounceme[.]net
harpa[.]website sonik[.]hopto[.]org
himym[.]site tele[.]3utilities[.]com
kristoffer[.]hopto[.]org violina[.]website
kristom[.]hopto[.]org voyager[.]myftp[.]biz
miragena[.]site voyaget[.]myftp[.]biz
miragena[.]xyz

Table of Contents

Try XVigil for free

Request an easy and customized demo for free

Be informed in your Inbox
Sign up now to our Threat intelligence Newsletter and be the first to know about threats first in your inbox.
Subscribe now
Join the Discussions
Discuss your way into our Community about these threats and stay Vigilant and informed.
Discuss Now