According to the Computer Emergency Response Team of Ukraine (CERT-UA), the SmokeLoader malware is being distributed in a phishing campaign that uses invoice-themed lures. The emails, which the agency says were sent from compromised accounts, carry a ZIP archive containing a decoy document and a JavaScript file.
When the JavaScript file is run, it launches an executable that installs SmokeLoader. SmokeLoader is a loader that has been in circulation since 2011; its main purpose is to download and install additional malware onto infected systems.
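The delivery chain above (a ZIP attachment that pairs a decoy document with a script) is something a mail gateway can screen for before a user ever opens the archive. The following Python is an added example, not code from CERT-UA or from the campaign itself: it builds a constructed lure archive in memory (the file names and contents are placeholders, not real samples) and flags any member whose final extension is a Windows script or executable type, so a double-extension name such as "invoice.pdf.js" is still caught.

```python
import io
import zipfile

# Extensions that Windows hands to WScript/cmd/PowerShell when double-clicked.
# This list is an assumption for the example, not CERT-UA's.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta",
               ".bat", ".cmd", ".ps1", ".lnk", ".exe", ".scr"}


def risky_entries(zip_bytes):
    """Return the names of archive members whose *last* extension is a
    script/executable type. Only the final extension is checked, so a
    decoy-looking 'Invoice.pdf.js' is reported while 'Invoice.pdf' is not."""
    names = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1]
            ext = ("." + base.rsplit(".", 1)[-1].lower()) if "." in base else ""
            if ext in SCRIPT_EXTS:
                names.append(info.filename)
    return names


def build_sample_attachment():
    """Constructed lure attachment (not a real sample): a decoy 'invoice'
    document next to a JavaScript file with a double extension."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_0425.pdf", b"%PDF-1.4\n% constructed decoy\n")
        zf.writestr("Invoice_0425.pdf.js", b"// constructed placeholder; does nothing\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name in risky_entries(build_sample_attachment()):
        print("script in attachment:", name)
```

In practice the same check should be applied recursively to nested archives and to ISO/IMG containers, which are used for the same purpose; the extension list above is a starting point, not an exhaustive one.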
CERT-UA attributes the activity to a threat actor tracked as UAC-0006, which is financially motivated: its end goals are credential theft and unauthorized money transfers.
Separately, Ukraine’s cybersecurity authorities disclosed in an alert destructive attacks carried out by the group UAC-0165 against government institutions.
The attack, aimed at an unnamed government agency, used a new wiper called RoarBAT, which searches for files with a predefined set of extensions and then destroys them irrecoverably by abusing a legitimate copy of WinRAR.
The discovered files were archived with WinRAR’s “-df” command-line switch, which deletes the source files once they have been added to the archive, and the resulting archives were then deleted. The batch script was executed through a scheduled task.
On Linux systems a bash script was used instead, overwriting files with zero bytes via the dd utility. Because WinRAR and dd are legitimate tools, neither routine looks like malware to antivirus software.
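Both wiper routines live off legitimate binaries, so the useful detection signal is the command line rather than the file. The following Python is an added example, not code from CERT-UA or from the RoarBAT samples: it runs three checks over constructed, Sysmon/4688-style process records and Linux shell command lines (the record layout, host names, paths and file names are assumptions), flagging WinRAR launched with the -df switch, schtasks registering a task whose action is a batch script, and dd writing /dev/zero into a real path.

```python
import re
import shlex

# Constructed sample telemetry (not real logs). Windows records mimic the
# Image/CommandLine fields of Sysmon Event ID 1 / Security 4688; the Linux
# entries are plain execve command lines as auditd or EDR would record them.
WINDOWS_EVENTS = [
    {"host": "ws01", "image": r"C:\Program Files\WinRAR\Rar.exe",
     "cmdline": r'"C:\Program Files\WinRAR\Rar.exe" a -r -df -y C:\Temp\x.rar C:\Users\*.docx'},
    {"host": "ws01", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc once /st 02:00 /tn upd /tr C:\Temp\upd.bat'},
    {"host": "ws02", "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmdline": r'"C:\Program Files\WinRAR\WinRAR.exe" a C:\Users\a\backup.rar C:\Users\a\Documents'},
]
LINUX_CMDS = [
    "dd if=/dev/zero of=/var/lib/app/data.db bs=1M",
    "dd if=/dev/urandom of=/tmp/test.bin bs=1M count=1",
    "dd if=/dev/zero of=/dev/null bs=1M count=10",
]

RAR_IMAGE = re.compile(r"(?:^|[\\/])(?:rar|winrar)\.exe$", re.IGNORECASE)


def rar_delete_after_archive(event):
    """True if a WinRAR binary was launched with -df (delete files after archiving).
    Switches are whole whitespace-separated tokens, so '-dfoo' or a file name
    containing 'df' does not match; WinRAR accepts -df and -DF alike."""
    if not RAR_IMAGE.search(event["image"]):
        return False
    return any(tok.lower() == "-df" for tok in event["cmdline"].split())


def scheduled_task_running_bat(event):
    """True if schtasks /create registers a task whose action (/tr) is a .bat or .cmd script."""
    cl = event["cmdline"].lower()
    return ("schtasks" in event["image"].lower()
            and "/create" in cl
            and re.search(r"/tr\s+\S*\.(bat|cmd)\b", cl) is not None)


def dd_zero_overwrite(cmd):
    """True for dd invocations that read /dev/zero and write to anything other than /dev/null."""
    try:
        argv = shlex.split(cmd)
    except ValueError:
        return False
    if not argv or argv[0].rsplit("/", 1)[-1] != "dd":
        return False
    opts = dict(a.split("=", 1) for a in argv[1:] if "=" in a)
    return opts.get("if") == "/dev/zero" and opts.get("of", "/dev/null") != "/dev/null"


def scan(windows_events, linux_cmds):
    """Run every rule and return (source, rule_name, command_line) hits in input order."""
    hits = []
    for ev in windows_events:
        if rar_delete_after_archive(ev):
            hits.append((ev["host"], "winrar_df_delete_after_archive", ev["cmdline"]))
        if scheduled_task_running_bat(ev):
            hits.append((ev["host"], "schtasks_runs_batch_script", ev["cmdline"]))
    for cmd in linux_cmds:
        if dd_zero_overwrite(cmd):
            hits.append(("linux", "dd_zero_overwrite", cmd))
    return hits


if __name__ == "__main__":
    for source, rule, cmd in scan(WINDOWS_EVENTS, LINUX_CMDS):
        print(f"{source}: {rule}: {cmd}")
```

Each rule on its own is a hunting signal rather than a blocking one: backup scripts also use -df and dd if=/dev/zero is used to pre-fill disk images. What makes the RoarBAT pattern stand out is the combination on one host within a short window (a scheduled task, a WinRAR run sweeping user directories with -df, and a burst of deletions of the resulting archives), so the hits are best correlated by host and time rather than alerted on individually.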
According to CERT-UA’s findings, “the destructive impact carried out with the appropriate software was found to have impaired the operability of electronic computers” (server equipment, automated user workstations and data storage systems).
The attackers are believed to have logged in to the targeted industrial control system (ICS) over VPN using stolen credentials. Multi-factor authentication was not enforced for remote VPN connections, which is what allowed the attack to succeed.
The agency also attributed UAC-0165, with moderate confidence, to the infamous Sandworm group (also tracked as “FROZENBARENTS”, “Seashell Blizzard” and “Voodoo Bear”), which has a track record of wiper attacks dating back to the start of the Russo-Ukrainian war last year.
The link to Sandworm rests on significant overlaps between this attack and the destructive attack on the Ukrainian national news agency Ukrinform in January 2023, which has been tied to the same adversary.
These warnings follow a similar alert CERT-UA issued a week earlier about phishing attempts against government bodies in the country that used bogus Windows update notifications, attributed to the Russian state-sponsored group APT28.
Conclusion
CERT-UA reports that invoice-themed phishing campaigns are spreading the SmokeLoader malware. The agency says the emails were sent from hijacked accounts and carried a ZIP archive containing a decoy document and a JavaScript file. Running the JavaScript launches an executable that installs SmokeLoader, a loader active since 2011 whose job is to download and install additional malware onto infected machines.
CERT-UA attributes the campaign to UAC-0006, a financially motivated actor that steals credentials and makes unauthorized money transfers. Ukraine’s cybersecurity authorities also warned of destructive attacks by UAC-0165 on government institutions. In an attack on an unnamed government agency, a new wiper, RoarBAT, abused a legitimate copy of WinRAR to find files with a preset list of extensions and erase them irrecoverably: the files were archived with the “-df” switch, which deletes the originals after archiving, and the archives were then deleted. The batch script ran from a scheduled task.