[About TrendLabs Security Intelligence Blog](https://blog.trendmicro.com/trendlabs-security-intelligence/about-us/) Search: Go to… [Home](http://blog.trendmicro.com/trendlabs-security-intelligence/) Categories [Home » Malware » Gamaredon APT Group Use Covid-19 Lure in Campaigns](https://blog.trendmicro.com/trendlabs-security-intelligence/) # Gamaredon APT Group Use Covid-19 Lure in Campaigns [Posted on:April 17, 2020 at 5:12 am](https://blog.trendmicro.com/trendlabs-security-intelligence/2020/04/) [Posted in:Malware, Spam, Targeted Attacks](https://blog.trendmicro.com/trendlabs-security-intelligence/category/malware/) Author: [Trend Micro](https://blog.trendmicro.com/trendlabs-security-intelligence/author/trend-micro/) [0](https://blog.trendmicro.com/trendlabs-security-intelligence/gamaredon-apt-group-use-covid-19-lure-in-campaigns/#respond) **By Hiroyuki Kakara and Erina Maruyama** Gamaredon is an advanced persistent threat (APT) group that has been active since 2013. Their campaigns are generally known for targeting Ukrainian government institutions. From late 2019 to February of this year, researchers published several reports on Gamaredon, tracking the group’s activities. In March, we came across an email with a malware attachment that used the Gamaredon group’s tactics. Some of the emails used the coronavirus pandemic as a topic to lure victims into opening emails and attachments. These campaigns targeted victims in European countries and others. ### A brief history of Gamaredon In 2015, researchers from LookingGlass published the first [report on Gamaredon. According to that report, the early campaigns used Microsoft Word documents that,](https://www.lookingglasscyber.com/wp-content/uploads/2015/08/Operation_Armageddon_Final.pdf) when inspected, showed that its most recent user went by the name of Armagedon (a misspelled “Armageddon”), which became the basis of the group’s namesake. The report also described Gamaredon’s political beginnings, particularly its ties to the Ukrainian revolution in 2014. Before the revolution they had targeted Ukrainian government officials, opposition party members, and journalists. They moved on to Ukrainian government institutions after the revolution. In 2018, CERT[UA published an advisory against the malware Pterodo, which the group allegedly used.](https://cert.gov.ua/news/46) The group remained active, with several Gamaredon-related activities reported in February 2020. In March, they were [among the threat groups that were identified](https://www.csoonline.com/article/3532825/6-ways-attackers-are-exploiting-the-covid-19-crisis.html) taking advantage of the coronavirus pandemic to trick targets. ### Gamaredon and Covid-19-related cover emails ----- The case we found arrived through a targeted email that contained a document file (in docx format). Opening document starts a template injection technique for loading the document template from the internet. The downloaded document template contains the malicious macro codes, which executes a VBScript (VBS). We found a mechanism for decrypting, executing, and downloading an additional payload from the C&C server. During the time of the analysis however, the C&C server was not accessible, which made us unable to get additional payloads. The attacks we found all arrived through targeted emails (MITRE ATT&CK framework ID [T1193). One of them even had the subject “Coronavirus (2019-nCoV).”](https://attack.mitre.org/techniques/T1193/) The use of socially relevant topics is a common practice for attackers who wish to make their emails and documents more tempting to open. The email that used the coronavirus-related subject came with an attached document file. Opening this file (MITRE ATT&CK framework ID [T1204) executes the template injection method](https://attack.mitre.org/techniques/T1204/) [(MITRE ATT&CK framework ID T1221).](https://attack.mitre.org/techniques/T1221/) Figure 