
PolySwarm Threat Bulletin: Armageddon Activity Targeting Ukraine

Written by PolySwarm Team | Feb 9, 2022 7:16:05 PM



Background


Last week we released a report and blog post on the Russia-Ukraine conflict, past cyber altercations between the two nations, and the potential cyber implications if the current conflict escalates. In that report we covered historical activity by the threat actor group Armageddon. Palo Alto Networks' Unit 42 recently reported ongoing activity targeting Ukraine that they attribute to Armageddon, also known in the industry as Gamaredon or Primitive Bear. While Unit 42 did not elaborate on the magnitude or implications of these attacks, they did provide a breakdown of Armageddon's infrastructure.

Who is Armageddon?

According to Unit 42, Armageddon is currently one of the most active APT groups targeting Ukrainian assets. The group's activity has traditionally been espionage aligned with Russian interests. In November 2021, the Security Service of Ukraine (SSU) publicly linked five Russian Federal Security Service (FSB) officers based in Crimea to the group. The SSU report states that Armageddon has been active since at least 2014 and ran multiple cyber-espionage campaigns between 2017 and 2021. The SSU also notes that Armageddon does not typically use sophisticated TTPs and does not appear to emphasize OPSEC. Tools and TTPs associated with Armageddon include spearphishing, the Pteranodon RAT, PowerShell, FileStealer, and EvilGnome.


Armageddon Infrastructure

Unit 42 mapped Armageddon's infrastructure and identified three major clusters comprising over 700 malicious domains, 215 IP addresses, and 100 malware samples. While monitoring these clusters, Unit 42 observed Armageddon targeting a Western government entity based in Ukraine on January 19, 2022, presumably with espionage as the goal.


Unit 42’s report includes a breakdown of the three Armageddon infrastructure clusters they identified:

  • Cluster 1 is used for initial downloaders for Armageddon’s tools and malware. 
  • Cluster 2 is used for Armageddon’s file stealer tools. 
  • Cluster 3 is associated with Armageddon’s Pteranodon RAT. 

They note that, instead of abandoning domains after a campaign, the group tends to recycle them, rotating them across new infrastructure. For example, the domain libre4[.]space has been attributed to the group since at least 2019 yet is still active and resolves to new IP addresses daily. Unit 42's mapping turned up both legacy domains the group has used before and new, as-yet-unused domains. Unit 42 assesses that Armageddon rotates its domains regularly as a sort of shell game to obscure its activity and evade researchers. For defenders this means IP-based blocks against this group decay within days, while the recycled domain names and DNS telemetry keep their value far longer. Unit 42 has published the IOCs from this research on GitHub, including the domains and IP addresses associated with Armageddon's infrastructure.
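The rotation pattern described above (a long-lived domain whose A record changes almost every day) is something a SOC can hunt for in its own DNS or passive-DNS data. The following Python is an added example written for this bulletin; it is not code from PolySwarm or from Unit 42's research. The resolution records are constructed for illustration (the IPs come from RFC 5737 documentation ranges and are not real resolutions of any domain), and the thresholds in `find_rotating_domains` are hypothetical starting points rather than anything the source specifies. libre4[.]space is the domain named in the Unit 42 research; `example.com` and `cdn-edge.example.net` stand in for a static host and a round-robin CDN that must not be flagged.

```python
"""Flag domains whose resolutions churn day over day, the behaviour Unit 42
attributes to Armageddon's recycled domains, and match observed domains
against a defanged IOC list. Added example; all records below are constructed."""
from collections import defaultdict
from datetime import date

# Constructed passive-DNS style records: (observation date, domain, resolved IP).
# IPs are drawn from RFC 5737 documentation ranges and are illustrative only.
SAMPLE_RESOLUTIONS = [
    ("2022-01-17", "libre4.space", "192.0.2.10"),
    ("2022-01-18", "libre4.space", "192.0.2.11"),
    ("2022-01-19", "libre4.space", "198.51.100.7"),
    ("2022-01-20", "libre4.space", "203.0.113.2"),
    ("2022-01-17", "example.com", "192.0.2.50"),
    ("2022-01-18", "example.com", "192.0.2.50"),
    ("2022-01-19", "example.com", "192.0.2.50"),
    ("2022-01-20", "example.com", "192.0.2.50"),
    ("2022-01-17", "cdn-edge.example.net", "192.0.2.60"),
    ("2022-01-18", "cdn-edge.example.net", "192.0.2.61"),
    ("2022-01-19", "cdn-edge.example.net", "192.0.2.60"),
    ("2022-01-20", "cdn-edge.example.net", "192.0.2.61"),
]

# Defanged indicators as they appear in published reports. libre4[.]space is
# the domain Unit 42 names; the list is otherwise a placeholder for a real feed.
KNOWN_IOC_DOMAINS = ["libre4[.]space"]


def refang(indicator):
    """Undo common defanging ('[.]', '(.)', 'hxxp') so IOCs compare to live data."""
    return (indicator.replace("[.]", ".").replace("(.)", ".")
            .replace("hxxp", "http").strip().lower())


def resolution_history(records):
    """Group records into domain -> list of (date, ip), sorted by date."""
    hist = defaultdict(list)
    for day, dom, ip in records:
        hist[dom.lower()].append((date.fromisoformat(day), ip))
    return {dom: sorted(h) for dom, h in hist.items()}


def rotation_profile(history):
    """Return (distinct_ips, ip_changes_between_consecutive_records, days_observed)."""
    ips = [ip for _, ip in history]
    distinct = len(set(ips))
    days = len({d for d, _ in history})
    changes = sum(1 for prev, cur in zip(ips, ips[1:]) if prev != cur)
    return distinct, changes, days


def find_rotating_domains(records, min_days=3):
    """Flag domains that show a fresh address on (almost) every observed day.

    A round-robin pool (cdn-edge.example.net) also changes between records,
    but its distinct-IP count stays small, so it is not flagged. The
    thresholds are hypothetical; tune them against your own DNS baseline.
    """
    flagged = {}
    for dom, hist in resolution_history(records).items():
        distinct, changes, days = rotation_profile(hist)
        if days >= min_days and distinct >= 3 and distinct >= days - 1:
            flagged[dom] = {"distinct_ips": distinct, "changes": changes, "days": days}
    return flagged


def match_iocs(records, ioc_domains):
    """Domains seen in the records that appear in the (defanged) IOC list."""
    iocs = {refang(d) for d in ioc_domains}
    return sorted({dom.lower() for _, dom, _ in records if dom.lower() in iocs})


if __name__ == "__main__":
    for dom, stats in find_rotating_domains(SAMPLE_RESOLUTIONS).items():
        print(f"rotating domain: {dom} {stats}")
    print("IOC hits:", match_iocs(SAMPLE_RESOLUTIONS, KNOWN_IOC_DOMAINS))
```

In practice the constructed list would be replaced with exports from a passive-DNS provider or the resolver logs of your own network, and the IOC list with the domains Unit 42 published on GitHub. The two checks complement each other: the IOC match catches the legacy domains already attributed to the group, while the rotation heuristic can surface the new, not-yet-published domains that share the same daily-churn behaviour.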

IOCs

PolySwarm has multiple samples associated with Armageddon activity, including Pteranodon RAT samples. Contact us for more information.

Hashes (SHA-256)

d8a01f69840c07ace6ae33e2f76e832c22d4513c07e252b6730b6de51c2e4385

695fabf0d0f0750b3d53de361383038030752d07b5fc8d1ba6eb8b3e1e7964fa

74cb6c1c644972298471bff286c310e48f6b35c88b5908dbddfa163c85debdee

986905caada61f2ea4aebd5664ed71cc9109a3886b998d91433216f30dc6b0e7

029005b595c5b9f3c7ddb49883b325f8f0bf5d13b18010a38d04b15f227d2052

9d085a26813cd1aa43e12d9b90aeb24df6269db92b965f61d93a8018d6b8a0cf

f08c54c4d8a470f96a0acf6aefeb95c49a8704a473d6105a921a18917e1747fa

393475dc090afab9a9ddf04738787199813f3974a22c13cb26f43c781e7b632f

3dca96ef38d4b8d1dbb4afed43a22ace93cc3a0a105120d4cf637e6dafe129e9

3c5fe61dfd3152af1ff814af0636cfd377f0c3fab53868fc3e19fd46b8a9e961

ffb6d57d789d418ff1beb56111cc167276402a0059872236fa4d46bdfe1c0a13

043d696c2199d61ee0a09be93e387498c6a53188c3e3ec20acfeccc9c9aeb251

535f533b1008a55c89cab7f4d4163e609d0d6e5b512002022d2634e74e84edf9

07698f9b727daec99c446525aca889fc086e3cf6e3c307afdd72adff0113ceb0

3e1d17efe857c935869fc28ce94c3528f7f5232fcebd40442a7c3c388e3d69be

1164ba0688458c44b2063894100ecdc52221eb85b82a5044c55043e7918d4a19

9a9d8cd54ee439d781ba9499ac1d4a878007c995f59f72ccaad4a7a6c3793938

bda512a34622dac188d6b93caad4d8e3667e4f6b1e9078d259ccea6f988c2320

d93551a9fa3ad9bdbb0f10dd447046e03a29bbb36245ac4245b80d982a78a930

652d9bc90cc1833f667508c7f794237a0945c875c61370e54c73073ba27e7c85

352b5ec506823ffc008e7b71b2968a282ea6ac08cf372ac23cc87d957ecbd889

8a9f45e819513fd02aa0521aea3a0d85490c91523227b130d7ff08d12b8820ae

280a55919e502ecb66082107374e5b71a534338a8a7c02680cc4f1f84a204d59

f8dcd730cd06b18dc109473b7dac83c4f74f5c0c864cecc80bbf9e8bae974d8e

72086e3e2992e60f2fdd35049653478db397cad5b81c59789ce0aae0590ce78b

f54c01295b27acf46f90ab22f23a5918be2a0cec329d55766a82e483b8cfeff3

884c15502dbd6fe6dd4fca322904a38bce117ab6ed102ab2da84dfb4064c3e44

304de8f4548cb616c97fcc841132a704f449c5dae709e7d1fb25810e7136cb46

42f8223ba588d510e2f2a00ca6500ba1b71684509f10695a156069876600ccdc

3fede347c45eccd0967431b7496672d43b057a3a3e42dc2922421cb7f2457d43

803f8c5827e151d7571c06d1c1a8f0dca23cc2ff377efa6744e6a98f8c297c37

ac4ea751ca1382550efb2d3f4df9242f4541836b0e82deb49847f763afdf20ca

849c372906c0f9815832e8178a829b5196150bc402a0aa081e5621f336508292

90548a2e2a8139805377bfcd3a0d8f044c2cbfa1be6f54eda9e798f0a27a2fb4

00e5afc3cd0760434f9812ac569e8c00c27a82ef4312e6290d351a88498efa8d

182ec5f3859a78ce0c42995ecf63a0e412ff189b02b57a20057d2886a9098d88

c6236e293e6dc2ec419d24e81d810dc16a7dc162d8e5fc19e5c44b44f4819a18

7c7c8548b7657c34e2b654919edbe848d460ab93630021e8e9743f8204cb0c76

367117e3acf6317b4cec64e514d461f9e761146aca0cb6eed9ef5a1fb35b63cc

7de5526d2c3c48b3fd239c87f7ab3c4ce4b26077bbdbf05fc88a9b84d6fb309b

e56254b6b78f0bdc82cddff15c49f5b56ffef9aa105f1aae435504d1cdfe3310

0fb55f55ffca9927472f7ada8fdd9d84bc57108860be0f1c737d5111d3020b5a

7fb37a7ef155120320dbf63f781af32cc2c8db3e590c7472a44fe84d4128f3ec

96ce576f383584e0a62225a91bb50fc7fd8efa068443c4785373c86f51d2e3eb

2407793f8bd2b4f3b9b14c4227b6110e48bb0b5388d181cf9eaa9585f4d595b1

8831eb86996d4778be526a6fd281c98d624b155940aae463b45dda1c5f979f1c

e4d309735f5326a193844772fc65b186fd673436efab7c6fed9eb7e3d01b6f19

84e80cbe5e3b8c0f8cde4fcd1c72551f57c46334fcdb49c90eb8ff1b942d1438

edecec2c413770fa929937c04ecf889e5c58d562c6e08ef0bfcd65ce482d397c

23d417cd0d3dc0517adb49b10ef11d53e173ae7b427dbb6a7ddf45180056c029

3aac1c049eb628e1c289d3fc3a209f9262ed4cef862a3e2157bd6f3b02cc4698

ccd5f196de54ac8ba5d5c3612f8807091f6c23dd501fa64161a161849f65f2a2

b9dd1e5ec018090b404dd7550d4423ff38ee1f016a5ab214f128544f5b399759

c77fb3d3053958ea3aa4419e2bf4d0caf14f6c74047216e789628d095cc9e733

a67e5d562e754426e061c74b04af19d8f59a9bfe5134d5bb6ed4d429d022840a

8762522851f33de2707725cd7a89879c0b0afbd32bd34e2ac4443e4cbf285640

ef46fd0f387dcb8946e9be11535ac7c24d5c2380493deb4b1700b62f60ffc74d

df70346afd410d3ba26eeeb0194fc7e6d427bfafef9a34b9efd49936ca9e273b

b7a814deba56c6905c72d744d02398d46b34e9d1d7d02b5a501b1bddaf566407

61e67302a85ff98eabc589572dbf3bf6e1012207d399b9f2b6b38527833e9198

a60df90504735f4e424ec0842e328181d7e93ac9ecd8193e892584871643bec7

cbe1dbd167bccbf61ee8608092a767ce3fbfb5fe5f6e959848d9a8d9091402fb


Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports