Update: In its latest heads-up of April 7, 2022, the Computer Emergency Response Team of Ukraine (CERT-UA) issued an alert detailing the most recent phishing attack on Ukrainian state bodies, which follows hard on the heels of the attack kill chain identified a couple of days earlier and shows similar behavior patterns.
On April 4, 2022, CERT-UA issued an alert warning of an ongoing spear-phishing campaign targeting the government entities of Ukraine, in which emails carrying a malware attachment were distributed. CERT-UA researchers believe that the hacking group tracked as UAC-0010, also known as Armageddon, is behind the spear-phishing attacks against Ukrainian government officials.
On the very same day, another CERT-UA heads-up warned of newly detected activity attributed to the same threat actors. This time, the Armageddon group targeted European state agencies, with victims likewise compromised through phishing emails carrying malicious attachments.
According to the Security Service of Ukraine (SSU), Armageddon has been in the spotlight in the cyber arena since 2013-2014. The cyber espionage group was created as an integral part of the Federal Security Service of the Russian Federation to perform targeted cyber intelligence and subversive activities against Ukrainian government entities and collect sensitive information. The threat actors are tracked as Armageddon APT and also known as Gamaredon APT, the latter name being derived from a misspelling of the word “Armageddon”.
Armageddon threat actors have leveraged similar TTPs to compromise a large number of users, with phishing campaigns being one of their most widely used adversary methods. Throughout their known activity, mass-mailing potential victims with malicious attachments that deliver multiple malware strains has been the group’s primary attack vector, and the most recent cyber-attacks are no exception. In the early days of their activity, the Gamaredon group applied simple tools written in VBScript, VBA Script, C#, C++, and other programming languages, relying mostly on open-source software; over time they have gradually enriched their toolkit with a number of custom cyber espionage tools, including Pterodo/Pteranodon and EvilGnome malware.
As CERT-UA reported, the latest activity of the cyber espionage actors against Latvian state bodies involved phishing emails containing malicious shortcut files inside RAR archives. In the cyber-attacks on Ukrainian government entities, Armageddon hackers sent email lures whose subjects referred to data on Russia-linked war criminals. These phishing emails carry an HTM attachment that, when opened, generates a RAR archive containing a malicious LNK file; launching the shortcut executes VBScript code and infects the compromised system.
Security practitioners can track the latest activity of the Armageddon (UAC-0010) hacking group using a set of curated Sigma-based detection rules from the SOC Prime Team:
All the above-mentioned detection rules are tagged as #UAC-0010 to streamline the search for content related to the malicious activity of the corresponding threat actors. To access the rule kit and hunt for threats, make sure to sign up or log into SOC Prime’s Detection as Code platform.
To delve into the context of the most recent cyber-attacks of Armageddon/UAC-0010 targeting Ukrainian and EU government officials, all dedicated Sigma-based detections are mapped to the latest version of the MITRE ATT&CK framework addressing the corresponding tactics and techniques:
Signed Binary Proxy Execution (T1218)
Hide Artifacts (T1564)
Command and Scripting Interpreter (T1059)
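As an added illustration, and not one of SOC Prime's rules or a CERT-UA artifact, the following Python script hunts over constructed Sysmon-style process-creation events for the execution stage of the chain described above: a script interpreter or signed proxy binary launched by the shell from a user-writable location, and mapped to the three ATT&CK techniques listed. The field names, path patterns, window-hiding switches and sample events are all assumptions chosen for the example.

```python
"""Added example: map process-creation events to the ATT&CK techniques above.

Not SOC Prime's code and not a CERT-UA artifact. Event fields mirror Sysmon
Event ID 1 names (Image, ParentImage, CommandLine, ProcessId) by assumption;
the sample events below are constructed, not captured from any incident.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Native interpreters that a malicious shortcut (LNK) commonly invokes (T1059).
SCRIPT_INTERPRETERS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"}
# Signed Windows binaries abused to proxy execution of other content (T1218).
SIGNED_PROXIES = {"mshta.exe", "rundll32.exe", "regsvr32.exe"}

# User-writable locations where a browser or archive tool drops files; a shortcut
# extracted from a RAR lands in one of these before it is double-clicked.
USER_WRITABLE = re.compile(r"\\(temp|downloads|appdata)\\", re.IGNORECASE)
# Switches that keep the spawned interpreter window off-screen (T1564).
HIDE_FLAGS = re.compile(r"-w(indowstyle)?\s+hidden|\bstart\s+/min\b", re.IGNORECASE)
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)


@dataclass
class Finding:
    process_id: int
    image: str
    techniques: list[str] = field(default_factory=list)


def _basename(path: str) -> str:
    """Return the lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list[str]:
    """Return the ATT&CK technique IDs one process-creation event exhibits."""
    image = _basename(event["Image"])
    parent = _basename(event["ParentImage"])
    cmd = event["CommandLine"]
    hits: list[str] = []
    # Interpreter launched by the shell (the user opened something) and fed
    # content from a user-writable directory.
    if image in SCRIPT_INTERPRETERS and parent == "explorer.exe" and USER_WRITABLE.search(cmd):
        hits.append("T1059")
    # Signed proxy binary pointed at a dropped file or a remote URL.
    if image in SIGNED_PROXIES and (USER_WRITABLE.search(cmd) or REMOTE_URL.search(cmd)):
        hits.append("T1218")
    # Window hiding only counts once the process is already suspicious.
    if hits and HIDE_FLAGS.search(cmd):
        hits.append("T1564")
    return hits


def hunt(events: list[dict]) -> list[Finding]:
    """Run classify() over a batch of events and keep only the matches."""
    findings = []
    for event in events:
        techniques = classify(event)
        if techniques:
            findings.append(Finding(event["ProcessId"], _basename(event["Image"]), techniques))
    return findings


# Constructed sample events: one benign service start and three suspicious launches.
SAMPLE_EVENTS = [
    {"ProcessId": 1204, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"ProcessId": 4412, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\Rar$DIa0.412\report.vbs"'},
    {"ProcessId": 5020, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -WindowStyle Hidden -File C:\Users\alice\Downloads\notes.ps1"},
    {"ProcessId": 5100, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'mshta.exe "C:\Users\alice\AppData\Local\Temp\update.hta"'},
]


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(f"PID {finding.process_id} {finding.image}: {', '.join(finding.techniques)}")
```

The parent-process condition is what ties the rule to the LNK delivery: a shortcut opened from an extracted archive is spawned by the shell, so an interpreter whose parent is explorer.exe and whose script lives under a temp or download path is a much narrower signal than interpreter execution in general. Tune the path list and the hide-flag pattern to the telemetry you actually collect before relying on it.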