Attack Surface Management , Security Operations

Ukrainian CERT Warns of New SmokeLoader Campaign

Hackers Using Compromised Email Addresses to Deliver the Malware
Ukrainian CERT Warns of New SmokeLoader Campaign
Image: Shutterstock

Ukrainian cyber defenders are warning users for the second time this month to be aware of financially motivated phishing campaigns that load the SmokeLoader malware onto computers.

See Also: Live Webinar | Cyber Resilience: Recovering from a Ransomware Attack

The Computer Emergency Response Team of Ukraine in a Monday alert said hackers tracked as UAC-0006 use compromised email addresses to send compressed files containing JavaScript loaders for SmokeLoader.

SmokeLoader is the name for a large family of Trojans known since 2011 that can be used to load additional malware but also has plug-ins for information exfiltration. Mitre said the malware is "notorious for its use of deception and self-protection."

Cyber defenders also say the campaign may attempt to load Cobalt Strike Beacon - penetration testing software used to execute PowerShell scripts, download files and surveil users.

A SmokeLoader sample analyzed by CERT-UA contained a list of 26 URLs for command-and-control servers, although the vast majority of the domains were unregistered. The hackers use Russian domain name registrars and providers. The government agency says UAC-0006 is financially motivated and typically targets computers used by accountants. It looks for access to banking systems and credential data in order to create unauthorized payments.

CERT-UA earlier this month spotted UAC-0006 using compromised email accounts with the subject "bill/payment" and an attached .zip file containing a SmokeLoader launcher.

Since the SmokeLoader JavaScript loader is activated using Microsoft's automated scripting tool Windows Script Host, CERT-UA recommends limiting end-user access to the tool.


About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.