VBA-based Malware Used By Russian Hackers Against Embassies
Checkpoint Software, a cybersecurity vendor, released a report accusing Russian hackers of being behind massive malicious spam campaigns against the embassies of Lebanon, Kenya, Bermuda, Nepal, Guyana, Italy and Liberia using a trojanized remote-access tool. The spam emails pretended to originate from the U.S. Department of State, making it more convincing for users in these embassies to open the attached malicious Excel file, loaded with a macro virus.
Macro viruses are not a new type of malware; they have been circulating on the web since Visual Basic for Applications became part of Microsoft Office in 1996 with the Microsoft Office 97 suite. Opening the malicious macro-enabled Excel attachment launches a modified version of TeamViewer (a mainstream remote access tool popular with gamers), which serves as a RAT (remote access trojan) without the computer's users being aware of it.
“The attack, which starts with a malicious attachment disguised as a top-secret US document, weaponizes TeamViewer, the popular remote access and desktop sharing software, to gain full control of the infected computer. By investigating the entire infection chain and attack infrastructure, we were able to track previous operations that share many characteristics with this attack’s inner workings. We also came across an online avatar of a Russian speaking hacker, who seems to be in charge of the tools developed and used in this attack,” explained Checkpoint.
Though the origin of the malicious emails was traced to Russian hackers, there is still no direct link between them and the Kremlin. One example of the malicious email had the subject line “Military Financing program” with an attached Excel sheet named “Military Financing.xlsm”. The email carried a genuine-looking U.S. Department of State logo and insignia, and it was even marked as “Top Secret”. The Excel file contains a hex-encoded cell deliberately used to store the payload. The macro in the Excel file is designed to extract that hex-encoded data and turn it into three files:
- Htv.ahk: has the instructions to download a trojanized version of Teamviewer. It is also responsible for sending the captured user credentials to the command and control center.
- Hscreen.ahk: as the name implies, it is the module responsible for creating and sending screenshots of the activities of the computer to the command and control servers.
- Hinfo.ahk: serves as the reconnaissance module, which probes the computer for information.
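A triage check for the technique described above (payload bytes hidden as a hex string in a spreadsheet cell, next to a VBA project), written as an added example rather than code from the report: it opens an .xlsm/.xlsx as the OOXML zip it is, lists any cell whose content is nothing but a long hex string, and decodes it for preview. The sample workbook it builds is constructed here with a harmless placeholder stub; real files may also store strings in other ways this minimal parser does not cover.

```python
import io, re, zipfile
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}
HEX_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}){32,}$")  # 32+ bytes of nothing but hex

def cell_text(cell, shared):
    """Return a cell's string for inline strings and shared-string references."""
    if cell.get("t") == "inlineStr":
        t = cell.find("m:is/m:t", NS)
        return t.text if t is not None else None
    if cell.get("t") == "s":
        v = cell.find("m:v", NS)
        return shared[int(v.text)] if v is not None else None
    return None

def triage_workbook(data: bytes) -> dict:
    """Report a VBA project and every cell that is a long pure-hex string, decoded for preview."""
    out = {"has_vba": False, "hex_cells": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        out["has_vba"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        shared = []
        if "xl/sharedStrings.xml" in names:  # cell strings are usually stored here
            sst = ET.fromstring(z.read("xl/sharedStrings.xml"))
            shared = ["".join(t.text or "" for t in si.iter(f"{{{NS['m']}}}t"))
                      for si in sst.iterfind("m:si", NS)]
        for n in names:
            if not n.startswith("xl/worksheets/"): continue
            for c in ET.fromstring(z.read(n)).iterfind(".//m:c", NS):
                s = cell_text(c, shared)
                if s and HEX_RE.match(s.strip()):
                    blob = bytes.fromhex(s.strip())
                    out["hex_cells"].append({"sheet": n, "cell": c.get("r"),
                                             "size": len(blob), "preview": blob[:24]})
    return out

def build_sample_workbook() -> bytes:
    """Constructed sample: minimal OOXML zip whose B2 cell is a hex-encoded stub."""
    stub = b"; constructed placeholder script\nMsgBox, placeholder\n"  # not a real payload
    sst = ('<sst xmlns="%s"><si><t>Military Financing</t></si><si><t>%s</t></si></sst>'
           % (NS["m"], stub.hex()))
    sheet = ('<worksheet xmlns="%s"><sheetData><row r="1"><c r="A1" t="s"><v>0</v></c>'
             '</row><row r="2"><c r="B2" t="s"><v>1</v></c></row></sheetData></worksheet>' % NS["m"])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/sharedStrings.xml", sst)
        z.writestr("xl/worksheets/sheet1.xml", sheet)
        z.writestr("xl/vbaProject.bin", b"placeholder")  # stands in for a real VBA project
    return buf.getvalue()
```

Run `triage_workbook(open("suspect.xlsm", "rb").read())` on a quarantined file; a hit in `hex_cells` together with `has_vba` is the combination worth escalating.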
The TeamViewer program downloaded from the command and control servers differs substantially from the publicly available legitimate copy: its process does not appear in the Windows Task Manager (possibly to evade visual detection), it logs the captured information to a text file, and it can serve as a channel for the hackers to upload more malicious files to the infected computer.
“It is hard to tell if there are geopolitical motives behind this campaign by looking solely at the list of countries it was targeting, since it was not after a specific region and the victims came from different places in the world. Nevertheless, the observed victim’s list reveals a particular interest of the attacker in the public financial sector, as they all appear to be handpicked government officials from several revenue authorities,” added Checkpoint.