CERT-UA warns of an ongoing SmokeLoader campaign

Ukraine’s CERT-UA warns of an ongoing phishing campaign aimed at distributing the SmokeLoader malware in the form of a polyglot file.

CERT-UA warns of an ongoing phishing campaign that is distributing the SmokeLoader malware in the form of a polyglot file.

Threat actors are using emails sent from compromised accounts with the subject “bill/payment” with an attachment in the form of a ZIP archive.

The JavaScript employed in the attack uses a PowerShell to download and execute an executable used to launch the SmokeLoader malware.

“The mentioned ZIP archive is a polyglot file containing a decoy document and a JavaScript file “pax_2023_AB1058..js” which, using PowerShell, will cause the executable file “portable.exe” to be downloaded and run. The latter, in turn, will launch the SmokeLoader malware (compilation date: 2023-04-24 11:45:17).” reads the alert published by Ukraine’s CERT.

The analysis of the domain name registration dates and the file compilation date suggests the campaign was launched in April 2023.

SmokeLoader acts as a loader for other malware, once it is executed it will inject malicious code into the currently running explorer process (explorer.exe) and downloads another payload to the system.

CERT-UA attributed the campaign to the financially motivated threat actor UAC-0006 which has been active since at least 2013. The threat actors focus on compromising accountants’ PCs (which are used to support financial activities, such as access to remote banking systems), stealing credentials, and making unauthorized fund transfers.

The CERT-UA pointed out that JavaScript loaders are typically used by this threat actor in the initial stage of an attack, for this reason, it recommends blocking the launch of wscript.exe (Windows Script Host) on the PC to temporarily minimize the probability of attack

“For this, in particular, in the registry branch “{HKEY_CURRENT_USER,HKEY_LOCAL_MACHINE}\Software\Microsoft\Windows Script Host\Settings” you need to add the entry “Enabled” (type: DWORD) with the value “0”. ” concludes the alert published by CERT.

The alert includes the Indicators of Compromise (IoCs).

A few days ago, CERT-UA warned of destructive cyberattacks conducted by the Russia-linked Sandworm APT group against the Ukraine public sector. The threat actors allegedly obtained access to Ukraine’s public networks by using compromised VPN credentials.

We are in the final!

Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections where is reported Securityaffairs or my name Pierluigi Paganini

Please nominate Security Affairs as your favorite blog.

Nominate Pierluigi Paganini and Security Affairs here here: https://docs.google.com/forms/d/e/1FAIpQLSepvnj8b7QzMdLh7vWEDQDqohjBUsHyn3x3xRdYGCetwVy2DA/viewform

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CERT-UA)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.