30 May 2023

Ukraine’s CERT warns of a new wave of SmokeLoader attacks

Ukraine’s Computer Emergency Response Team (CERT-UA) says it has detected a new phishing campaign by the UAC-0006 threat actor that delivers the SmokeLoader malware.

First observed in 2011, SmokeLoader is primarily a loader: its main job is to download and execute a second-stage, typically stealthier or more capable, payload on the infected system. Variants of SmokeLoader have also been used as information stealers, botnet clients and backdoors, and the loader has delivered cryptominers, ransomware, banking trojans and point-of-sale (PoS) malware.

The new campaign uses phishing emails with invoice-themed lures, sent from previously compromised email accounts. The actor uses several delivery chains to get the malware onto the target system:

  • EML -> ZIP -> HTML (JavaScript) -> ZIP -> JavaScript (loader) -> EXE -> SmokeLoader

  • EML -> RAR -> VHDX -> JavaScript (loader) -> EXE -> SmokeLoader

  • EML -> RAR -> VHD -> JavaScript (loader) -> EXE -> SmokeLoader
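As an added illustration (not code from the CERT-UA advisory or from this article), the Python script below walks an .eml through the kind of nested chain listed above: it opens ZIP attachments recursively, carves base64-encoded archives out of HTML attachments (the HTML smuggling step in the first chain), and recognises RAR, VHD and VHDX containers by their file signatures so they can be flagged even though the standard library cannot open them. The sample message it builds is constructed here to reproduce the first chain; the addresses, file names and the "suspicious" triage rule are assumptions made for the example.

```python
"""Reconstruct nested attachment chains (EML -> ZIP -> HTML -> ZIP -> JS, ...)."""
import base64, email, io, re, zipfile
from email import policy
from email.message import EmailMessage

# Documented file signatures, checked at the start of a blob.
MAGIC_HEAD = {
    b"PK\x03\x04": "ZIP",
    b"Rar!\x1a\x07": "RAR",
    b"vhdxfile": "VHDX",
    b"conectix": "VHD",  # dynamic VHDs also carry a footer copy at offset 0
    b"MZ": "EXE",
}
SCRIPT_EXT = {".js": "JavaScript", ".jse": "JavaScript", ".wsf": "JavaScript", ".vbs": "VBScript"}
B64_BLOB = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")  # candidate smuggled payloads in HTML
MAX_DEPTH = 8  # guard against archive nesting bombs


def classify(name: str, data: bytes) -> str:
    """Label a blob by signature first, then by extension/content."""
    for magic, label in MAGIC_HEAD.items():
        if data.startswith(magic):
            return label
    if data[-512:].startswith(b"conectix"):  # fixed-size VHD: footer only, at the end
        return "VHD"
    lower = name.lower()
    for ext, label in SCRIPT_EXT.items():
        if lower.endswith(ext):
            return label
    if lower.endswith((".html", ".htm")) or b"<html" in data[:1024].lower():
        return "HTML (JavaScript)" if b"<script" in data.lower() else "HTML"
    return "OTHER"


def walk(name: str, data: bytes, chain: list, findings: list, depth: int = 0) -> None:
    """Descend into containers we can open; record every leaf as a chain string."""
    label = classify(name, data)
    chain = chain + [label]
    if depth >= MAX_DEPTH:
        findings.append(" -> ".join(chain + ["(depth limit)"]))
        return
    if label == "ZIP":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    walk(info.filename, zf.read(info), chain, findings, depth + 1)
        return
    if label.startswith("HTML"):  # HTML smuggling: carve base64 blobs that decode to a known type
        carved = 0
        for blob in B64_BLOB.findall(data):
            try:
                payload = base64.b64decode(blob, validate=True)
            except ValueError:
                continue
            if classify("", payload) != "OTHER":
                carved += 1
                walk("smuggled", payload, chain, findings, depth + 1)
        if carved:
            return
    findings.append(" -> ".join(chain))  # RAR/VHD/VHDX are recorded but not opened here


def analyze_eml(raw: bytes) -> list:
    """Return one 'EML -> ... -> leaf' chain per attachment leaf."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)
        if payload:
            walk(part.get_filename() or "", payload, ["EML"], findings)
    return findings


def is_suspicious(chain: str) -> bool:
    """Assumed triage rule: chain ends in a script, an executable, or a container we could not open."""
    return chain.split(" -> ")[-1] in {"JavaScript", "VBScript", "EXE", "RAR", "VHD", "VHDX"}


def _zip_bytes(name: str, content: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, content)
    return buf.getvalue()


def build_sample_eml() -> bytes:
    """Constructed sample (not a real UAC-0006 message) reproducing the first chain above."""
    inner_zip = _zip_bytes("invoice.js", b"var sh = new ActiveXObject('WScript.Shell');")
    html = (b"<html><body>Invoice</body><script>var b='" + base64.b64encode(inner_zip)
            + b"';/* decode b and drop it as invoice.zip */</script></html>")
    msg = EmailMessage()
    msg["From"] = "accounting@example.com"  # placeholder sender
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(_zip_bytes("invoice.html", html), maintype="application",
                       subtype="zip", filename="invoice.zip")
    msg.add_attachment(b"Rar!\x1a\x07\x01\x00" + b"\x00" * 32, maintype="application",
                       subtype="vnd.rar", filename="invoice.rar")  # RAR header stub only
    return msg.as_bytes()


if __name__ == "__main__":
    for chain in analyze_eml(build_sample_eml()):
        print(("SUSPICIOUS  " if is_suspicious(chain) else "ok          ") + chain)
```

Run against the constructed sample, the script reports `EML -> ZIP -> HTML (JavaScript) -> ZIP -> JavaScript` and `EML -> RAR`. Chains that end in RAR, VHD or VHDX are deliberately surfaced rather than dropped: a mail gateway that only opens ZIPs is blind to the second and third chains above, so an unopenable container in an invoice email is itself worth a detonation or a block.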

CERT-UA also recovered a VHDX file among the deleted files it examined; it contained a Cobalt Strike Beacon payload.

CERT-UA notes that UAC-0006, which it characterizes as a financially motivated operation, has changed some of its tactics, techniques and procedures (TTPs), including the use of multiple infection chains and of the Cobalt Strike Beacon tool, indicating that the actor is expanding its arsenal.

The SmokeLoader sample analyzed contained 26 URLs for its botnet command-and-control servers, most of them on domains that were not registered at the time of analysis.

The actor registers its domains and hosts its command-and-control infrastructure with Russia-based registrars and providers, including reg.ru, nic.ru, iqhost.ru, macloud.ru and cloudx.ru.

Last week, CERT-UA warned of a cyber-espionage operation targeting an unnamed Ukrainian state entity. Attributed to a group tracked as UAC-0063, the activity appears to be part of a broader effort targeting organizations in Mongolia, Kazakhstan, Kyrgyzstan, Israel and India.