2. Code for downloading the document template with the malicious macro The downloaded document template (in dot format) could differ slightly depending on each download. However, its Exif info or metadata remains consistent and shares the following details: Identification: Word 8.0 Language code: Russian System: Windows Author: АДМИН (“Administrator” in Russian) Code page: Windows Cyrillic Figure 3. A sample of malicious macro in the downloaded template document As mentioned, the template contains malicious macro (MITRE ATT&CK framework ID [T1064), which exports VBS (MITRE ATT&CK framework ID](https://attack.mitre.org/techniques/T1064/) [T1064) to](https://attack.mitre.org/techniques/T1064/) execute itself. More specifically it drops “%USERPROFILE%\Documents\MediaPlayer\PlayList.vbs,” which is hardcoded in the macro, and then executed in “wscript.exe //b %USERPROFILE%\Documents\MediaPlayer\PlayList.vbs.” Figure 4. A content sample for VBS dropped by malicious macro PlayList.vbs contains the obfuscated codes (MITRE ATT&CK framework ID [T1140), which it executes after decrypting the obfuscations. This particular behavior is](https://attack.mitre.org/techniques/T1140/) a slight departure from previously reported attacks by Gamaredon, which did not use this technique. ----- Figure 5. A sample of executed VBS Figure 5 shows a snippet of the VBS executed by the Execute function. The routines it follows are enumerated below. 1. Register the RUN key in the registry below, so that the VBS file is executed every time the machine starts (MITRE ATT&CK framework ID T1060) Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\MediaPlayer wscript.exe //b %USERPROFILE%\Documents\MediaPlayer\PlayList.vbs 2. Connect with “hxxp:// kristom[.]hopto[.]org /{computer name}_{hexadecimal volume serious number}/help_05_03[.]php” (MITRE ATT&CK framework IDs [T1043, T1071, T1082)](https://attack.mitre.org/techniques/T1043/) 3. If the downloaded file size in the first step exceeds 10,485 bytes, then the file is saved as “%APPDATA%\\Microsoft\Windows\Cookies.txt” (MITRE ATT&CK framework ID [T1105)](https://attack.mitre.org/techniques/T1105/) 4. Use XOR for the file saved from the second step, where ASCII code converted from its own hexadecimal volume serial number is used as the key. The [decrypted result is saved as “%APPDATA%\\Microsoft\Windows\Cookies.exe” (T1001)](https://attack.mitre.org/techniques/T1001/) 5. If the file size of “%APPDATA%\\Microsoft\Windows\Cookies.exe” exceeds 4,485 bytes, it is executed. 6. Both “%APPDATA%\\Microsoft\Windows\Cookies.txt” and “%APPDATA%\\Microsoft\Windows\Cookies.exe” are then deleted (MITRE ATT&CK framework ID [T1107)](https://attack.mitre.org/techniques/T1107/) The observed routines of this VBS closely follow the other reports published on Gamaredon, such as the one from [SentinelOne. However, the macro generated VBS](https://labs.sentinelone.com/pro-russian-cyberspy-gamaredon-intensifies-ukrainian-security-targeting/) was obfuscated in this case, likely as an additional evasive tactic. Interestingly, after decoding the VBS, we saw what appeared to be a programming mistake by the attacker. Lines 53 and 54 in figure 6 are for closing those downloaded and decoded TXT and EXE files, which are variables defined right before the IF statement. If, however, these lines do not pass through this IF statement, an error would occur. It shows that this malware is not tested enough, and may still be under development. Our analysis found several URLs of the network destinations for both template injection and VBS. While resolving them to IP addresses to understand their attack bases, we also found that they were all linked to the following IP addresses. Network destination for template injection: 176[.]119[.]147[.]225 Network destination for VBS: 176[.]57[.]215[.]115 These IP addresses are from Russian hosting companies. Most likely, the attackers rented Virtual