30 May 2023

Ukraine’s CERT warns of a new wave of SmokeLoader attacks

Ukraine’s Computer Emergency Response Team (CERT-UA) said it detected a new phishing campaign by the UAC-0006 threat actor delivering the SmokeLoader malware.

First detected in 2011, SmokeLoader is primarily a loader: its main objective is to download or load a stealthier or more effective piece of malware onto the system. SmokeLoader variants have also been used for information stealing, botnet operation and backdoor access, and the loader has been used to deliver cryptominers, ransomware, banking trojans, and point-of-sale (PoS) malware.

The new campaign involves phishing emails using lures centered around invoices sent from previously compromised email accounts. The threat actor uses several methods to deliver the malware on the target system:

  • EML -> ZIP -> HTML (JavaScript) -> ZIP -> JavaScript (loader) -> EXE -> SmokeLoader

  • EML -> RAR -> VHDX -> JavaScript (loader) -> EXE -> SmokeLoader

  • EML -> RAR -> VHD -> JavaScript (loader) -> EXE -> SmokeLoader
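The chains above share one pattern: a risky file type (HTML, script, disk image or executable) buried inside nested containers attached to an invoice lure. The checker below is an added example, not CERT-UA's tooling; it uses only the Python standard library, constructs its own sample EML (a ZIP carrying an HTML page), and reports the attachment chain it finds. It opens ZIP containers only; RAR, VHD and VHDX files are flagged by extension since the standard library cannot open them.

```python
"""Flag risky nested attachment chains such as EML -> ZIP -> HTML (added example)."""
import email
import io
import zipfile
from email.message import EmailMessage

# File types that appear in the observed delivery chains.
RISKY_EXT = {"html", "htm", "js", "vhd", "vhdx", "exe", "rar", "zip"}
# Containers this checker can open offline; RAR/VHD/VHDX are only flagged.
CONTAINER_EXT = {"zip"}


def _ext(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def walk_blob(name: str, data: bytes, chain: list, findings: list) -> list:
    """Descend into ZIP containers, recording the chain of file types seen."""
    ext = _ext(name)
    chain = chain + [ext.upper()]
    if ext in CONTAINER_EXT:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if not info.is_dir():
                        walk_blob(info.filename, zf.read(info), chain, findings)
        except zipfile.BadZipFile:
            findings.append((" -> ".join(chain), f"{name} (unreadable container)"))
    elif ext in RISKY_EXT:
        findings.append((" -> ".join(chain), name))
    return findings


def scan_eml(raw: bytes) -> list:
    """Return (chain, filename) pairs for risky attachments in a raw EML."""
    msg = email.message_from_bytes(raw)
    findings = []
    for part in msg.walk():
        fname = part.get_filename()
        if fname and part.get_content_disposition() == "attachment":
            walk_blob(fname, part.get_payload(decode=True), ["EML"], findings)
    return findings


def build_sample_eml() -> bytes:
    """Constructed sample: invoice lure with a ZIP holding an HTML page."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.html", "<html><script>/* constructed placeholder */</script></html>")
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = "Invoice", "a@example.invalid", "b@example.invalid"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    return msg.as_bytes()
```

Running `scan_eml(build_sample_eml())` yields `[("EML -> ZIP -> HTML", "invoice.html")]`; a mail gateway rule would quarantine on any chain that reaches HTML, JS, VHD/VHDX or EXE inside a container.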

The researchers say that among the deleted files they discovered a VHDX file that contained Cobalt Strike Beacon malware.

The team notes that UAC-0006, which is characterized as a financially motivated operation, has changed some of its TTPs (tactics, techniques, and procedures), including the use of multiple infection methods, and the Cobalt Strike Beacon tool, indicating that the threat actor is expanding its malware arsenal.

Furthermore, the observed SmokeLoader variant contained 26 URLs associated with a botnet server, with most of them being unregistered domains.

The threat actor uses Russia-based registrars and providers to register domain names and host command and control infrastructure, including @reg.ru, @nic.ru, @iqhost.ru, @macloud.ru, @cloudx.ru.

Last week, CERT-UA warned of a cyber-espionage operation targeting an unnamed state entity in Ukraine. Tracked as UAC-0063, the activity appears to be part of a broader effort targeting organizations in Mongolia, Kazakhstan, Kyrgyzstan, Israel, and India.
