Ukrainian cybersecurity authorities are reporting a significant increase in Smokeloader malware attacks targeting financial and government entities, with suspected Russian cybercriminals behind the surge. The attacks, which began in May, have involved intense phishing campaigns aimed at infiltrating systems and extracting sensitive information.
Smokeloader is a highly sophisticated malware, functioning primarily as a loader but with modular capabilities that include stealing credentials, executing distributed denial-of-service (DDoS) attacks, and intercepting keystrokes. The toolkit is available for a price ranging from $400 for the basic version to $1,650 for the complete package with all plugins and functions.
While researchers did not attribute the campaign to a specific hacker group, the prevalence of Russian domain registrars suggests potential ties to Russian cybercriminal operations. In an earlier incident, Ukraine’s Computer Emergency Response Team (CERT-UA) linked Smokeloader activity to a threat actor identified as UAC-0006, described as a financially motivated operation seeking to steal credentials and execute unauthorized fund transfers.
The recent campaign using Smokeloader targeted state, private, and financial institutions, with a focus on accounting departments. Attackers used carefully crafted, financially-themed emails to lure victims into downloading malicious attachments, capitalizing on a sense of urgency and relevance. To evade detection, the malware concealed itself within seemingly harmless financial documents, many of which were stolen from previously compromised organizations.
Besides infiltrating systems, Smokeloader also compromised money transfer processes, redirecting funds to attackers’ accounts by replacing legitimate account details. These evolving tactics highlight the multifaceted nature of the threat landscape in Ukraine, involving both financially motivated cybercriminals and state-sponsored hackers.