Russian cybercriminals increasingly targeting Ukraine with SmokeLoader malware

 


Suspected Russian cybercrime groups have been increasingly targeting state and financial institutions in Ukraine with the SmokeLoader malware, Ukraine's National Cyber Security Coordination Center (NCSCC) said in a new report.

The attacks have been ongoing since May 2023, with hackers using meticulously crafted phishing emails focused on financial themes to lure victims.

Once SmokeLoader is downloaded and run on the system, it establishes a connection with a pre-defined list of command-and-control (C&C) domains, many of which remain intentionally inaccessible, acting as decoys to make detection more difficult.

SmokeLoader first emerged in 2011 as a multifunctional modular malware strain. It implements features such as process hollowing, anti-debugging, anti-hooking and anti-VM, all designed to thwart analysis and detection. The malware is able to collect system information (OS details, geographical data, etc.), collect credentials and cookies from browsers and email clients, execute DDoS attacks, intercept keystrokes, survey and control remote PCs with file manager features, collect email addresses and perform other actions.

In some cases, the intruders managed to hijack money transfers by swapping the legitimate account details and re-routing funds to attacker-controlled accounts, according to the report.

“The recent surge in Smokeloader attacks orchestrated by russian cybercriminals against Ukrainian institutions underscores the ever-evolving and diversified nature of cyber threats… These assailants not only intensified their operations but have also demonstrated a remarkable adaptability in their tactics, targeting the heart of financial operations. The threat landscape in Ukraine has thus evolved into a multifaceted arena, with financially motivated cybercriminals joining the fray alongside state-sponsored actors,” the NCSCC concluded.
