Attacks on European Union and Ukrainian government entities carried out by the Armageddon group


THREAT LEVEL: Red.


The Computer Emergency Response Team of Ukraine (CERT-UA) has issued an alert warning of an ongoing spear-phishing campaign aimed at delivering emails with a malware attachment to Ukrainian government institutions and European state agencies. According to CERT-UA researchers, the hacking group UAC-0010, also known as Armageddon, is responsible for the spear-phishing attempts against Ukrainian government personnel.

Throughout its publicly exposed activity, the group's principal attack vector has been mass-mailing potential victims with malicious attachments that spread different malware strains, and the most recent cyber-attacks are no exception. In the early days of its activity, the Gamaredon group used simple tools written in VBScript, VBA, C#, C++, and other programming languages, relying mostly on open-source software, before gradually expanding its toolkit with a number of custom cyber-espionage tools, such as the Pterodo/Pteranodon and EvilGnome malware.

The MITRE ATT&CK TTPs used by Armageddon are:

TA0001: Initial Access

TA0002: Execution

TA0005: Defense Evasion

T1566: Phishing

T1218: Signed Binary Proxy Execution

T1564: Hide Artifacts

T1059: Command and Scripting Interpreter


References

https://cert-gov-ua.translate.goog/article/39386?_x_tr_sl=uk&_x_tr_tl=en&_x_tr_hl=de&_x_tr_pto=wapp

https://cert-gov-ua.translate.goog/article/39086?_x_tr_sl=uk&_x_tr_tl=en&_x_tr_hl=de&_x_tr_pto=wapp

https://cert-gov-ua.translate.goog/article/39138?_x_tr_sl=uk&_x_tr_tl=en&_x_tr_hl=de&_x_tr_pto=wapp
