Pierluigi Paganini May 26, 2024

The Ukraine CERT-UA warns of a concerning increase in cyberattacks attributed to the financially-motivated threat actor UAC-0006.

The Computer Emergency Response Team of Ukraine (CERT-UA) warned of surge in in cyberattacks linked to the financially-motivated threat actor UAC-0006.

UAC-0006 has been active since at least 2013. The threat actors focus on compromising accountants’ PCs (which are used to support financial activities, such as access to remote banking systems), stealing credentials, and making unauthorized fund transfers.

The government experts reported that the group carried out at least two massive campaigns since May 20, threat actors aimed at distributing SmokeLoader malware via email.

SmokeLoader acts as a loader for other malware, once it is executed it will inject malicious code into the currently running explorer process (explorer.exe) and downloads another payload to the system.

“Starting from May 20th, hackers have launched at least two massive campaigns with emails containing the SmokeLoader malware.” read the advisory published by CERT-UA.

The attackers sent out emails with ZIP archives containing an IMG files that serves as decoys for hidden EXE malware and ACCDB documents. The documents are weaponized Microsoft Access files, upon enabling the malicious macros they execute PowerShell commands to download and run EXE files.

The researchers observed that following the initial infection, additional malware such as TALESHOT and RMS are downloaded onto the targeted PC.

The UAC-0006 actor is using a botnet composed of several hundred infected machines.

“Currently, UAC-0006’s bot network consists of several hundred infected machines. CERT-UA believes that hackers may soon activate fraudulent schemes using remote banking systems.” continues the report.

CERT-UA warned Ukrainian CEOs to enhance cybersecurity measures for accountants’ automated workplaces. IT shared indicators of compromise for this campaign and is urging to implement proper security policies and protection mechanisms.

In May 2023, Ukraine’s CERT-UA warned of another phishing campaign aimed at distributing the SmokeLoader malware in the form of a polyglot file.

UAC-0006 is the most active financially-motivated threat actor targeting Ukraine businesses, has already attempted to steal tens of million hryvnias through mass online theft campaigns in August-October 2023.

CERT-UA published an article that provides more details of the group’s TTPs.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Ukraine)