CERT-UA has observed phishing attempts associated with a Russian threat group Armageddon (aka Gamaredon). The malicious emails infect the target systems with malware with the goal of espionage.

Armageddon campaigns

The agency has spotted two separate cases of phishing attacks and linked them to Armageddon. 
  • While one campaign targets Ukrainian organizations, the other focuses on government agencies in the European Union.
  • In at least one case, emails were being sent to the Latvian government. Therefore, the same campaign could be targeting other European governments as well.

The Ukraine campaign 

The Armageddon campaigns aimed at Ukraine distribute emails with information on war criminals of the Russian Federation, to different government agencies in the country.
  • The emails were sent from vadim_melnik88@i[.]ua and were accompanied by an HTML attachment that CERT-UA claims have a low detection rate by security software at present.
  • When opened, a RAR file is created and dropped automatically on the computer, which claims to include the identification details of the war criminals in Ukraine in a shortcut file (.lnk).
  • Instead of finding the supposed details, any recipient who clicks on the LNK file downloads another HTA file loaded with VBScript code that runs PowerShell script to obtain the final payload.

The EU campaign

In this campaign, the attacker is found targeting different EU government officials, where the threat group uses RAR archive attachments named “Necessary_military_assistance” and “Assistance”.
  • The archives have shortcut files that supposedly include lists of things required for military and humanitarian assistance. Opening the file starts the same malware infection chain mentioned above.
  • The address of the sender is info@military-ukraine[.]site, which seems legitimate, while the signee looks to be Deputy Commander for Armaments and Major General in Ukraine.

Conclusion

Since the invasion by Russian forces, Ukraine's government and businesses are facing constant cyberattacks. The recent phishing attacks from Armageddon have joined the growing list of threat groups targeting Ukraine. Thus, concerned organizations are recommended to follow the guideline on the CERT-UA site for countermeasures.

Cyware Publisher

Publisher

Cyware