Ukrainian CERT Warns of New SmokeLoader Campaign
Hackers Using Compromised Email Addresses to Deliver the Malware
Ukrainian cyber defenders are warning users for the second time this month to be aware of financially motivated phishing campaigns that load the SmokeLoader malware onto computers.
SmokeLoader is the name for a large family of Trojans known since 2011 that can be used to load additional malware but also has plug-ins for information exfiltration. Mitre said the malware is "notorious for its use of deception and self-protection."
Cyber defenders also say the campaign may attempt to load Cobalt Strike Beacon - penetration testing software used to execute PowerShell scripts, download files and surveil users.
A SmokeLoader sample analyzed by CERT-UA contained a list of 26 URLs for command-and-control servers, although the vast majority of the domains were unregistered. The hackers use Russian domain name registrars and providers. The government agency says UAC-0006 is financially motivated and typically targets computers used by accountants. It looks for access to banking systems and credential data in order to create unauthorized payments.
CERT-UA earlier this month spotted UAC-0006 using compromised email accounts with the subject "bill/payment" and an attached .zip file containing a SmokeLoader launcher.
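As an added illustration of the lure pattern described in the two CERT-UA warnings (this is example code, not anything published by CERT-UA or the article's author), the script below builds a constructed test message with a "bill/payment" subject and a .zip attachment, then runs a simple mail-gateway triage check that flags only the combination the campaign relies on: a payment-themed subject together with an executable launcher inside the archive. The subject keywords beyond "bill/payment" and the list of launcher extensions are assumptions, not indicators from the advisory.

```python
"""Added example: triage check for invoice-themed lures carrying a loader in a
.zip attachment. Not from CERT-UA or the article; all sample data is constructed."""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# "bill" and "payment" come from the subject named in the article; "invoice" is
# an assumed synonym added for illustration.
LURE_SUBJECT_RE = re.compile(r"\b(bill|payment|invoice)\b", re.IGNORECASE)

# Extensions typical of launcher stubs packed inside archives (assumed list).
LAUNCHER_EXTS = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".lnk", ".dll", ".hta")


def build_sample_message(zip_member_name: str) -> bytes:
    """Construct a test message: payment-themed subject plus a .zip attachment
    holding a single member named zip_member_name (dummy bytes, not a real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(zip_member_name, b"MZ dummy bytes - not a real executable")
    msg = EmailMessage()
    msg["From"] = "accounting@example.invalid"  # constructed sender
    msg["To"] = "finance@example.invalid"       # constructed recipient
    msg["Subject"] = "bill/payment"
    msg.set_content("Please see the attached bill.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="bill_payment.zip")
    return msg.as_bytes()


def zip_members(data: bytes) -> list:
    """Return member names of a zip attachment, or [] if it is not a valid archive."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def triage_message(raw: bytes) -> dict:
    """Score a raw RFC 5322 message for the lure pattern and return the
    indicators found plus a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    indicators = []
    subject = msg.get("Subject", "")
    if LURE_SUBJECT_RE.search(subject):
        indicators.append(f"lure-subject:{subject}")
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if not fname.lower().endswith(".zip"):
            continue
        members = zip_members(part.get_payload(decode=True))
        launchers = [m for m in members if m.lower().endswith(LAUNCHER_EXTS)]
        if launchers:
            indicators.append(f"zip-launcher:{fname}:{','.join(launchers)}")
    # A payment-themed subject alone is weak (legitimate invoices exist); the
    # subject paired with a launcher inside the .zip is the campaign's pattern,
    # so only that combination is flagged.
    has_subject = any(i.startswith("lure-subject") for i in indicators)
    has_launcher = any(i.startswith("zip-launcher") for i in indicators)
    return {"suspicious": has_subject and has_launcher, "indicators": indicators}


if __name__ == "__main__":
    print(triage_message(build_sample_message("bill_payment.exe")))  # flagged
    print(triage_message(build_sample_message("bill_payment.pdf")))  # not flagged
```

Run as-is, the first call flags the message because the subject matches and the archive holds an .exe; the second keeps the same subject but carries a .pdf inside the zip and is left alone, which is the point of requiring both indicators rather than quarantining every invoice-themed mail.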