SmokeLoader Campaign Intensifying, Ukrainian CERT Warns

Ukrainian cyber defenders said a financially motivated threat actor is intensifying efforts to entice users into installing a backdoor Trojan known as SmokeLoader.

See Also: Live Webinar | Unmasking Pegasus: Understand the Threat & Strengthen Your Digital Defense

The Computer Emergency Response Team of Ukraine has repeatedly warned the domestic financial sector this year that a group it tracks as UAC-0006 is using compromised email addresses to send phishing emails with attachments of compressed files containing JavaScript loaders (see: Ukrainian CERT Warns of New SmokeLoader Campaign).
CERT-UA this week issued a new alert, stating that it had spotted UAC-0006 activity on Friday and Monday. The attacks were preceded by an additional burst of UAC-0006 attacks, raising the total number of spotted threat actor attack waves to three over the past 10 days, said CERT-UA parent agency the State Service of Special Communications and Information Protection.

SmokeLoader is the name for a large family of Trojans known since 2011 that can be used to load malware but also have plug-ins for information exfiltration. Mitre called the malware “notorious for its use of deception and self-protection.”

Effects on the financial sector of stepped-up hacking activity in Ukraine following Russia’s February 2022 invasion of its European neighbor go far beyond the country’s borders. In a recent annual threat assessment, the Financial Services Information Sharing and Analysis Center called the Russian invasion “by far, the most significant impact of the financial services cyber threat landscape.” Hacktivists, ransomware attacks and distributed denial-of-service attacks are examples of the “range of cyber activity that has been seen since the invasion of Ukraine,” the U.S.-based organization warned.

The State Service of Special Communications and Information Protection of Ukraine said the malware has the second-highest number of detections domestically during in the months of May and June.

The latest attacks use attachments in the form of archive files. Extracting the attachments starts an infection chain that ultimately launches SmokeLoader.

The increased activity of UAC-0006 hackers may lead to a bump in the number of fraud cases using remote banking systems, CERT-UA said. The hacker group is typically interested in compromising accountants’ computers that are used in financial activities to steal authentication data such as login credentials and certificates in order to perform unauthorized payments.

“Business managers and accountants need to pay attention to strengthening the protection of automated workplaces designed for the formation, signing and transfer of payments through the use of software protection tools,” the SSSCIP said.