Russian state sponsored threat actors are using malicious Microsoft Office documents with remote macros to compromise Ukrainian targets. With tensions between Russia and Ukraine at a boiling point, we would not be surprised if these attacks to pivot to U.S. targets in critical sectors once sanctions are imposed against Russia by western nations. This is not a new attack technique and is something that Microsoft has known to be abused for years, but has always maintained the position that it’s a “feature”. Microsoft is finally doing something about it and IT managers can too.
Recently, the Microsoft Threat Intelligence Center (MSTIC) shared information about a Russian threat group that goes by the names “ACTINIUM” and “Gamaredon”. The group has been around for almost a decade but with tensions between Russia and Ukraine at a boiling point, activity has intensified. A recent phishing campaign by ACTINIUM paralleled some of the techniques we’ve seen recently at Assura (and used ourselves in authorized phishing tests) so we’d like to take this opportunity to explain this threat, tactic, and technique.
What Do We Know About This Attack?
Microsoft has seen ACTINIUM intensify cyber espionage campaigns against Ukraine over the past six months. The most recent activity update provided by MSTIC in early February of 2022 describes a phishing technique that some information security professionals may be familiar with, but that most won’t recognize, dubbed “remote template injection”. This technique utilizes remote Office templates to load Visual Basic macros into documents that do not natively support macros. The most common documents that users recognize support macros are .docm for Word and .xlsm for Excel. A full list of Office file formats that support Visual Basic can be found here: https://support.microsoft.com/en-us/office/file-formats-that-work-with-visual-basic-69afddfd-4479-4466-9f37-3f4046b5e107.
Remote template injection leverages lesser-known features within Office to load a remote document template that contains macros. This allows the threat actor to use non-macro supporting formats such as .docx and .xslx to load malicious macros via a remotely hosted .dotm or .xstm template. This technique helps threat actors to do two things:
- Evade email and endpoint security tools. Less effective email security and endpoint protection tools that do only static analysis of files will likely miss the fact that the remote template is importing a malicious VBA macro.
- Defeat user security training because oftentimes users are taught to look for macro specific extensions such as .docm or .xslm along with the macro-enabled icon. An example of the macro-enabled icon for a Microsoft Word document is below:
In the past, Microsoft has resisted taking steps to mitigate this misuse of remote macros because this functionality is viewed by them as a feature of their Office product suite.
In addition to utilizing the remote-template injection technique, the ACTINIUM threat actors utilized a technique familiar to information security professionals – they used “web bugs” to track the opening of emails. Just as information security professionals track their user base’s performance with phishing campaigns, ACTINIUM tracked their phishing targets for interaction with their malicious emails to better understand which users represented prime targets for ongoing campaigns. The “web bugs” used in this case were small hidden images that would ping a DNS server controlled by the threat actor with a unique string associated with each user so that they could track who was opening and viewing emails. This is the same technique for tracking phishing email open in common training tools like KnowBe4 or GoPhish.
If the user opened the phishing email, opened the attachment, then enabled the macros, they would have their machine infected with a tool used specifically for remote control and data exfiltration by ACTINIUM.
Assura’s reason for highlighting this campaign isn’t that it’s new or novel – this attack technique has been utilized for years. We’re highlighting it because, although it’s currently being used by Russian government-affiliated threat actors against Ukraine, it is probable that these campaigns will pivot to U.S.-based entities after retaliatory sanctions are imposed by western governments if Russia launches a full-scale invasion of Ukraine. We anticipate that these attacks will target critical infrastructure, national security/defense industrial base, finance, healthcare, and governments at all levels.
Among our SOC and email security clients, Assura sees advanced threat actors frequently implement this remote template injection attack as a security bypass mechanism. Our Offensive Security team successfully utilizes this attack to test our clients’ defenses and end-user awareness.
The good news is that Microsoft is finally taking steps to prevent users from executing remote macros accessed over the Internet. With the release of Microsoft Office 2203, macros that do not come from a “Trusted Location” on the internet or are signed by a “Trusted Publisher” will be prevented from running entirely. No more will you experience users clicking “Enable Macro” and infecting your environment.
Office Version 2203 will be released in the Current Channel (Preview) in early April 2022. The change will be available in Current Channel, Monthly Enterprise Channel, and Semi-Annual Enterprise Channel “later”. At a future date to be determined, Microsoft also plans to make this change to Office LTSC, Office 2021, Office 2019, Office 2016, and Office 2013. Until that time, your organization may be vulnerable to this attack.
You can read more about this change and how it will affect your organization here: https://techcommunity.microsoft.com/t5/microsoft-365-blog/helping-users-stay-safe-blocking-internet-macros-by-default-in/ba-p/3071805
Until your organization updates to Office Version 2203, all is not lost if you are targeted with a campaign that utilizes remote template injection. We recommend that all our clients and readers implement a defense-in-depth security architecture to defend against such attacks. For this specific type of attack the architecture would look like this:
- Disable macros in your environment by default and allow them by exception. Not all users need macros for their job duties. This feature should be enforced under the concept of “least privilege”.
- Utilize an advanced email security tool that sandboxes attachments and, as part of that sandboxing, downloads remote macros to detect malicious behavior.
- If your email security tools fail, users should be trained to detect unsolicited or suspicious emails as well as not to enable macros if macros are allowed in your environment.
- If your email security and end-user training don’t catch this, then a Next-gen AV or Endpoint Detection and Response (EDR) tool should be able to detect the malicious macro in-memory at runtime and shut things down by killing and quarantining the file.
- Finally, if all else fails your organization should be logging and monitoring endpoint and network traffic via tools such as SIEM and Network Intrusion Detection Systems (NIDS). NIDS monitoring network traffic for known bad-traffic and suspicious traffic along with strong correlation rules and adequate logging being forwarded to the SIEM should enable defenders to detect lateral movement and exfiltration of data in your environment so that your organization can respond appropriately and quickly.
If you’re an Assura client, please do not hesitate to reach out to your Virtual ISO or Assura SOC Concierge if you have questions about this technique or how you can better defend against it. Otherwise, please contact us at [email protected].
Microsoft Threat Intelligence Center Announcement – https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/
Microsoft – Macro Supported Documents – https://support.microsoft.com/en-us/office/file-formats-that-work-with-visual-basic-69afddfd-4479-4466-9f37-3f4046b5e107
MITRE ATT&CK Template Injection – https://attack.mitre.org/techniques/T1221/
Microsoft Tech Community Article on Macro Blocking – https://techcommunity.microsoft.com/t5/microsoft-365-blog/helping-users-stay-safe-blocking-internet-macros-by-default-in/ba-p/3071805