Private Server (VPS) as their attack base. Their URL for VBS (shown below) likely includes the data when they conducted the attack. hxxp://{FQDN}/{computer name}_{hexadecimal volume serial number}/help_{day}_{month}[.]php ### Conclusion Gameradon is not the first group to take advantage of the Covid-19 topic. Some cybercriminals have taken to indirect means of profiting, such as by targeting communication platforms that have increased in popularity after organizations shifted to work from home setups. In this case, they used Covid-19 as a cover for their relatively typical APT routine. We recommend these countermeasures to prevent similar APT attacks in the future: ----- Check the file extension of the attached file and make sure it is the intended file format. Avoid activating macro for any attached Microsoft Office files, especially for emails that request macro activation using an image of the body of the opened file or those that don’t show anything. Watch out for spoofed domains embedded in emails before opening them. Subtle changes to a popular URL can be one indicator of malicious content. In addition to these actions, users can also implement a multi-layer approach and take advantage of these solutions. [Trend Micro™ Smart Protection Suitesand](https://www.trendmicro.com/us/business/complete-user-protection/index.html) [Worry-Free™ Business Security protects users and businesses from similar threats by detecting malicious files and](https://www.trendmicro.com/us/small-business/product-security/) spammed messages as well as blocking all related malicious URLs. [Trend Micro Deep Discovery™ has an email inspection layer that can protect enterprises](https://www.trendmicro.com/us/enterprise/security-risk-management/deep-discovery/) by detecting malicious attachments and URLs. [Trend Micro™ Hosted Email Securityis a no-maintenance cloud solution that delivers continuously updated protection to stop spam, malware, spear phishing,](https://www.trendmicro.com/us/small-business/hosted-email-security/) ransomware, and advanced targeted attacks before they reach the network. It protects Microsoft Exchange, [Microsoft Office 365, Google Apps, and other](https://www.trendmicro.com/us/business/saas/cloud-app-security/office-365/index.html) hosted and on-premises email solutions. [Trend Micro™ OfficeScan™with](https://www.trendmicro.com/us/enterprise/product-security/officescan/) [XGen™ endpoint security infuses high-fidelity machine learning with other detection technologies and global threat](https://www.trendmicro.com/us/business/xgen/index.html) intelligence for comprehensive protection against advanced malware. The [Trend Micro[TM]XDR solution effectively protects connected emails, endpoints, servers, cloud workloads, and networks. Trend Micro XDR uses powerful](https://www.trendmicro.com/en_us/business/products/detection-response/xdr.html) AI and expert security analytics to correlate data, as well as deliver fewer yet higher-fidelity alerts for early threat detection. In a single console, it provides a broader perspective of enterprise systems while at the same time giving a more focused and optimized set of alerts. ### Indicators of Compromise (IoCs) DOCX file SHA256 Detection Name 0d90fe36866ee30eb5e4fd98583bc2fdb5b7da37e42692f390ac5f807a13f057 W97M_CVE2017019 036c2088cb48215f21d4f7d751d750b859d57018c04f6cadd45c0c4fee23a9f8 Trojan.W97M.CVE2 19d03a25af5b71e859561ff8ccc0a073acb9c61b987bdb28395339f72baf46b4 [Trojan.XML.PHISH.](https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/Trojan.XML.PHISH.AE) 62cf22f840fffd8d8781e52b492b03b4efc835571b48823b07535d52b182e861 [W97M_CVE2017019](https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/W97M_VBSDOWNLDR.ZYHC-A) 8310d39aa1cdd13ca82c769d61049310f8ddaea7cd2c3b940a8a3c248e5e7b06 Trojan.W97M.CVE2 84e0b1d94a43c87de55c000e3acae17f4493a57badda3b27146ad8ed0f90c93e Trojan.W97M.CVE2 85267e52016b6124e4e42f8b52e68475174c8a2bdf0bc0b501e058e2d388a819 