The Carrier
- Trend Micro has identified emails with subjects such as “Coronavirus (2019-nCoV)” that carry malicious attachments in DOCX format.
- Some of these emails use COVID-19 lures to capitalize on the Coronavirus panic, which makes recipients more likely to open such emails and attachments.
- The malicious attachments use the Gamaredon group's tactics.
The Malware
- When the DOCX attachment is opened, a template injection technique loads the document template from a remote server on the internet.
- The malicious macro code in the downloaded template (in DOT format) executes a VBScript (VBS).
- The downloaded template differs for each download, but the following metadata remains the same:
  - Identification: Word 8.0
  - Language code: Russian
  - System: Windows
  - Author: АДМИН (Administrator)
  - Code page: Windows Cyrillic
The Risk
- The malware gives attackers access to keystrokes, files and the webcam, and lets them install other malware or ransomware.
- The obfuscated VBS generated by the macro is an additional tactic that increases the malware's chances of evading detection.
The Threat Actor
- Gamaredon is an advanced persistent threat (APT) group that has been active since 2013.
- The group allegedly had ties to the Ukrainian revolution in 2014.
- The group's campaigns are known for targeting Ukrainian government institutions.
- The IP addresses used for template injection (176[.]119[.]147[.]225) and for the VBS (176[.]57[.]215[.]115) belong to Russian hosting companies.
Tactics, Methods, and Techniques employed by Gamaredon
| Tactic | Technique |
|---|---|
| Initial Infection | https://attack.mitre.org/techniques/T1193/ |
| Execution | https://attack.mitre.org/techniques/T1204/, https://attack.mitre.org/techniques/T1221/ |
| Defence Evasion | https://attack.mitre.org/techniques/T1064/, https://attack.mitre.org/techniques/T1140/, https://attack.mitre.org/techniques/T1107/ |
| Persistence | https://attack.mitre.org/techniques/T1060/ |
| C&C and System Discovery | https://attack.mitre.org/techniques/T1071/, https://attack.mitre.org/techniques/T1082/, https://attack.mitre.org/techniques/T1001/ |
| Lateral Movement | https://attack.mitre.org/techniques/T1105/ |
Indicators of Compromise
DOCX file (SHA256, Detection Name)
DOT file (SHA256, Detection Name, TrendX)
DOT file (SHA256, Detection Name, TrendX)
C&C Addresses