Microsoft has published findings on recent hacking operations by a group it assesses is most likely affiliated with the Russian Federal Security Service (FSB), which has attacked Ukraine’s government, security institutions, and aid organizations. Microsoft says that since October the group, which it tracks as Actinium, has “targeted or compromised accounts” at Ukrainian emergency response organizations. According to the report, Actinium hackers also targeted groups coordinating international and humanitarian aid to Ukraine.
The group is called Armageddon by the Security Service of Ukraine (SSU). According to the SSU, the group’s activity dates back to at least 2014 and concentrates on intelligence collection in Crimea, mainly through phishing and malware. Armageddon is notorious for launching primitive but bold cyberattacks against Ukraine’s security, defense, and law enforcement services to obtain intelligence. As concerns grow about Russia’s apparent plans to invade Ukraine, Microsoft prioritized its research on Actinium’s recent actions.
According to Microsoft, the group’s techniques continuously improve and prioritize anti-malware evasion, even though they are neither especially sophisticated nor stealthy. It employs a variety of targeted spear-phishing emails that use remote document templates and remote macro scripts to infect only selected targets while avoiding detection by anti-malware systems that scan attachments. The group also uses ‘web bugs,’ which let the sender track when a message is opened and displayed. Documents mimicking the World Health Organization and carrying COVID-19 updates are among the lures.
The phishing files contain a payload that executes secondary payloads on a compromised device. To maintain persistence, the group uses various ‘staging’ scripts, including heavily obfuscated VBScripts, obfuscated PowerShell commands, self-extracting archives, and LNK files, backed up by oddly named scheduled tasks created from scripts. In a single month, Actinium used over 25 distinct domains and over 80 unique IP addresses for payload staging and command-and-control (C2) infrastructure, showing that it frequently changes its infrastructure to thwart investigation. The domains are registered through the legitimate registrar REG.RU, and most of their DNS records likewise change about once a day.
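The daily DNS churn described above is something a defender can look for in resolver or passive-DNS logs. The following is an added example written for this page, not code from Microsoft’s report: it profiles how often each domain’s resolved IP changes between consecutive observation days and flags domains with many distinct addresses and near-daily changes. The domain names and addresses in the sample records are constructed placeholders, not indicators from the report.

```python
"""Flag domains whose DNS answers rotate almost daily, the infrastructure
churn pattern the report attributes to Actinium's staging and C2 domains.

Added defender-side example; the passive-DNS records below are constructed
for illustration and the names/addresses are placeholders."""
from collections import defaultdict
from datetime import date

# Constructed resolver-log sample: (domain, observation date, resolved IP).
SAMPLE_RECORDS = [
    ("staging-example.invalid", date(2022, 1, 1), "203.0.113.10"),
    ("staging-example.invalid", date(2022, 1, 2), "203.0.113.22"),
    ("staging-example.invalid", date(2022, 1, 3), "198.51.100.7"),
    ("staging-example.invalid", date(2022, 1, 4), "198.51.100.41"),
    ("cdn-example.invalid", date(2022, 1, 1), "192.0.2.5"),
    ("cdn-example.invalid", date(2022, 1, 2), "192.0.2.5"),
    ("cdn-example.invalid", date(2022, 1, 3), "192.0.2.5"),
    ("cdn-example.invalid", date(2022, 1, 4), "192.0.2.5"),
]


def churn_profile(records):
    """Return {domain: (distinct_ip_count, daily_change_ratio)}.

    daily_change_ratio is the fraction of consecutive observation days on
    which the resolved IP differed from the previous day's answer."""
    by_domain = defaultdict(list)
    for domain, day, ip in records:
        by_domain[domain].append((day, ip))
    profile = {}
    for domain, observations in by_domain.items():
        observations.sort()  # chronological order before pairing days
        ips = [ip for _, ip in observations]
        changes = sum(1 for a, b in zip(ips, ips[1:]) if a != b)
        ratio = changes / (len(ips) - 1) if len(ips) > 1 else 0.0
        profile[domain] = (len(set(ips)), ratio)
    return profile


def flag_rotating_domains(records, min_ips=3, min_ratio=0.75):
    """Domains with several distinct IPs whose answer changes on most days."""
    return sorted(domain for domain, (n_ips, ratio) in churn_profile(records).items()
                  if n_ips >= min_ips and ratio >= min_ratio)


if __name__ == "__main__":
    print(flag_rotating_domains(SAMPLE_RECORDS))
```

Legitimate round-robin and CDN hosting also rotate addresses, so treat the output as a triage signal to correlate with registration dates and first-seen times rather than as a verdict on its own.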
According to Microsoft, the group used Pterodo malware to gain interactive access to target networks; in some cases it also used the legitimate UltraVNC application for interactive connections to targets. QuietSieve, another key element of Actinium’s malware, is used to exfiltrate data from a compromised server as well as to receive and execute a remote payload from the operator. Actinium, according to Microsoft, quickly generates a variety of payloads with lightweight capabilities using obfuscated scripts, which are then used to deliver more capable malware. The rapid creation of these scripts, which Microsoft characterizes as “fast-moving targets with a high degree of variance,” makes antivirus detection harder. DinoTrain, DilongTrash, Obfuberry, PowerPunch, DessertDown, and Obfumerry are among these downloaders.