Armageddon group by European Union & Ukrainian government.

THREAT LEVEL: Red.

For a detailed advisory, download the pdf file here

The Computer Emergency Response Team of Ukraine (CERT-UA) has issued an alert warning of an ongoing spear-phishing attempt aimed at delivering an email with a malware attachment to Ukrainian government institutions and European state agencies. According to CERT-UA researchers, the hacker organization UAC-0010, also known as Armageddon, is responsible for spear-phishing attempts against Ukrainian government personnel.

The group’s principal attack vector has been mass-sending emails to potential victims with harmful attachments that lead to the spread of different malware strains throughout the course of their exposed activity, and the most recent cyber-attacks are no exception. In the early days of their activity, the Gamaredon group used simple tools written in VBScript, VBA Script, C#, C++, and other programming languages, mostly relying on open-source software, before gradually expanding their toolkit with a number of custom cyber espionage tools, such as Pterodo/Pteranodon and EvilGnome malware.

The Mitre TTPs used by Armageddon are:

TA0001: Initial Access

TA0002: Execution

TA0005: Defense Evasion

T1566: Phishing

T1218: Signed Binary Proxy Execution

T1564: Hide Artifacts

T1059: Command and Scripting Interpreter