Russian Cybercriminals “Armageddon Group” Spreading New Tricky Phishing Emails with Great Deanonymization Flow

On April 4, 2022, the Computer Emergency Response Team of Ukraine (CERT-UA) warned of a massive spear-phishing campaign launched by the hacking group UAC-0010 (Armageddon), which is linked to the FSB.

CERT-UA reports that UAC-0010 is sending malicious emails with the subject “Information on Russian war criminals” carrying the HTML file “War criminals of the Russian Federation.htm“. The tricky part is that the HTML file itself is not flagged by antivirus software; when opened, it creates the RAR archive “Viyskovi_zlochinci_RU.rar”, which contains a shortcut file named “War criminals destroying Ukraine (home addresses, photos, phone numbers, pages on social networks) .lnk”.

Opening the shortcut downloads an HTA file containing VBScript code, which in turn downloads and runs the PowerShell script “get.php” (GammaLoad.PS1). This script computes a unique identifier for the computer (derived from the computer name and the serial number of the system disk), sends it to the command-and-control server in an HTTP POST request so that it can be used as the XOR key, then downloads the payload, XOR-decodes it and launches it. As a result, the attacker gains remote access to the system.

How Does It Work?
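
The stage of this chain that is easiest for a defender to catch in endpoint telemetry is the HTA host spawning PowerShell. The following added example (not from the article or from CERT-UA) walks constructed process-creation events and flags PowerShell processes launched beneath an HTA host; it assumes the HTA stage runs under mshta.exe, the standard Windows HTA host, and the event records, field names and placeholder URL are made up for the example.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class ProcEvent:
    """One constructed process-creation record (Sysmon event ID 1 style fields)."""
    pid: int
    ppid: int
    image: str      # executable name, lower-case
    cmdline: str

# Constructed sample telemetry modelled on the chain described in the advisory:
# explorer opens the .lnk -> mshta.exe runs the .hta -> powershell.exe runs the loader.
# The URL is a placeholder, not an indicator from the advisory.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(100, 1,   "explorer.exe",   "explorer.exe"),
    ProcEvent(200, 100, "mshta.exe",      'mshta.exe "http://EXAMPLE-C2-PLACEHOLDER/x.hta"'),
    ProcEvent(300, 200, "powershell.exe", "powershell.exe <GammaLoad stage placeholder>"),
    ProcEvent(400, 100, "winword.exe",    "winword.exe report.docx"),        # benign
    ProcEvent(500, 400, "powershell.exe", "powershell.exe -c Get-Date"),     # benign parent
]

def build_parent_map(events: List[ProcEvent]) -> Dict[int, ProcEvent]:
    """Index events by pid so the parent chain can be walked."""
    return {e.pid: e for e in events}

def has_ancestor(event: ProcEvent, by_pid: Dict[int, ProcEvent],
                 image: str, max_depth: int = 3) -> bool:
    """Walk up to max_depth parents looking for one whose image matches."""
    cur = by_pid.get(event.ppid)
    depth = 0
    while cur is not None and depth < max_depth:
        if cur.image == image:
            return True
        cur = by_pid.get(cur.ppid)
        depth += 1
    return False

def detect_hta_to_powershell(events: List[ProcEvent]) -> List[int]:
    """Return pids of powershell.exe processes spawned beneath an mshta.exe host."""
    by_pid = build_parent_map(events)
    return [e.pid for e in events
            if e.image == "powershell.exe" and has_ancestor(e, by_pid, "mshta.exe")]

if __name__ == "__main__":
    print(detect_hta_to_powershell(SAMPLE_EVENTS))  # → [300]
```

The check is ancestry-based rather than direct-parent-based so that an intermediate cmd.exe or conhost.exe hop does not hide the chain.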

Access the list of IoC and the original investigation by CERT-UA.