Gamaredon Leverages Microsoft Office Docs to Target Ukraine Government and Military

Summary

The Gamaredon Group, a misspelled anagram of "armageddon", is a Russian state-sponsored cyber-espionage group that has perpetrated cyberattacks against military, government, and non-profit organizations in Ukraine since at least 2013.

This threat actor group leverages legitimate Microsoft® Office documents to carry out remote template injection. The technique works even with Microsoft® Word security features enabled. This means attackers can bypass Microsoft Word macro protections to compromise target systems with malware, gain access to information, then spread the infection to other users.

In this blog, we’ll examine how Gamaredon operates this campaign, and share Indicators of Compromise (IOCs), mitigation tips, and YARA rules to defend against this and similar attacks.

Operating System

Risk & Impact

Who Is the Gamaredon Group?

As the Russian invasion of Ukraine drags on into its ninth month, the machinery of cyber warfare also continues running covertly in the background. The Gamaredon threat actor group has become very active in recent months — just open Twitter and type in #Gamaredon, and you’ll find several tweets a week with new IoCs and samples.

Also known as Shuckworm, IRON TILDEN, Primitive Bear, WinterFlounder, and ACTINIUM, the Gamaredon Group is one of the most active advanced persistent threat (APT) groups targeting Ukraine today. It is well-known for its phishing attacks, usually utilizing emailed Microsoft Office document attachments to gain initial access to systems. More recently, the group adopted the use of remote template injection in a document to gain initial access. When executed, the malicious document downloads a self-extracting archive containing a LNK file, which is a Windows shortcut that serves as a pointer to open a file, folder, or application. This continues the attack chain.

Ukraine has publicly claimed that Russia is behind the Gamaredon Group, which has been active since at least 2013. This is evidenced in many reports from CERT-UA, and from other official Ukrainian organizations over time. This timeline coincides with the beginning of the Euromaidan protests, which happened that same year and ultimately unseated pro-Russian Ukrainian President Viktor Yanukovych.

The word “armageddon” was detected in the threat actor’s early campaigns; in particular, a cyber espionage campaign seemingly devised to give Russian leadership a military advantage by targeting the Ukrainian government, law enforcement, and military officials. The campaign’s objective appeared to be stealing information that could provide insight into near-term Ukrainian intentions and plans, potentially giving Russia a tactical advantage in its physical warfare against Ukraine.

According to a sparsely-worded November 2021 report from the Security Service of Ukraine (SSU), the group and its previous incarnations are thought to have been responsible for over 5,000 attacks against more than 1,500 Ukrainian government systems since 2014. The group’s goals, as noted by the SSU, included:

• Control over critical infrastructure facilities (power plants; heating and water supply systems)
• The theft and collection of intelligence, including information with restricted access (related to security and defense sector; government agencies)
• Informational and psychological influence
• Blocking information systems

Technical Analysis of Gamaredon Attacks

To understand how the technique of remote template injection works, we must first look more closely at the .docx file format. With the release of Office 2007, Microsoft changed the default file name extension of Office documents from .doc to .docx. This switch reflected the company’s implementation of an open-source format called Open XML. The “X” on docx refers to this. At its most basic level, it is an archive containing several XML files that make up the document. This was a fundamental change to the way that the file’s data is stored.

Microsoft Word also allows the user to create and share new templates, which are stored in .dotm files. Microsoft Office default templates are located in the C:\Users\USER\AppData\Roaming\Microsoft\Templates\ folder. If you take a look in there on your own machine, you will see the Normal.dotm template. This template is loaded every single time Microsoft Word is opened on your computer. Template files can be loaded locally, like Normal.dotm, or from remote sources. Loading a document from a remote source is what makes the attack technique of template injection possible.

Remote template injection does not have to rely on the user enabling macros (a common infection technique of the past) since no VBScript is present in the file. As soon as the user opens the document, the altered template will load in Word and begin its full download from the malicious URL inside the template. This technique corresponds with CVE-2017-0199.

Figure 1: Example documents with remote template injection

To begin its attacks, the Gamaredon Group frequently sends phishing emails to deliver malicious documents to users at specifically targeted organizations. As an example, if you look at the document on the left of Figure 1 above, taken from a recent campaign, you’ll see the header is “СЛУЖБА БЕЗПЕКИ УКРАЇНИ,” which translates to “SECURITY SERVICE OF UKRAINE.” The second document, on the right of Figure 1, has the header “Командиру військової частини А4267,” which means “To the commander of the military unit A4267.” These documents were clearly crafted with the intention of targeting those who run Ukrainian military systems.

