Gamaredon is a threat group that has created a new VBA macro to attack Microsoft Outlook users by accessing their contacts. According to researchers, a new version of the Gamaredon post-compromise toolset can create a new type of threat.

Specifically, the threat group has added a new Visual Basic for Applications (VBA) macro to the toolkit. This allows bad actors to enter Microsoft Outlook accounts through spear-phishing campaigns set to user contacts.

Of course, a spear phishing campaign conducted through email is hardly anything new. However, security teams say this method of compromising an inbox is the first public example of an attack that combines Outlook macro with OTM.

If you’re unfamiliar with OTM, it is a file that store macros for Microsoft Outlook.

“In the last few months, there has been an increase in activity from this group, with constant waves of malicious emails hitting their targets’ mailboxes,” according to Jean-Ian Boutin, senior malware researcher with ESET, in a Thursday analysis. “The attachments to these emails are documents with malicious macros that, when executed, try to download a multitude of different malware variants.”

Attack Method

Attackers can target users through emails that have attachments. Like most phishing attacks, this involves a legitimate looking email that tricks users into clicking a link. When an Outlook user is compromised by the attack, the bad actor can send malicious in a 7z self-extracting archive

This malicious cost runs the BVScript that ends the Outlook process and removes security protections from the VBA macro. An infected OTM file is then placed onto the device storage. Attackers can then use this access to send emails to contacts in the victims Outlook.

Like the initial attack, the email sent to other contacts also contains an attachment with malicious code. Because the email comes from a seemingly legitimate contact, the recipient may be more likely to open the link.