Gonepostal malware that targets Microsoft Outlook linked to Russian Fancy Bear hackers

Cybersecurity firm Kroll has discovered a new espionage campaign using a malware strain dubbed Gonepostal, attributed to the Russian-linked hacking group KTA007, also known as Fancy Bear, APT28, and Pawn Storm.

KTA007, linked to Russia's GRU Unit 26165, has been responsible for major cyberattacks including the 2016 DNC breach, IOC hacks, and incidents targeting the Norwegian Parliament. The group is known for advanced tactics including zero-day exploits, spear phishing, and custom malware.

The Gonepostal malware targets Microsoft Outlook and enables email-based command-and-control (C2) communication, effectively turning the email client into a backdoor.

The malware consists of a dropper DLL and an obfuscated, password-protected VbaProject.OTM file containing malicious Outlook macros. When activated, the malware uses Outlook's startup process to parse C2 email addresses, command types, and filetypes, allowing remote attackers to issue commands via email.

Key components include a malicious, unsigned SSPICLI.dll, masquerading as Microsoft’s legitimate version, and a renamed original DLL file (tmp7EC9.dll) to avoid detection. The malware is activated through a registry setting that forces Outlook to load VBA macros on boot.

Kroll analysts found that not all of the malware's functionality is currently in use, suggesting that the tool is still in development.

“The campaign is a good example of living-off-the-land, using common business tools and methods of communication for command and control. Interception of email communications and a platform for tool ingress over legitimate means enables a stealthy manner of access which could be difficult to detect,” the researchers noted. “While Outlook-based persistence is not new, and has been observed before from KTA488 (aka APT32), GONEPOSTAL is not a commonly seen tactic, and many may not have alerts tuned regarding behavior of the VbaProject.OTM files nor the registry edits which enable the macros to be loaded from the OTM file at Outlook launch.”
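As an added defender-side example (not code from Kroll or from this article), the following PowerShell check looks on a single host for the three artefacts described above: Outlook registry values that cause VBA to load at start, a VbaProject.OTM in the user's profile, and an SSPICLI.dll placed beside OUTLOOK.EXE together with any leftover tmp*.dll. The registry value names Level and LoadMacroProviderOnBoot are Outlook's documented macro settings; the article does not name the key the malware modifies, so treating these as the relevant values is an assumption.

```powershell
# Added example, not from the Kroll report: a host check for Gonepostal-style
# Outlook persistence indicators. Assumption: the "registry setting that forces
# Outlook to load VBA macros" corresponds to Outlook's documented Level and
# LoadMacroProviderOnBoot values under HKCU\...\Outlook\Security.
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Per-user Outlook macro settings for every installed Office version (e.g. 16.0)
$versions = Get-ChildItem 'HKCU:\Software\Microsoft\Office' -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -match '^\d+\.\d+$' }
foreach ($v in $versions) {
    $sec = Join-Path $v.PSPath 'Outlook\Security'
    if (-not (Test-Path $sec)) { continue }
    $p = Get-ItemProperty -Path $sec
    # Level: 1 = enable all macros, 2/3 = prompt, 4 = disabled (3 is the default)
    if ($p.Level -eq 1) { $findings.Add("Macro security Level=1 (all macros enabled) at $sec") }
    if ($p.LoadMacroProviderOnBoot -eq 1) {
        $findings.Add("LoadMacroProviderOnBoot=1 (VBA loaded at Outlook start) at $sec")
    }
}

# 2. VbaProject.OTM: Outlook's per-user VBA project file, in its default location
$otm = Join-Path $env:APPDATA 'Microsoft\Outlook\VbaProject.OTM'
if (Test-Path $otm) {
    $f = Get-Item $otm
    $findings.Add("VbaProject.OTM present: $($f.Length) bytes, last written $($f.LastWriteTime)")
}

# 3. SSPICLI.dll next to OUTLOOK.EXE. The genuine library lives in System32, so any
#    copy in the Outlook folder is suspect; report its Authenticode status as well.
#    tmp*.dll is a heuristic based on the renamed original (tmp7EC9.dll) in the report.
$app = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE' `
       -ErrorAction SilentlyContinue
if ($app) {
    $dir = Split-Path $app.'(default)'
    $dll = Join-Path $dir 'SSPICLI.dll'
    if (Test-Path $dll) {
        $sig = Get-AuthenticodeSignature -FilePath $dll
        $findings.Add("SSPICLI.dll in Outlook folder ($dir); signature status: $($sig.Status)")
    }
    foreach ($t in Get-ChildItem -Path $dir -Filter 'tmp*.dll' -ErrorAction SilentlyContinue) {
        $findings.Add("Unexpected DLL beside OUTLOOK.EXE: $($t.Name)")
    }
}

if ($findings.Count) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No Gonepostal-style Outlook persistence indicators found.' }
```

Run it in the context of the user whose Outlook profile is being examined, since the registry values and the OTM file are per-user.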
