SmokeLoader Campaign Intensifying, Ukrainian CERT Warns
Malware Has 2nd-Highest Number of Detections Domestically in May and June
Ukrainian cyber defenders said a financially motivated threat actor is intensifying efforts to entice users into installing a backdoor Trojan known as SmokeLoader.
SmokeLoader is the name for a large family of Trojans, known since 2011, that can load other malware and also have plug-ins for information exfiltration. MITRE called the malware "notorious for its use of deception and self-protection."
Effects on the financial sector of stepped-up hacking activity in Ukraine following Russia's February 2022 invasion of its European neighbor go far beyond the country's borders. In a recent annual threat assessment, the Financial Services Information Sharing and Analysis Center called the Russian invasion "by far, the most significant impact of the financial services cyber threat landscape." Hacktivists, ransomware attacks and distributed denial-of-service attacks are examples of the "range of cyber activity that has been seen since the invasion of Ukraine," the U.S.-based organization warned.
The State Service of Special Communications and Information Protection of Ukraine (SSSCIP) said the malware had the second-highest number of detections domestically in the months of May and June.
The latest attacks use attachments in the form of archive files. Extracting the attachments starts an infection chain that ultimately launches SmokeLoader.
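As an added illustration of the defensive side of this delivery method (example code, not part of the CERT-UA advisory or the article), the following Python triage routine inspects an archive attachment in memory before it reaches a user and flags members that would execute on extraction, document-then-script double extensions, nested archives, and encrypted members that cannot be inspected. The extension lists are an assumed policy, and the sample archive is constructed inline; its member names are illustrative and are not indicators from the advisory.

```python
"""Added example: triage of archive e-mail attachments (not code from CERT-UA or the article)."""
import io
import zipfile
from dataclasses import dataclass, field

# Assumed policy lists: member types a user could launch directly after extraction,
# container formats that hide a second layer, and document extensions used as bait
# in double-extension names such as "invoice.pdf.js".
EXECUTABLE_EXTS = {".exe", ".scr", ".dll", ".js", ".jse", ".vbs", ".vbe", ".wsf",
                   ".hta", ".lnk", ".bat", ".cmd", ".ps1", ".msi"}
ARCHIVE_EXTS = {".zip", ".rar", ".7z", ".iso", ".img"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf"}


@dataclass
class Finding:
    member: str
    reason: str


@dataclass
class TriageResult:
    findings: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def _ext(name: str) -> str:
    """Return the lower-cased final extension including the dot, or '' if none."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def triage_zip(data: bytes) -> TriageResult:
    """Inspect a zip attachment without extracting it to disk."""
    result = TriageResult()
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        result.findings.append(Finding("<archive>", "not a valid zip archive"))
        return result
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            base = name.rsplit("/", 1)[-1]
            ext = _ext(base)
            if ext in EXECUTABLE_EXTS:
                result.findings.append(Finding(name, f"executable/script member ({ext})"))
            if ext in ARCHIVE_EXTS:
                result.findings.append(Finding(name, "nested archive"))
            parts = base.lower().split(".")
            if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS and ext in EXECUTABLE_EXTS:
                result.findings.append(Finding(name, "double extension"))
            # Bit 0 of the general-purpose flag marks an encrypted member.
            if info.flag_bits & 0x1:
                result.findings.append(Finding(name, "encrypted member (cannot be inspected)"))
    return result


def build_sample_archive() -> bytes:
    """Constructed test input: a bait document, a script with a double extension, a nested zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", b"%PDF-1.4 placeholder")
        zf.writestr("invoice.pdf.js", b"// placeholder script body")
        zf.writestr("docs/inner.zip", b"PK placeholder")
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed test input with only document and text members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", b"plain text")
        zf.writestr("invoice.pdf", b"%PDF-1.4 placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_zip(build_sample_archive()).findings:
        print(f"{f.member}: {f.reason}")
```

The routine never writes members to disk, so a nested or malformed archive is reported rather than opened; a mail gateway would quarantine an attachment with any finding and route it to analysts instead of the recipient's inbox.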
The increased activity of UAC-0006 hackers may lead to a bump in the number of fraud cases using remote banking systems, CERT-UA said. The hacker group is typically interested in compromising accountants' computers that are used in financial activities to steal authentication data such as login credentials and certificates in order to perform unauthorized payments.
"Business managers and accountants need to pay attention to strengthening the protection of automated workplaces designed for the formation, signing and transfer of payments through the use of software protection tools," the SSSCIP said.