The Ukrainian Computer Emergency Response Team (CERT) has observed an uptick in phishing emails sent by a Russian cybercriminal group known as Armageddon. The group, also known as Gamaredon, uses these malicious emails to infect targeted systems with malware for espionage purposes.
The agency has identified two phishing campaigns that it attributes to the threat group. According to its report, one campaign exclusively targets Ukrainian private firms, while the other focuses on the government sector in the European Union.
In one of the confirmed cases, emails were sent by the threat actors to the government of Latvia. Hence, the same phishing attack might also be targeting European governments.
Armageddon’s phishing emails use the subject of Russian war criminals as a lure.
Armageddon’s phishing emails aimed at Ukrainians promise detailed information about Russian war criminals, a topic likely to draw the interest of unsuspecting users given the ongoing conflict in their region.
The researchers said the emails were sent from vadim_melnik88@i[.]ua and carried an HTML attachment that, according to the report, had a low detection rate among the security software currently used in Ukraine. When a user opens the malicious email, the payload inside it creates a RAR archive and drops it on the device. Any recipient who then opens the LNK file automatically downloads an HTA file containing VBScript code, which runs a PowerShell script to retrieve the final malware.
In the second campaign, the researchers found the adversaries targeting several European government officials with RAR archive attachments named “Necessary_military_assistance.” The archives contain shortcut files that purport to list the steps required to obtain humanitarian and military assistance. Opening the file starts the same infection chain described above.
Lastly, the sender address is the most convincing part of the lure: the domain used appears to be legitimate, and the signature purports to be that of the Deputy Commander for Armaments in Ukraine.
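Both campaigns end in the same LNK → HTA/VBScript → PowerShell chain, which leaves a recognisable parent-child pattern in process-creation telemetry. The following detector is an added example written for this article, not code from CERT-UA or from the report; the event layout, process IDs, file names and command lines are all constructed for illustration.

```python
# Added example: heuristic for the LNK -> HTA (mshta.exe) -> PowerShell chain
# described above. Event schema and all sample values are constructed.

# Constructed Sysmon-style process-creation events: pid, ppid, image, cmdline.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",
     "cmdline": "explorer.exe"},
    # explorer.exe launches mshta.exe when the user opens the LNK from the archive
    {"pid": 200, "ppid": 100, "image": "mshta.exe",
     "cmdline": 'mshta.exe "C:\\Users\\u\\AppData\\Local\\Temp\\stage.hta"'},
    # the HTA's VBScript spawns a hidden, encoded PowerShell stage
    {"pid": 300, "ppid": 200, "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc <base64-placeholder>"},
    # benign control: PowerShell started by Word via a visible script
    {"pid": 400, "ppid": 100, "image": "winword.exe",
     "cmdline": "winword.exe report.docx"},
    {"pid": 500, "ppid": 400, "image": "powershell.exe",
     "cmdline": "powershell.exe -File sign.ps1"},
]

SUSPICIOUS_PS_FLAGS = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden")

def ancestry(events, pid):
    """Return lower-cased image names from pid up to the root of the tree."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # 'seen' guards against pid reuse loops
        seen.add(pid)
        chain.append(by_pid[pid]["image"].lower())
        pid = by_pid[pid]["ppid"]
    return chain

def detect_hta_powershell_chain(events):
    """Flag PowerShell whose parent is mshta.exe and grandparent is explorer.exe,
    the shape produced when a user double-clicks an LNK that runs an HTA."""
    findings = []
    for e in events:
        if e["image"].lower() != "powershell.exe":
            continue
        chain = ancestry(events, e["pid"])   # [self, parent, grandparent, ...]
        if len(chain) >= 3 and chain[1] == "mshta.exe" and chain[2] == "explorer.exe":
            cmd = e["cmdline"].lower()
            findings.append({
                "pid": e["pid"],
                "chain": " <- ".join(chain[:3]),
                "hidden_or_encoded": any(f in cmd for f in SUSPICIOUS_PS_FLAGS),
            })
    return findings

if __name__ == "__main__":
    for finding in detect_hta_powershell_chain(SAMPLE_EVENTS):
        print(finding)
```

The benign Word-launched PowerShell is deliberately left unflagged so the rule keys on the mshta.exe parent rather than on PowerShell alone.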
The entry of Russian forces into Ukrainian territory has been accompanied by numerous cyberattacks against the invaded country. The current phishing campaigns by the Armageddon group are the latest addition to the long list of threat groups targeting Ukraine.