Figure 2: Remote template download code

Since a .docx file is really just an archive, we can use the free open-source file archiver 7Zip to extract the contents and look inside. If we navigate to .\word\_rels\settings.xml.rels in our sample, the contents of the file can be seen in Figure 2, above. The file will download a self-extracting archive which contains a LNK file. As another example, one of the LNK files BlackBerry recently examined was named “Запит Спеціалізованої прокуратури у військовій та оборонній сфері Центрального регіону від 15.08.2022 року.” This translates to “Request of the Specialized Prosecutor's Office in the Military and Defense Sphere of the Central Region dated 15.08.2022.”

How the Gamaredon Group Maintains Persistence

Along with downloading the self-extracting archive, a new Normal.dotm template will be created by Gamaredon to replace the original Normal.dotm template on the user’s machine. When a document is manipulated by the user in Microsoft Word, the Normal.dotm template is always loaded. So, in the event of a Gamaredon attack, every time a document is opened, created, or shared from the affected system, the malicious template will be shared. This creates persistence on the target machine, and perpetuates the infection.

Figure 3: Properties of a malicious LNK file, along with the execution command

When we right-click and open the Properties dialog of a malicious LNK file and look at the “Target” field, we can see that a command is present. The LNK will try to execute mshta.exe to download a PowerShell script that begins data collection on the users’ system. Mshta.exe is a Windows-native binary designed to execute Microsoft HTML Application (HTA) files. Once information has been collected, the PowerShell will then communicate the data to Gamaredon’s command and control (C2) server.

Figure 4: PowerShell capturing the user’s screen and creating a web client

After the above takes place, “System.Windows.Forms” is activated to take screen captures of the user’s system. The screenshots will be saved locally as “test.png.” The screenshots are Base64-encoded. Additionally, the PowerShell script will transmit the user’s volume serial number and computer name to the C2.  

With the system now fully compromised and the malicious template covertly present in Word, Gamaredon is able to continue accessing the system and serving new malicious payloads for as long as the infection is present.

Conclusion

The existence of groups like Garmaredon makes it abundantly clear that Russian-affiliated threat actors have continued to advance the state’s information warfare components. The use of remote template injection has thus far proven highly effective at gaining access to systems and achieving persistence. Even with Microsoft Word security features enabled, remote template injection will continue to be utilized by malware authors. The technique’s ability to bypass Microsoft Word macro protections and create persistence by replacing standard Word templates simplifies the process of getting users systems to connect to malicious sites and download their noxious payloads.

What Are Gamaredon’s Targets?

The primary targets of Garmaredon are users of systems based in Ukraine, spread across a broad set of industries. Military, government, law enforcement, non-profits, and non-government organizations have all been targeted in the past. The long-term goal of the Garmaredon Group appears to be the exfiltration of sensitive or strategically useful Ukrainian data.

Mitigation Tips

• Sender Reputation Analysis (D3-SRA) – Never open attachments from a non-trusted source.
• Software Update (D3-SU) – Keep your system’s software up-to-date to keep up with the latest security patches.
• Remote Terminal Session Detection (D3-RTSD) – Network administrators should monitor closely for exchanges of information with unknown sources.

YARA Rule for Garmaredon Malware

The following YARA rule was authored by the BlackBerry Research & Intelligence Team to catch the threat described in this document:

Indicators of Compromise (IoCs)

References:

https://cert.gov.ua/article/1229152

https://cert.gov.ua/article/971405

https://cert.gov.ua/article/2681855

https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/

https://inquest.net/blog/2022/06/27/glowsand

https://www.secureworks.com/research/threat-profiles/iron-tilden

https://www.bleepingcomputer.com/news/security/ukraine-links-members-of-gamaredon-hacker-group-to-russian-fsb/

https://lookingglasscyber.com/resources/white-papers/operation-armageddon-cyber-espionage-gamaredon/

https://blog.talosintelligence.com/2022/09/gamaredon-apt-targets-ukrainian-agencies.html

Technical Report on Armageddon / Gamaredon (PDF) – Security Service of Ukraine

Tale of Gamaredon Infection (PDF) – CERT-EE / Estonian Information System Authority

BlackBerry Assistance

If you’re battling this malware or a similar threat, you’ve come to the right place, regardless of your existing BlackBerry relationship.

The BlackBerry Incident Response team is made up of world-class consultants dedicated to handling response and containment services for a wide range of incidents, including ransomware and Advanced Persistent Threat (APT) cases.

We have a global consulting team standing by to assist you, providing around-the-clock support where required, as well as local assistance. Please contact us here: https://www.blackberry.com/us/en/forms/cylance/handraiser/emergency-incident-response-containment

Related Reading

• Gamaredon (Ab)uses Telegram to Target Ukrainian Organizations 
• RomCom Threat Actor Abuses KeePass and SolarWinds to Target Ukraine
• Communications Security: Lessons Learned From Ukraine
• Ukraine Cybersecurity Leader Shares Defense Insights from the Cyber and Physical Front Lines