Trojan.W97M.CVE2 b6a94f565d482906be7da4d801153eb4dab46d92f43be3e1d59ddd2c7f328109 Trojan.W97M.CVE2 cc775e3cf1a64effa55570715b73413c3ea3a6b47764a998b1272b5be059c25b Trojan.W97M.CVE2 **DOT file** **SHA256** **Detection Name** **TrendX** 00b761bce25594da4c760574d224589daf01086c5637042982767a13a2f61bea Mal_OLEMAL-4 250b09f87fe506fbc6cedf9dbfcb594f7795ed0e02f982b5837334f09e8a184b Mal_OLEMAL-4 4b3ae36b04d6aba70089cb2099e6bc1ba16d16ea24bbf09992f23260151b9faf Mal_OLEMAL-4 946405e2f26e1cc0bd22bc7e12d403da939f02e9c4d8ddd012f049cf4bf1fda9 Mal_OLEMAL-4 9cd5fa89d579a664c28da16064057096a5703773cef0a079f228f21a4b7fd5d2 Mal_OLEMAL-4 c089ccd376c9a4d5e5bdd553181ab4821d2c26fefc299cce7a4f023a660484d5 Mal_OLEMAL-4 W97M_VBSDOWNLDR.ZKHCe888b5e657b41d45ef0b2ed939e27ff9ea3a11c46946e31372cf26d92361c012 A W97M VBSDOWNLDR ZYHC Downloader.VBA.TRX.XXVBAF01FF00 7 ----- 79b1b24db7c78a4680637e3d5 1882.THCOCBO .XXVBAF01FF006 29367502e16bf1e2b788705014d0142d8bcb7fc [TrojanSpy.Win32.FAREI](https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/TrojanSpy.Win32.FAREIT.UHBAZCLIZ) N/A c6a47d56fb82d7e333454e923 T.UHBAZCLIZ 315e297ac510f3f2a60176f9c12fcf92681bbad7 Trojan.X97M.CVE20171 Downloader.VBA.TRX 58135767ba805cdea830b9ee 1882.THCOCBO .XXVBAF01FF006 3e6166a6961bc7c23d316ea9bca87d8287a4044 Backdoor.Win32.REMC Troj.Win32.TRX.XXP 865c3e73064054e805ef5ca1a OS.USMANEAGFG E50FFF034 3f40d4a0d0fe1eea58fa1c71308431b5c2ce6e38 [Trojan.MSIL.AGENTTE](https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/Trojan.MSIL.AGENTTESLA.THCOCBO) N/A 1cacc7291e501f4eed57bfd2 SLA.THCOCBO ab533d6ca0c2be8860a0f7fbfc7820ffd595edc6 3e540ff4c5991808da6a257d Trojan.X97M.CVE20171 N/A 1882.THCOCBO b78a3d21325d3db7470fbf1a6d254e23d349531 Backdoor.Win32.REMC Troj.Win32.TRX.XXP fca4d7f458b33ca93c91e61cd OS.USMANEAGFE E50FFF034 c9c0180eba2a712f1aba1303b90cbf12c111745 [TrojanSpy.Win32.FAREI](https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/TrojanSpy.Win32.FAREIT.UHBAZCLIZ) Troj.Win32.TRX.XXP 1ce13b68715931abc437b10cd T.UHBAZCLIZ E50FFF034 ### C&C addresses Bambinos[.]bounceme[.]net bbtt[.]site bbtt[.]space harpa[.]site harpa[.]space harpa[.]website himym[.]site kristoffer[.]hopto[.]org kristom[.]hopto[.]org miragena[.]site miragena[.]xyz papir[.]hopto[.]org sabdja[.]3utilities[.]com sakira[.]3utilities[.]com seliconos[.]3utilities[.]com solod[.]bounceme[.]net sonik[.]hopto[.]org tele[.]3utilities[.]com violina[.]website voyager[.]myftp[.]biz voyaget[.]myftp[.]biz ### Mitre ATT&CK Framework ## Related Posts: **[Operation ENDTRADE: Finding Multi-Stage Backdoors that TICK](https://blog.trendmicro.com/trendlabs-security-intelligence/operation-endtrade-finding-multi-stage-backdoors-that-tick/)** **[Spam Campaign Targets Colombian Entities with Custom-made ‘Proyecto RAT,’ Uses Email Service YOPmail for C&C](https://blog.trendmicro.com/trendlabs-security-intelligence/spam-campaign-targets-colombian-entities-with-custom-proyecto-rat-email-service-yopmail-for-cc/)** **[Mac Backdoor Linked to Lazarus Targets Korean Users](https://blog.trendmicro.com/trendlabs-security-intelligence/mac-backdoor-linked-to-lazarus-targets-korean-users/)** **[Outlaw Updates Kit to Kill Older Miner Versions, Targets More Systems](https://blog.trendmicro.com/trendlabs-security-intelligence/outlaw-updates-kit-to-kill-older-miner-versions-targets-more-systems/)** Learn how to protect Enterprises, Small Businesses, and Home Users from ransomware: [ENTERPRISE](http://www.trendmicro.com/us/security-intelligence/enterprise-ransomware/index.html) » [SMALL BUSINESS](http://www.trendmicro.com/us/security-intelligence/small-business-ransomware/index.html) » [HOME](http://www.trendmicro.com/us/home/consumer-ransomware/index.html) » Tags: [APT](https://blog.trendmicro.com/trendlabs-security-intelligence/tag/apt/) -----  Recommend t Tweet f Share **Sort by Best** ### Start the discussion… **LOG IN WITH** **OR SIGN UP WITH DISQUS** Name