With the outbreak of the global cyber war, the malicious activity of the Armageddon cyber-espionage group aka Gamaredon or UAC-0010 has been in the limelight in the cyber threat arena targeting Ukrainian state bodies. The hacking collective launched a series of phishing cyber-attacks, including campaigns in May spreading GammaLoad.PS1_v2 malware and in April 2022. On August 10, 2022, CERT-UA released a new alert warning cyber defenders of ongoing phishing cyber-attacks on Ukraine leveraging GammaLoad and GammaSteel malware.
Throughout the first half of 2022, since Russia’s full-scale invasion of Ukraine, the infamous Russian nation-backed APT group tracked as Armageddon aka UAC-0010 has been actively leveraging the phishing attack vector and launching multiple targeted malicious campaigns against Ukraine. The hacking collective has been massively distributing HTM droppers that trigger infection chains and deploy GammaLoad.PS1 payload on the compromised systems.
According to the cybersecurity research covered in the CERT-UA alert CERT-UA#5134, attackers aim to steal data based on the defined list of extensions along with user credentials from web browsers. To gain access to this sensitive data, threat actors leverage GammaSteel.PS1 and GammaSteel.NET malware, the former being the PowerShell iteration of the previously applied HarvesterX infostealer.
In the latest campaigns, the Armageddon APT group also resorts to the remote template injection attacks by infecting the template file by means of a malicious macro that generates a URL and adds it as an attachment to the newly created document. This leads to infecting all files created on the victim’s computer along with their further unintentional distribution by the compromised user.
Threat actors mainly apply scheduled tasks, the Run registry branch, and changing environments to achieve persistence and deploy payloads, as well as run malicious PowerShell scripts and abuse legitimate executable files like wscript.exe or mshta.exe.
Due to escalating volumes of phishing campaigns attributed to the adversary activity of the Russia-linked Armageddon APT group, cybersecurity practitioners are searching for new ways to timely identify the malicious presence of related malware in their environment. SOC Prime’s Detection as Code platform offers a curated list of Sigma rules tagged accordingly based on the group identifier “UAC-0010” to simplify the content search for the related malicious activity. High-fidelity alerts and hunting queries from this collection of detection algorithms are convertible to the industry-leading SIEM, EDR, and XDR technologies.
Follow the link below to instantly gain access to the dedicated detection stack available right from SOC Prime’s Cyber Threats Search Engine, along with comprehensive contextual information enriched with MITRE ATT&CK® and CTI references, executable binaries linked to Sigma rules, and more relevant metadata:
Threat Hunters and Cyber Threat Intelligence specialists can also search for indicators of compromise associated with the malicious activity of the UAC-0010 group covered in the latest CERT-UA alert. In addition, teams can take advantage of Uncoder.CTI to generate relevant custom IOC queries ready to run in the selected SIEM or XDR environment.
To obtain more Sigma rules to detect the malicious activity of the Armageddon hacking collective, also dubbed Gamaredon, click the Detect and Hunt button. Non-registered SOC Prime users can also instantly reach context-enriched detections for related threats using our Cyber Threats Search Engine by clicking the Explore Threat Context button below.
To delve into the MITRE ATT&CK context related to the malicious activity of the Armageddon threat actors (UAC-0010), all Sigma rules within the above-mentioned detection stack are aligned with MITRE ATT&CK® framework addressing the corresponding tactics and techniques:
Signed Binary Proxy Execution (T1218)
Hide Artifacts (T1564)
Command and Scripting Interpreter (T1059)