Armageddon APT aka UAC-0010 Uses GammaLoad and GammaSteel Malware in Targeted Cyber-Attacks on Ukraine

Posted on


With the outbreak of world cyber warfare, the malicious exercise of the Armageddon cyber espionage group, also referred to as Gamaredon or UAC-0010, has been within the highlight within the subject of cyber threats concentrating on Ukrainian state companies. The hacker collective launched a sequence of cyber phishing assaults, together with campaigns in Could that unfold the GammaLoad.PS1_v2 malware and in April 2022. On August 10, 2022, CERT-UA launched a brand new alert warning cyber defenders of ongoing cyber phishing assaults in Ukraine. profiting from GammaLoad and GammaSteel malware.

Armageddon APT (UAC-0010) Exercise – Evaluation of the newest campaigns spreading the GammaLoad and GammaSteel payloads

All through the primary half of 2022, ever since Russia’s full-scale invasion of Ukraine, the notorious Russian nation-backed APT group, tracked as Armageddon, also referred to as UAC-0010, has been actively exploiting the vector phishing assaults and launching a number of malicious campaigns concentrating on Ukraine. The hacker collective has been massively distributing HTM droppers that set off an infection chains and deploy the GammaLoad.PS1 payload on compromised programs.

In accordance with cybersecurity analysis lined in CERT-UA alert CERT-UA#5134, attackers goal to steal information based mostly on the outlined record of extensions together with person credentials from net browsers. To achieve entry to this delicate information, menace actors leverage the GammaSteel.PS1 and GammaSteel.NET malware, the previous being the PowerShell iteration of the beforehand utilized HarvesterX information stealer.

Within the newest campaigns, the Armageddon APT group additionally resorts to distant template injection assaults by infecting the template file utilizing a malicious macro that generates a URL and provides it as an attachment to the newly created doc. This results in infecting all of the information created on the sufferer’s pc together with their subsequent unintentional distribution by the compromised person.

Menace actors primarily apply scheduled duties, the Execute registry department, and altering environments to realize persistence and deploy payloads, in addition to execute malicious PowerShell scripts and abuse official executable information akin to wscript.exe both mshta.exe.

Armageddon APT alias UAC-0010 Malicious Exercise Detection

As a result of rising volumes of phishing campaigns attributed to the exercise of the Russian-linked Armageddon APT group adversary, cybersecurity professionals are on the lookout for new methods to well timed establish the malicious presence of associated malware of their setting. SOC Prime’s detection-as-code platform gives a curated record of Sigma guidelines tagged accordingly based mostly on the group identifier “UAC-0010” to simplify content material attempting to find associated malicious exercise. Excessive-fidelity alerts and search queries from this assortment of detection algorithms will be transformed to industry-leading SIEM, EDR, and XDR applied sciences.

Observe the hyperlink beneath for fast entry to the devoted detection stack obtainable instantly from the SOC Prime Cyber ​​Menace Search Engine, together with full contextual data enriched with MITER ATT&CK® and CTI references, executable binaries linked to Sigma guidelines and most related metadata:

Sigma Guidelines to Proactively Defend Towards Malicious Armageddon Group Exercise APT/UAC-0010

Menace Hunters and Cyber ​​Menace Intelligence specialists also can search for indicators of compromise related to malicious exercise from the UAC-0010 group lined within the newest CERT-UA alert. Moreover, groups can leverage Uncoder.CTI to generate related customized IOC queries able to run within the chosen SIEM or XDR setting.

IOCs to search for malicious activity of the UAC-0010 group with Uncoder.CTI

For extra Sigma guidelines for detecting malicious exercise by the Armageddon hacker collective, also referred to as Gamaredon, click on the detect and hunt button. Unregistered SOC Prime customers also can immediately entry context-rich detections for associated threats utilizing our cyber menace search engine by clicking the button Discover menace context button beneath.

Detect and hunt Discover menace context


To delve into the context of MITER ATT&CK associated to the malicious exercise of Armageddon menace actors (UAC-0010), the entire Sigma guidelines inside the aforementioned detection stack are aligned with the MITER ATT&CK® framework that addresses the techniques and corresponding methods:

Armageddon APT aka UAC-0010 Uses GammaLoad and GammaSteel Malware in Targeted Cyber-Attacks on Ukraine