Armageddon Stealer

Armageddon Stealer is a lightweight malware designed to exfiltrate credentials and other sensitive information. It is commonly delivered through phishing campaigns.

Key Insights

Armageddon Stealer is a tool used by the Armageddon group (Gamaredon) for espionage. The malware is designed to extract data from infected systems, including login credentials and files. It is deployed via spear-phishing emails carrying malicious attachments or links.

Functionality

Once executed, Armageddon Stealer establishes persistence on the victim's machine, often using obfuscated Visual Basic Scripts (VBS) and scheduled tasks to keep its foothold. The malware can monitor newly connected logical volumes, such as USB drives, and exfiltrate data from them. It communicates with command-and-control (C2) servers to receive instructions and to exfiltrate the gathered data.
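The persistence pattern described above (a scheduled task that launches a VBS file through a Windows script host) is visible to defenders in Windows Security Event ID 4698, which records the XML definition of every newly created scheduled task. The following Python is an added detection example, not code from the page or from any vendor: it parses the task XML, flags tasks whose action is `wscript.exe`/`cscript.exe` running a script-host file type, and raises the severity when the script lives in a user-writable path or the task fires at logon. The event records, field names and paths are constructed for the example.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Windows Script Host binaries used to launch VBS-based persistence.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Script file types handled by Windows Script Host.
SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".wsf")
# Path fragments that indicate a user-writable (non-system) location.
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"

# Constructed sample records modelled on Windows Security Event ID 4698
# ("A scheduled task was created"). The field names and task XML are
# illustrative, not a dump from a real host.
SAMPLE_EVENTS = [
    {
        "EventID": 4698,
        "SubjectUserName": "alice",
        "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
        "TaskContent": (
            f"<Task xmlns='{TASK_NS}'><Actions><Exec>"
            "<Command>%windir%\\system32\\defrag.exe</Command>"
            "<Arguments>-c -h -o</Arguments></Exec></Actions></Task>"
        ),
    },
    {
        "EventID": 4698,
        "SubjectUserName": "bob",
        "TaskName": "\\UpdaterTask",
        "TaskContent": (
            f"<Task xmlns='{TASK_NS}'><Triggers><LogonTrigger/></Triggers>"
            "<Actions><Exec><Command>wscript.exe</Command>"
            "<Arguments>//B //E:VBScript C:\\Users\\bob\\AppData\\Roaming\\update.vbs</Arguments>"
            "</Exec></Actions></Task>"
        ),
    },
    {
        "EventID": 4698,
        "SubjectUserName": "carol",
        "TaskName": "\\NightlyBackup",
        "TaskContent": (
            f"<Task xmlns='{TASK_NS}'><Actions><Exec>"
            "<Command>C:\\Windows\\System32\\cscript.exe</Command>"
            "<Arguments>C:\\Scripts\\backup.vbs</Arguments></Exec></Actions></Task>"
        ),
    },
]


def _local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def parse_task_actions(task_xml):
    """Return (has_logon_trigger, [(command, arguments), ...]) from task XML."""
    root = ET.fromstring(task_xml)
    has_logon_trigger = any(_local(e.tag) == "LogonTrigger" for e in root.iter())
    actions = []
    for exec_el in (e for e in root.iter() if _local(e.tag) == "Exec"):
        command = arguments = ""
        for child in exec_el:
            if _local(child.tag) == "Command":
                command = (child.text or "").strip()
            elif _local(child.tag) == "Arguments":
                arguments = (child.text or "").strip()
        actions.append((command, arguments))
    return has_logon_trigger, actions


def analyse_event(event):
    """Return a finding dict for a suspicious 4698 event, or None."""
    if event.get("EventID") != 4698:
        return None
    logon, actions = parse_task_actions(event["TaskContent"])
    for command, arguments in actions:
        host = PureWindowsPath(command).name.lower()
        if host not in SCRIPT_HOSTS:
            continue
        args_lower = arguments.lower()
        if not any(ext in args_lower for ext in SCRIPT_EXTENSIONS):
            continue
        user_path = any(m in args_lower for m in USER_WRITABLE_MARKERS)
        severity = "high" if (logon or user_path) else "medium"
        return {
            "task": event["TaskName"],
            "user": event["SubjectUserName"],
            "host": host,
            "arguments": arguments,
            "logon_trigger": logon,
            "severity": severity,
        }
    return None


def scan_events(events):
    """Run the heuristic over a list of events and collect findings."""
    return [f for f in (analyse_event(e) for e in events) if f]


if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(f"[{finding['severity']}] {finding['task']} by {finding['user']}: "
              f"{finding['host']} {finding['arguments']}")
```

In a real deployment the task XML comes from the `TaskContent` field of the 4698 event (or from the files under `C:\Windows\System32\Tasks`); the medium-severity hit on the backup task shows why the output should be triaged against an allow-list of known administrative scripts rather than blocked outright.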

Evolution

Over time, the Armageddon group has developed multiple versions of its malware to add capabilities and evade detection. It has used different versions of the Pterodo backdoor, each with its own C2 communication and obfuscation methods. This diversification helps the group maintain persistence in targeted networks and makes detection harder.

Known Variants

The Armageddon group has used at least 4 versions of the Pterodo backdoor, also known as Pteranodon. These versions share the same functionality but differ in their C2 servers and obfuscation methods. Each version uses Visual Basic Script (VBS) droppers and scheduled tasks for persistence, and downloads additional code from C2 servers.

Mitigation Strategies

  • Filter emails to detect and block phishing.

  • Keep systems up to date with security patches.

  • Use advanced endpoint protection that can detect and block obfuscated scripts.

  • Train users to recognize and report phishing.
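The third mitigation relies on endpoint protection recognising obfuscated scripts. As an added illustration (not code from the page or any product), the Python below scores a VBS file on traits that string-building droppers share and hand-written administrative scripts usually lack: many `Chr()` calls, dense `&` concatenation, `Replace()` used to reassemble strings, and dynamic evaluation via `Execute`/`Eval`. Both sample scripts are constructed; the "obfuscated" one merely reassembles `MsgBox("hello")`. The weights and threshold are assumptions to be tuned against your own script corpus.

```python
import re

# Constructed sample scripts. The obfuscated one decodes to MsgBox("hello");
# it mimics a dropper's string-building style and is not real malware.
CLEAN_VBS = r'''
' Backup script: copies the reports folder to the archive share
Set fso = CreateObject("Scripting.FileSystemObject")
fso.CopyFolder "C:\Reports", "D:\Archive\Reports", True
WScript.Echo "Backup finished"
'''

OBFUSCATED_VBS = r'''
Dim a1b2c3: a1b2c3 = Chr(77) & Chr(115) & Chr(103) & Chr(66) & Chr(111) & Chr(120)
Dim z9: z9 = Replace("hel#lo", "#", "")
Execute a1b2c3 & "(""" & z9 & """)"
'''

# Lexical markers commonly seen in string-assembling VBS.
CHR_CALL = re.compile(r"\bchrw?\s*\(", re.I)
DYNAMIC_EXEC = re.compile(r"\b(?:execute|executeglobal|eval)\b", re.I)
REPLACE_CALL = re.compile(r"\breplace\s*\(", re.I)

# Assumed weights: dynamic evaluation is the strongest single signal.
WEIGHTS = {"chr_calls": 1.0, "concat_ops": 0.5, "dynamic_exec": 5.0, "replace_calls": 2.0}


def extract_features(script):
    """Count the obfuscation markers present in a VBS source string."""
    lines = [ln for ln in script.splitlines() if ln.strip()]
    return {
        "lines": len(lines),
        "chr_calls": len(CHR_CALL.findall(script)),
        "concat_ops": script.count("&"),
        "dynamic_exec": len(DYNAMIC_EXEC.findall(script)),
        "replace_calls": len(REPLACE_CALL.findall(script)),
        "comment_lines": sum(1 for ln in lines if ln.lstrip().startswith("'")),
        "max_line_len": max((len(ln) for ln in lines), default=0),
    }


def obfuscation_score(features):
    """Combine the feature counts into a per-line density score."""
    raw = sum(WEIGHTS[k] * features[k] for k in WEIGHTS)
    if features["max_line_len"] > 300:
        raw += 3.0  # one enormous line is typical of packed payloads
    # Normalise by line count so a long legitimate script is not penalised
    # for length alone; comments are a weak sign of human authorship.
    density = raw / max(features["lines"], 1)
    density -= 0.2 * min(features["comment_lines"], 5)
    return round(max(density, 0.0), 2)


def classify(script, threshold=2.0):
    """Return the score, a verdict against the threshold, and the features."""
    features = extract_features(script)
    score = obfuscation_score(features)
    return {"score": score, "suspicious": score >= threshold, "features": features}


if __name__ == "__main__":
    for name, src in (("clean", CLEAN_VBS), ("obfuscated", OBFUSCATED_VBS)):
        verdict = classify(src)
        print(f"{name}: score={verdict['score']} suspicious={verdict['suspicious']}")
```

A scorer like this is a triage aid, not a signature: it should feed an alert for analyst review or a sandbox detonation rather than a block decision on its own, and the threshold needs calibration on the scripts legitimately run in your environment.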

Targeted Industries or Sectors

Armageddon Stealer targets Ukrainian government entities, mainly security and defense services. The group is focused on cyber espionage, gathering intelligence from state bodies. There have also been attacks against European Union state bodies, indicating a broader interest in governmental information.

Associated Threat Actors

The main threat actor behind Armageddon Stealer is the Armageddon group, also known as Gamaredon, Primitive Bear or UAC-0010. It operates from the Russian-annexed Ukrainian Crimean peninsula and is believed to be sponsored by Russia’s Federal Security Service (FSB). Its modus operandi combines phishing campaigns with custom malware for espionage.
