Ukraine’s Computer Emergency Response Team (CERT-UA) has issued a warning about a new phishing campaign designed to distribute SmokeLoader malware in the form of a polyglot file.
The attack involves email messages sent from compromised accounts with a ZIP file attachment, under the subject “bill/payment.” The JavaScript inside the archive invokes PowerShell, which in turn runs a program that launches the SmokeLoader malware.
SmokeLoader acts as a loader for other malware, and once activated, it injects malicious code into the currently running explorer process, explorer.exe, and downloads another payload to the system.
The campaign, which CERT-UA attributed to the financially motivated threat actor UAC-0006, began in April 2023. The threat actors focus on compromising accountants’ PCs to gain access to financial systems, stealing credentials, and performing unauthorised fund transfers.
According to CERT-UA, the use of JavaScript loaders is a typical initial attack stage of UAC-0006, and it recommends that users temporarily block the launch of wscript.exe on their PCs to reduce the likelihood of an attack.
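The execution chain described above (a JavaScript loader run by wscript.exe, which spawns PowerShell, which then starts a further executable) is easy to spot in process-creation telemetry even where wscript.exe has not yet been blocked. The following is an added detection example, not CERT-UA's own tooling: it parses a few constructed process-creation log lines (field names loosely modelled on Sysmon event ID 1, but the line format and the parser are hypothetical) and reports every wscript.exe → powershell.exe → child-process chain. The sample PIDs, paths and command lines are invented for illustration.

```python
"""Flag the process chain CERT-UA describes for UAC-0006's JavaScript loaders:
wscript.exe -> powershell.exe -> some further executable.

Log lines and their format are constructed for this example; the parser is a
hypothetical helper, not a real Sysmon or EDR API.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample telemetry: one benign explorer.exe tree plus the loader chain.
SAMPLE_LOG = """\
pid=4120 ppid=3004 image=C:\\Windows\\explorer.exe cmdline="C:\\Windows\\explorer.exe"
pid=5208 ppid=4120 image=C:\\Windows\\System32\\wscript.exe cmdline="wscript.exe C:\\Users\\acct\\AppData\\Local\\Temp\\bill_payment.js"
pid=5310 ppid=5208 image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmdline="powershell.exe -w hidden -enc <constructed-base64>"
pid=5402 ppid=5310 image=C:\\Users\\acct\\AppData\\Local\\Temp\\update.exe cmdline="update.exe"
pid=6000 ppid=4120 image=C:\\Windows\\System32\\notepad.exe cmdline="notepad.exe"
"""

LINE_RE = re.compile(r'pid=(\d+) ppid=(\d+) image=(\S+) cmdline="(.*)"')


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def parse_log(text: str) -> List[ProcEvent]:
    """Parse the constructed key=value lines into ProcEvent records; skip lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(ProcEvent(int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)))
    return events


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, so image comparisons ignore directory and case."""
    return path.rsplit("\\", 1)[-1].lower()


def find_loader_chains(events: List[ProcEvent]) -> List[Dict]:
    """Return one record per wscript.exe process that spawned PowerShell.

    Each record lists the script command line, the PowerShell PID and the PIDs of
    anything PowerShell went on to start (the stage that launches SmokeLoader in
    the campaign described by CERT-UA).
    """
    children = defaultdict(list)
    for e in events:
        children[e.ppid].append(e)

    hits = []
    for e in events:
        if basename(e.image) != "wscript.exe":
            continue
        for ps in children[e.pid]:
            if basename(ps.image) not in ("powershell.exe", "pwsh.exe"):
                continue
            hits.append({
                "wscript_pid": e.pid,
                "script": e.cmdline,
                "powershell_pid": ps.pid,
                "spawned": [c.pid for c in children[ps.pid]],
            })
    return hits


def wscript_launches(events: List[ProcEvent]) -> List[int]:
    """PIDs of every wscript.exe start; these are the launches CERT-UA's temporary block would prevent."""
    return [e.pid for e in events if basename(e.image) == "wscript.exe"]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for hit in find_loader_chains(evs):
        print(f"wscript.exe pid {hit['wscript_pid']} ran {hit['script']!r}; "
              f"PowerShell pid {hit['powershell_pid']} spawned {hit['spawned']}")
    print("wscript.exe launches seen:", wscript_launches(evs))
```

The chain match deliberately keys on parent/child relationships rather than on the script file name or the PowerShell flags, since both change between waves of the same campaign; the `wscript_launches` helper shows what the block recommended by CERT-UA would have stopped before PowerShell ever ran.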
In addition to the phishing campaign, CERT-UA recently alerted the public to destructive cyberattacks conducted by Russia’s Sandworm APT group against Ukraine’s public sector. The hackers are believed to have gained access to the country’s public networks by using compromised VPN credentials. The warning highlights the persistent threat of cyberattacks and the need for robust security measures to protect critical systems and sensitive data.