Be the first to comment. ✉ **Subscribe** d **[Add Disqus to your siteAdd DisqusAdd](https://disqus.com/)** ⚠ **D** **[N t S ll M D t](https://disqus.com/data-sharing-settings/)** ### Security Predictions for 2020 Cybersecurity in 2020 will be viewed through many lenses — from differing attacker motivations and cybercriminal arsenal to technological developments and global threat intelligence — only so defenders can keep up with the broad range of threats. [Read our security predictions for 2020.](https://www.trendmicro.com/vinfo/us/security/research-and-analysis/predictions/2020) ### Business Process Compromise Attackers are starting to invest in long-term operations that target specific processes enterprises rely on. They scout for vulnerable practices, susceptible systems and operational loopholes that they can leverage or abuse. To learn more, [read our Security 101: Business Process Compromise.](https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/security-101-business-process-compromise) ### Recent Posts [Exposed Redis Instances Abused for Remote Code Execution, Cryptocurrency Mining](https://blog.trendmicro.com/trendlabs-security-intelligence/exposed-redis-instances-abused-for-remote-code-execution-cryptocurrency-mining/) [Grouping Linux IoT Malware Samples With Trend Micro ELF Hash](https://blog.trendmicro.com/trendlabs-security-intelligence/grouping-linux-iot-malware-samples-with-trend-micro-elf-hash/) [Gamaredon APT Group Use Covid-19 Lure in Campaigns](https://blog.trendmicro.com/trendlabs-security-intelligence/gamaredon-apt-group-use-covid-19-lure-in-campaigns/) [Exposing Modular Adware: How DealPly, IsErIk, and ManageX Persist in Systems](https://blog.trendmicro.com/trendlabs-security-intelligence/exposing-modular-adware-how-dealply-iserik-and-managex-persist-in-systems/) [April Patch Tuesday: Fixes for Font-Related, Microsoft SharePoint, Windows Components Vulnerabilities](https://blog.trendmicro.com/trendlabs-security-intelligence/april-patch-tuesday-fixes-for-font-related-microsoft-sharepoint-windows-components-vulnerabilities/) ### Popular Posts [More Than 8,000 Unsecured Redis Instances Found in the Cloud](https://blog.trendmicro.com/trendlabs-security-intelligence/more-than-8000-unsecured-redis-instances-found-in-the-cloud/) [Raccoon Stealer’s Abuse of Google Cloud Services and Multiple Delivery Techniques](https://blog.trendmicro.com/trendlabs-security-intelligence/raccoon-stealers-abuse-of-google-cloud-services-and-multiple-delivery-techniques/) [Dissecting Geost: Exposing the Anatomy of the Android Trojan Targeting Russian Banks](https://blog.trendmicro.com/trendlabs-security-intelligence/dissecting-geost-exposing-the-anatomy-of-the-android-trojan-targeting-russian-banks/) [Operation Poisoned News: Hong Kong Users Targeted With Mobile Malware via Local News Links](https://blog.trendmicro.com/trendlabs-security-intelligence/operation-poisoned-news-hong-kong-users-targeted-with-mobile-malware-via-local-news-links/) [Coronavirus Update App Leads to Project Spy Android and iOS Spyware](https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/) ### Stay Updated Email Subscription Your email here [Home and Home Office](http://www.trendmicro.com/us/home/index.html) | [For Business](http://www.trendmicro.com/us/business/index.html) | [Security Intelligence](http://www.trendmicro.com/us/security-intelligence/index.html) | [About Trend Micro](http://www.trendmicro.com/us/about-us/index.html) [Asia Pacific Region (APAC): Australia /](http://www.trendmicro.com.au/au/home/index.html) [New Zealand, 中国, ⽇本, 대한민국, 台灣](http://www.trendmicro.co.nz/nz/home/index.html) Latin America Region (LAR): [Brasil, México](http://br.trendmicro.com/br/home/index.html) [North America Region (NABU): United States Canada](http://www.trendmicro.com/us/index.html) Your email here Subscribe ----- Copyright © 2020 Trend Micro Incorporated. All rights reserved. -----