Russian cyber gang Armageddon leaves 30 minutes to react


The current tactics of the Russian cyber gang Armageddon have been laid out by Ukraine's CERT-UA. Relying on messengers and emails sent from previously compromised accounts, the perpetrators start stealing sensitive documents within 30–50 minutes of a user opening a malicious file.

Armageddon, one of the most dangerous Russian-linked hacking groups, is stepping up its intrusions into the IT systems of Ukrainian public institutions. Active since 2014, Armageddon is also tracked as Gamaredon, UAC-0010, Trident Ursa, Primitive Bear, and Shuckworm.

The Ukrainian Computer Emergency Response Team (CERT-UA) published the group's current tactics and warned that the adversaries need less than an hour from initial infection to begin stealing data.


The group's primary attack vector is spear-phishing via email and via messages on Telegram, WhatsApp, Signal, or other messengers, sent from previously compromised accounts so that they arrive from a trusted contact. The most widespread lure is an archive containing an HTM or HTA file; opening it (an HTA is executed by the Windows script host mshta.exe) starts the infection chain.

“Within 30–50 minutes following the initial infection, the perpetrators are able to steal files with the extensions .doc, .docx, .xls, .xlsx, .rtf, .odt, .txt, .jpg, .jpeg, .pdf, .ps1, .rar, .zip, .7z, .mdb, mostly by using GAMMASTEEL malware products,” CERT-UA said.

Secondary attack vectors include spreading the malware through infected removable storage media, legitimate files, shortcuts, and modified Microsoft Office Word templates. A tampered template infects every document subsequently created on the device by adding macros to it.

The infection spreads rapidly within organizations’ networks, and the number of infected computers sometimes reaches several thousand at a time. A single device may contain around one hundred instances of malicious files after just one week.

(Image caption: Distribution of malicious files using Signal)

A characteristic feature of the GAMMASTEEL stealer is that it keeps a log file. It may be named “%LOCALAPPDATA%\_profiles_1_new_.ini” and contains the hashes of the stolen files, so the number of entries in the log equals the number of files exfiltrated. This makes the log the first artifact to collect when scoping what was taken from a host.
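The triage step implied by that log, as an added example (not code from the CERT-UA report or from the malware): parse the stealer log, count its entries, and match the hashes against the documents still on the host to learn which files were taken. The report does not document the log's exact layout or hash algorithm, so the parser assumes one hex digest per entry line and infers MD5, SHA-1 or SHA-256 from the digest length; the sample files and log below are constructed in a temporary directory.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Extensions CERT-UA lists as targeted by GAMMASTEEL.
STOLEN_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".rtf", ".odt", ".txt", ".jpg", ".jpeg",
               ".pdf", ".ps1", ".rar", ".zip", ".7z", ".mdb"}
# ASSUMPTION: the report does not say which hash the log stores; infer it from digest length.
ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
HASH_RE = re.compile(r"\b(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\b")


def parse_stealer_log(text: str) -> list:
    """Return one lowercase digest per log entry.
    ASSUMPTION: the real _profiles_1_new_.ini layout is not documented on the page;
    only the presence of a hex digest on a line is relied on, so INI section
    headers and other fields are ignored."""
    entries = []
    for line in text.splitlines():
        m = HASH_RE.search(line)
        if m:
            entries.append(m.group(0).lower())
    return entries


def file_digest(path: Path, algo: str) -> str:
    """Hash a file in chunks so large archives do not need to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def match_stolen_files(entries: list, root: Path):
    """Map log entries to files under root; unmatched entries point at files that
    were already deleted, renamed, or lived on media no longer attached."""
    algos = {ALGO_BY_LEN[len(e)] for e in entries}
    index = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in STOLEN_EXTS:
            for algo in algos:
                index[file_digest(p, algo)] = p
    matched = {e: index[e] for e in entries if e in index}
    unmatched = [e for e in entries if e not in index]
    return matched, unmatched


def demo():
    """Constructed host snapshot: two targeted documents, one non-targeted image,
    and a stealer log naming both documents plus a file that is no longer present."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "plan.docx").write_bytes(b"constructed sample document A")
        (root / "notes.txt").write_bytes(b"constructed sample document B")
        (root / "photo.png").write_bytes(b"not in the targeted extension list")
        log = "\n".join([
            "[profile]",                                  # header line, carries no hash
            file_digest(root / "plan.docx", "md5"),
            file_digest(root / "notes.txt", "sha256"),
            "deadbeef" * 4,                               # digest of a file no longer on disk
        ])
        entries = parse_stealer_log(log)
        matched, unmatched = match_stolen_files(entries, root)
        return len(entries), sorted(p.name for p in matched.values()), unmatched


if __name__ == "__main__":
    count, names, missing = demo()
    print(f"{count} entries in log; identified on disk: {names}; unresolved: {missing}")
```

Hashing every candidate file is the expensive part; on a real host, limit `root` to user profile directories and mounted removable media first, and treat unresolved digests as evidence of files that should be looked for in backups or on other hosts.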

The attackers also run commands remotely on infected machines and may install AnyDesk or similar remote-access software for persistent access. To bypass two-factor authentication, they steal browser session data (cookies) with a PowerShell script: replaying an already-authenticated session cookie means the second factor is never challenged.

To avoid detection and blocking, the attackers rotate their infrastructure automatically: the IP addresses of intermediate command-and-control nodes change at least three to six times a day, sometimes more, so IP-based blocklists alone give little lasting protection.


Cleanup also needs care. Reinstalling the operating system is not enough on its own: if a single infected document is opened again on the rebuilt machine, reinfection is highly likely, so documents and templates restored from the old system should be checked for embedded macros before anyone opens them.
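One such check, covering both the tampered Word templates described earlier and the documents to be restored after a rebuild, as an added example (not code from CERT-UA or from the malware): an Office Open XML file is a ZIP container, and one that carries VBA stores it as `word/vbaProject.bin` and declares a macro-enabled content type in `[Content_Types].xml`. The scanner below flags either indicator, flags VBA hidden in a `.docx`/`.dotx` (extensions that should never carry macros), and flags external relationships in `word/_rels/*.rels` (a remote template reference). The sample documents are built in memory for the example; `build_sample_doc` is a constructed helper, not a real document.

```python
import io
import re
import zipfile

# Indicators of VBA inside an Office Open XML (.docx/.docm/.dotx/.dotm) container.
VBA_PART = "word/vbaProject.bin"
MACRO_CT_MARKER = "macroEnabled"      # substring of the .docm/.dotm main-part content type
EXTERNAL_REL = re.compile(r'TargetMode\s*=\s*"External"', re.I)
NON_MACRO_EXTS = {"docx", "dotx"}     # Word never expects VBA under these extensions


def build_sample_doc(with_macro: bool) -> bytes:
    """Constructed test data: a minimal OOXML container, optionally with a VBA part."""
    if with_macro:
        main_ct = "application/vnd.ms-word.document.macroEnabled.main+xml"
    else:
        main_ct = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    overrides = [f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>']
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        if with_macro:
            overrides.append('<Override PartName="/word/vbaProject.bin" '
                             'ContentType="application/vnd.ms-office.vbaProject"/>')
            # OLE compound-file signature followed by padding; stands in for a real VBA project.
            zf.writestr(VBA_PART, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 56)
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0" encoding="UTF-8"?>'
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                    + "".join(overrides) + "</Types>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/settings.xml.rels", "<Relationships/>")
    return buf.getvalue()


def scan_document(data: bytes, name: str) -> dict:
    """Report whether an OOXML file carries VBA or points at an external template."""
    result = {"name": name, "ooxml": True, "macro": False, "findings": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Legacy .doc/.dot files are OLE containers, not ZIPs; they need a separate OLE parser.
        result["ooxml"] = False
        result["findings"].append("not an OOXML container; inspect as legacy binary (OLE) format")
        return result
    names = set(zf.namelist())
    if VBA_PART in names:
        result["macro"] = True
        result["findings"].append(f"VBA project stored as {VBA_PART}")
    if "[Content_Types].xml" in names:
        content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        if MACRO_CT_MARKER in content_types:
            result["macro"] = True
            result["findings"].append("macro-enabled content type declared")
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if result["macro"] and ext in NON_MACRO_EXTS:
        result["findings"].append(f"VBA inside a .{ext} file, which should never carry macros")
    for part in sorted(names):
        if part.startswith("word/_rels/") and part.endswith(".rels"):
            if EXTERNAL_REL.search(zf.read(part).decode("utf-8", "replace")):
                result["findings"].append(f"external relationship in {part} (remote template or linked content)")
    return result


if __name__ == "__main__":
    for label, blob, fname in [("tampered template", build_sample_doc(True), "Normal.dotm"),
                               ("clean template", build_sample_doc(False), "Normal.dotm"),
                               ("renamed macro doc", build_sample_doc(True), "report.docx")]:
        print(label, scan_document(blob, fname))
```

Run it over the user's template directory and over every document that will be copied back onto a rebuilt machine; a VBA part in any template, or in a file with a non-macro extension, is reason to quarantine the file rather than open it.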

Armageddon is focused on Ukraine. The group's primary objective is espionage against the security and defense forces of the war-struck country, and there is also at least one known destructive attack on infrastructure.

CERT-UA urges Ukrainian soldiers to run EDR (endpoint detection and response) software. Without such protection, individual devices and the whole network are exposed to a higher risk of compromise. Among the effective ways to reduce the threat is to restrict execution of the mshta.exe, wscript.exe, cscript.exe, and powershell.exe processes, which the infection chain depends on, for example through application control policies and alerting on their use.
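Where those four binaries cannot simply be blocked, the fallback is to alert on the way this chain uses them: an archive is opened, an HTA or HTM inside it is launched by mshta.exe, and that in turn spawns a hidden, encoded PowerShell. The rule below is an added example (not from CERT-UA and not a published detection signature) that evaluates that pattern over process-creation events using Sysmon Event ID 1 field names; the five events, the user name and the paths in them are constructed for the example, and the parent-process list (archivers, Explorer, mail and messenger clients) is an assumption about how a phished user launches the file.

```python
import re

# Five constructed process-creation events with Sysmon Event ID 1 field names.
# The first two model the chain described in the article; the rest are benign noise.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" "C:\Users\ivan\AppData\Local\Temp\Rar$DIa0.123\zvit.hta"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "powershell.exe -w hidden -nop -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1"},
    {"Image": r"C:\Windows\System32\cscript.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cscript.exe C:\Windows\System32\slmgr.vbs /dli"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe C:\Users\ivan\Documents\notes.txt"},
]

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
LOLBINS = SCRIPT_HOSTS | {"powershell.exe"}
# ASSUMPTION: processes through which a user opens an attachment or an archive member.
DROP_PARENTS = {"winrar.exe", "7zfm.exe", "7zg.exe", "explorer.exe",
                "outlook.exe", "telegram.exe", "signal.exe"}
USER_WRITABLE = re.compile(r"\\(?:Temp|Downloads|Rar\$[^\\]*)\\", re.I)
HTA_ARG = re.compile(r"\.(?:hta|html?)\b|https?://", re.I)
ENCODED_PS = re.compile(r"\s-(?:e|ec|enc|encodedcommand)\s", re.I)
HIDDEN_PS = re.compile(r"\s-w(?:indowstyle)?\s+hidden\b", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> list:
    """Return the list of reasons this event matches; empty means no alert."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    reasons = []
    if image not in LOLBINS:
        return reasons
    if parent in DROP_PARENTS and USER_WRITABLE.search(cmd):
        reasons.append(f"{image} launched by {parent} on a file in a user-writable path")
    if image == "mshta.exe" and HTA_ARG.search(cmd):
        reasons.append("mshta.exe executing HTA/HTM content")
    if image in {"wscript.exe", "cscript.exe"} and USER_WRITABLE.search(cmd):
        reasons.append(f"{image} running a script from a user-writable path")
    if image == "powershell.exe":
        if parent in SCRIPT_HOSTS:
            reasons.append(f"powershell.exe spawned by script host {parent}")
        if ENCODED_PS.search(cmd):
            reasons.append("encoded PowerShell command")
        if HIDDEN_PS.search(cmd):
            reasons.append("PowerShell window hidden")
    return reasons


def triage(events: list) -> list:
    """Return (index, reasons) for every event that triggers at least one rule."""
    return [(i, evaluate(e)) for i, e in enumerate(events) if evaluate(e)]


if __name__ == "__main__":
    for idx, why in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {basename(SAMPLE_EVENTS[idx]['Image'])} -> {'; '.join(why)}")
```

The two chain events fire on several rules each while the administrator's `-File` script, the licensing VBS and Notepad stay silent; in production, correlate the mshta.exe hit with the PowerShell child on the same host within a short window, since the article's 30–50 minute window starts at the first of them.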