CERT-UA warns of an ongoing SmokeLoader campaign


Ukraine’s CERT-UA warns of an ongoing phishing campaign aimed at distributing the SmokeLoader malware in the form of a polyglot file.


Threat actors are using emails sent from compromised accounts with the subject “bill/payment” with an attachment in the form of a ZIP archive.

The JavaScript file used in the attack invokes PowerShell to download and run an executable, which in turn launches the SmokeLoader malware.

“The mentioned ZIP archive is a polyglot file containing a decoy document and a JavaScript file “pax_2023_AB1058..js” which, using PowerShell, will cause the executable file “portable.exe” to be downloaded and run. The latter, in turn, will launch the SmokeLoader malware (compilation date: 2023-04-24 11:45:17),” reads the alert published by Ukraine’s CERT.
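The attachment described in the alert combines two warning signs a mail gateway or triage analyst can check for mechanically: a ZIP whose archive data does not start at offset 0 (a polyglot with another file type in front of it) and a member with a Windows Script Host extension and a doubled dot in its name. The following is an added example, not code from CERT-UA or Security Affairs; the sample archive it builds is constructed in memory to mimic the described layout, and the junk prefix stands in for whatever the real polyglot carried in front of the ZIP data.

```python
import io
import zipfile

# Extensions that Windows Script Host (wscript.exe) runs on double-click.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}
ZIP_LOCAL_HEADER = b"PK\x03\x04"


def triage_zip_attachment(data: bytes) -> dict:
    """Return triage findings for a ZIP attachment held in memory.

    Flags (1) data in front of the first ZIP local header, the sign of a
    polyglot in which the archive is appended to another file type;
    (2) members with a WSH script extension; (3) member names with a
    doubled dot or more than one extension (e.g. 'name..js').
    """
    findings = {"is_zip": zipfile.is_zipfile(io.BytesIO(data)),
                "polyglot_prefix": False, "prefix_bytes": 0,
                "script_members": [], "odd_names": [], "suspicious": False}
    if not findings["is_zip"]:
        return findings
    # zipfile locates the archive via the end-of-central-directory record,
    # so it still parses the archive when other data is prepended.
    first = data.find(ZIP_LOCAL_HEADER)
    findings["polyglot_prefix"] = first != 0
    findings["prefix_bytes"] = max(first, 0)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            base = name.rsplit("/", 1)[-1].lower()
            ext = "." + base.rsplit(".", 1)[-1] if "." in base else ""
            if ext in SCRIPT_EXTENSIONS:
                findings["script_members"].append(name)
            if ".." in base or len(base.split(".")) > 2:
                findings["odd_names"].append(name)
    findings["suspicious"] = (findings["polyglot_prefix"]
                              or bool(findings["script_members"]))
    return findings


def build_sample() -> bytes:
    """Constructed sample, not a real malware file: decoy document plus a
    JavaScript member, with junk bytes prepended to mimic a polyglot."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("bill_payment.pdf", b"%PDF-1.4 decoy")
        zf.writestr("pax_2023_AB1058..js", b"// placeholder script body")
    return b"%PDF-1.7 fake-prefix\n" + buf.getvalue()
```

A prefix is only one way to build a polyglot; the check covers the prepended-data case and should be paired with an archive-member scan at the gateway.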

The analysis of the domain name registration dates and the file compilation date suggests the campaign was launched in April 2023.

SmokeLoader is a loader for other malware

SmokeLoader acts as a loader for other malware: once executed, it injects malicious code into the running Explorer process (explorer.exe) and downloads a further payload onto the system.

CERT-UA attributed the campaign to the financially motivated threat actor UAC-0006, which has been active since at least 2013. The group focuses on compromising accountants’ PCs (used to support financial activities such as access to remote banking systems), stealing credentials, and making unauthorized fund transfers.

CERT-UA pointed out that this threat actor typically uses JavaScript loaders in the initial stage of an attack. For this reason, it recommends blocking the launch of wscript.exe (Windows Script Host) on PCs to temporarily reduce the probability of a successful attack.

“For this, in particular, in the registry branch “{HKEY_CURRENT_USER,HKEY_LOCAL_MACHINE}\Software\Microsoft\Windows Script Host\Settings” you need to add the entry “Enabled” (type: DWORD) with the value “0”,” concludes the alert published by CERT.


A few days ago, CERT-UA warned of destructive cyberattacks conducted by the Russia-linked Sandworm APT group against the Ukrainian public sector. The threat actors allegedly obtained access to Ukraine’s public networks by using compromised VPN credentials.


The post CERT-UA warns of an ongoing SmokeLoader campaign appeared first on Security Affairs.