Armageddon Threat Actors aka UAC-0010 Spread GammaLoad.PS1_v2 Malware in Yet Another Phishing Attack on Ukraine

In spring 2022, the notorious Russian nation-backed cyber espionage group Armageddon, also tracked as UAC-0010, launched a series of targeted phishing cyber-attacks against Ukrainian and European state bodies. On July 26, 2022, CERT-UA issued a series of new cybersecurity alerts warning the global cyber defender community of a wave of novel phishing campaigns by these Russia-linked threat actors targeting Ukraine and massively distributing GammaLoad.PS1_v2 malware.

Armageddon APT (UAC-0010) Latest Cyber-Attack Analysis: Mass Distribution of GammaLoad.PS1_v2 Malware

Since 2014 and with the escalation of the russian aggression against Ukraine on February 24, 2022, russia has been evolving its hybrid warfare and advancing cyber espionage campaigns. According to the technical report by the Security Service of Ukraine (SSU), the Armageddon hacking collective, which is also known as Gamaredon based on the misspelling of the original group name, has been created as a special unit to perform intelligence and cyber espionage activities against the Ukrainian state bodies. 

Following a series of cyber-attacks in spring 2022 launched by Armageddon APT group, threat actors are on the rise once again exploiting the phishing email attack vector. Earlier, in April 2022, the group also identified as UAC-0010 launched a series of cyber-attacks targeting Ukrainian and European state bodies spreading phishing emails with malicious attachments. One month later, the Armageddon group reemerged in the cyber threat arena leveraging its most preferred phishing attack vector to deploy GammaLoad.PS1_v2 malicious software on the compromised systems.

According to the latest CERT-UA alerts, the UAC-0010 hacking collective massively distributes targeted phishing emails leveraging war-related lures as email subjects and disguised as the National Academy of the Security Service of Ukraine senders. These spoofed emails contain an HTM dropper that triggers an infection chain. Once opened, the latter creates a malicious RAR archive with an LNK shortcut file used as a lure to trick victims into opening it. If opened, the above-mentioned LNK file downloads and runs an HTA file containing VBScript code, which applies PowerShell to decrypt and launch GammaLoad.PS1_v2 malware on the targeted computers. To evade detection, attackers apply external services to prevent the DNS resolution of C2 servers. 

Due to a dramatic increase in phishing cyber-attacks leveraging the above-mentioned adversary techniques, it is strongly recommended that global organizations should implement comprehensive attack surface management programs as part of their cybersecurity strategies. Using the external email services on the organization’s devices prevents the email contents from proper security checks, which can potentially lead to phishing attacks. 

Detecting the UAC-0010 Activity: Sigma Rules to Defend Against Emerging Phishing Cyber-Attacks

With a constantly increasing number of phishing cyber-attacks targeting thousands of organizations across the globe, cyber defenders come to realize that proactively defending against the related malicious activity is a top priority for enhancing the organization’s cybersecurity posture. SOC Prime’s Detection as Code platform curates high-fidelity alerts and verified threat hunting queries to enable organizations to timely identify the malicious activity of the Armageddon threat actors (UAC-0010) covered in the latest CERT-UA alerts. 

For streamlined content search, all detections are tagged as #UAC-0010 based on the identifier associated with the adversary activity. Registered SOC Prime users can take advantage of the dedicated Sigma rules by following the link below: 

Sigma-based rules to spot the malicious activity of Armageddon APT (UAC-0010) covered in the latest CERT-UA alerts

Cybersecurity professionals are also welcome to access more Sigma rules to detect cyber-attacks by the Armageddon group aka Gamaredon by clicking the Detect and Hunt button below. Alternatively, InfoSec practitioners can browse SOC Prime’s cyber threats search engine for the UAC-0010 adversary activity and instantly explore comprehensive threat context like MITRE ATT&CK® and CTI references, media links, executable binaries linked to Sigma rules, and more contextual metadata along with related detections even without registration.

Detect & Hunt Explore Threat Context

MITRE ATT&CK® Context

To gain insights into the MITRE ATT&CK context of the latest cyber-attacks of the Armageddon APT group aka UAC-0010, all dedicated Sigma rules are aligned with MITRE ATT&CK® framework addressing the corresponding tactics and techniques: